Kerberos currently has no forward secrecy properties. For example, an attacker with pervasive monitoring capability who gains access to a user's password can decrypt all past communications made by that user, and can also observe the new password when the user's password is changed. By performing ECDH exchanges during AP-REQ/AP-REP, TGS exchanges, and password changes, Kerberos can mitigate these risks.
SPAKE preauth will provide a certain measure of forward secrecy (with respect to user passwords, but not krbtgt keys) for AS exchanges when it is used.
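The property described above, as an added sketch that is not code from the Kerberos code base: a session key protected only by the password-derived key is recoverable from recorded traffic once the password leaks, while one mixed with an ephemeral ECDH secret is not. X25519, PBKDF2, SHA-256 mixing, the XOR wrap, the salt and all function names are assumptions made for this sketch; the ticket does not specify a curve or key derivation.

```python
# Added illustration, not Kerberos project code. X25519, PBKDF2 and the XOR
# "wrap" are stand-ins chosen for this sketch; the ticket names no curve or KDF.
import hashlib, hmac, os

P, A24 = 2**255 - 19, 121665
BASE = (9).to_bytes(32, "little")
SALT = b"EXAMPLE.COMalice"  # constructed realm + principal

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder (not constant time; demo only)."""
    n = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def long_term_key(password: bytes) -> bytes:
    """Stand-in for string-to-key: the key an attacker gets from the password."""
    return hashlib.pbkdf2_hmac("sha256", password, SALT, 1000)

def wrap(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy XOR wrap standing in for a Kerberos enctype; it is its own inverse."""
    pad = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(x ^ y for x, y in zip(data, pad))

def run_exchange(password: bytes, use_ecdh: bool):
    """Return (transcript seen on the wire, session key both peers hold)."""
    nonce, transported = os.urandom(16), os.urandom(32)
    wire = {"nonce": nonce, "wrapped": wrap(long_term_key(password), nonce, transported)}
    if not use_ecdh:
        return wire, transported
    a, b = os.urandom(32), os.urandom(32)  # ephemeral scalars, gone after return
    wire["pub_a"], wire["pub_b"] = x25519(a, BASE), x25519(b, BASE)
    return wire, hashlib.sha256(transported + x25519(a, wire["pub_b"])).digest()

def later_compromise(wire: dict, password: bytes) -> bytes:
    """What recorded traffic plus the leaked password yields: the transported key."""
    return wrap(long_term_key(password), wire["nonce"], wire["wrapped"])
```
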
Downgrade to story until it has children, for easier manipulation in JIRA.