Proxy users are not used in DSfW.
The Services part of the Trusted Computed Base has the rights to read users’ supplemental credentials for authentication. A separate KRB process reads user passwords and performs the authentication. Another event handler in eDirectory creates the supplemental credentials for the user whenever the password is changed for that user.