DSfW is both an authentication service and an application service to which you can authenticate by using previously acquired credentials.
For example, in a Windows logon session, the user acquires a Kerberos ticket granting ticket (TGT), and uses that ticket to acquire service tickets to log in to the local workstation and the DSfW LDAP server for group policy lookup. While performing network authentication to eDirectory through Kerberos, the user could just as well be authenticating to another service joined to the domain, for example, a file server.
DSfW abstracts network authentication by using the GSS-API. It uses NTLM and Kerberos, as well as a third pseudo-mechanism (SPNEGO) that can securely negotiate between arbitrary concrete mechanisms.
Initial (logon) authentication is provided by the KDC (for Kerberos) and the Net Logon service (for NTLM). Additionally, Net Logon also provides pass-through authentication for challenge response protocols such as NTLM and Digest (for Windows services).