During preauthentication, the user enters their password, which is used to encrypt a timestamp. The domain controller then attempts to decrypt it, validating that the right password was used and that the request is not a replay of a previous one. From there, the TGT is issued for the user to use for future authentication. If preauthentication is disabled, an attacker could request authentication data for any user and the DC would return an encrypted TGT that can be brute-forced offline.
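
A defender-side check for the condition described above, as an added example that is not part of the original page: it lists accounts with preauthentication switched off and groups TGT requests issued without it by source address. The `userAccountControl` bit values and the pre-authentication type field of Event ID 4768 are Windows details not stated on the page; the account records, events, addresses and the `threshold` parameter are constructed for illustration.

```python
from collections import defaultdict

UF_ACCOUNTDISABLE = 0x2             # userAccountControl: account is disabled
UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl: preauthentication not required

# Constructed directory export: (sAMAccountName, userAccountControl)
ACCOUNTS = [
    ("alice", 0x200),
    ("svc_backup", 0x400200),
    ("svc_print", 0x400200),
    ("old_kiosk", 0x400202),
    ("bob", 0x10200),
]

# Constructed Event ID 4768 (TGT requested) records, reduced to the fields used here.
# preauth_type 2 = encrypted timestamp, 0 = request made without preauthentication.
EVENTS = [
    {"user": "alice", "ip": "10.0.0.15", "preauth_type": 2},
    {"user": "svc_backup", "ip": "10.0.0.77", "preauth_type": 0},
    {"user": "svc_print", "ip": "10.0.0.77", "preauth_type": 0},
    {"user": "bob", "ip": "10.0.0.21", "preauth_type": 2},
    {"user": "svc_backup", "ip": "10.0.0.40", "preauth_type": 0},
]

def accounts_without_preauth(accounts):
    """Return {name: is_enabled} for accounts that do not require preauthentication."""
    return {name: not (uac & UF_ACCOUNTDISABLE)
            for name, uac in accounts if uac & UF_DONT_REQUIRE_PREAUTH}

def tgt_requests_without_preauth(events):
    """Map each source address to the users it obtained a no-preauth TGT for."""
    by_source = defaultdict(set)
    for ev in events:
        if ev["preauth_type"] == 0:
            by_source[ev["ip"]].add(ev["user"])
    return {ip: sorted(users) for ip, users in by_source.items()}

def sources_to_review(events, threshold=2):
    """Sources with no-preauth TGTs for at least `threshold` distinct accounts (hypothetical cutoff)."""
    grouped = tgt_requests_without_preauth(events)
    return sorted(ip for ip, users in grouped.items() if len(users) >= threshold)

if __name__ == "__main__":
    for name, enabled in accounts_without_preauth(ACCOUNTS).items():
        print(f"{name}: preauth not required ({'enabled' if enabled else 'disabled'})")
    print("review:", sources_to_review(EVENTS))
```

Enabled accounts in the first result are the ones to fix by re-enabling the preauthentication requirement; a single source collecting such tickets for several accounts is the pattern worth triaging first.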