Win logon to a MIT Kerberos V KDC?

Actually davidchr davespam at
Mon Sep 30 21:30:09 EDT 2002

Win2k does support encrypted timestamp preauth, as your kdc software
would require.  I think that disabling this requirement is a red
herring, particularly given that one of the principals involved in the
authentication is actually a service principal and that Win2K clients
use encrypted timestamp out of the box.

Is it possible that the KDC is returning this error in response to some
other problem, possibly hidden?  

This message is provided "AS IS" with no warranties, and confers no
Message may originate from an unmonitored alias ("davespam").  If so,
use "davidchr" if a direct reply is required. 
Any opinions or policies stated within are my own and do not necessarily
constitute those of my employer.
I reside in Washington, USA, where Title 19 declares that sending me
Unsolicited Commercial Email can result in a $500 fine.
Harvesting of this address for purposes of bulk email (spam and UCE) is
expressly prohibited unless by my explicit prior request.  I retaliate
viciously against spammers and spam sites.

> -----Original Message-----
> From: Tony Hoyle [mailto:tmh at] 
> Sent: Friday, September 27, 2002 3:00 PM
> To: kerberos at
> Subject: Re: Win logon to a MIT Kerberos V KDC?
> On Fri, 27 Sep 2002 13:47:47 +0000, Turbo Fredriksson wrote:
> >>>>>> "Turbo" == Turbo Fredriksson <turbo at> writes:
> > 
> >     Turbo> Tried again, this time with all the principals having
> >     Turbo> +require_preauth.  Still work. Now I'm happy!
> > 
> > This was even a requirenment! My girlfriend tried to login, didn't 
> > work. What differed was that I had REQUIRES_PRE_AUTH, but 
> she didn't. 
> > Adding it to her principal allowed her to login. Wee (again :)
> >
> I'm coming in late to this discussion.  I'm getting the same 
> 'Preauthentication required' error but can't see from the 
> thread what you did differently.  What was the magic 
> incantation?  I had just assumed the Win2k client didn't 
> support preauthentication (although I'm not happy about 
> switching it off because it lowers security).
> I've recreated the host & user principals with des-cbc-crc as 
> default but still get the error.
> Tony
> ________________________________________________
> Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list