configure Kerberos client to always send (timestamp) preauthentication

Wood, Justin S Justin.S.Wood at
Mon Feb 3 01:39:39 EST 2003

Apologies if this is a dumb question - I've searched and searched but can't find an answer: is there any way to configure the (MIT?) Kerberos client[1] to always send "PA-ENC-TIMESTAMP" preauthentication with the initial 'AS-REQ' interaction?

I'm simply trying to remove the duplication when using a W2K Active Directory KDC whereby the first AS-REQ results in a KRB-ERROR response indicating "KRB5KDC_ERR_PREAUTH_REQUIRED" (and I believe at this point kinit requests the password?); the AS-REQ is resent, this time using the timestamp preauthentication, and a TGT is granted successfully ('AS-REP').

Perhaps I've missed the point, but should it not be possible to configure the client to always send preauth, and hence remove the initial redundant protocol interaction?

Any help much appreciated.

[1] I'm using Redhat 8.0 with Kerberos 1.2.5-8 client

PS - I would never have known this was occurring if it wasn't for the security failure audits on the W2K Domain Controller indicating "Additional pre-authentication required", error code 0x19; this is then followed by the successful granting of a TGT for the target principal.

Justin Wood, Directory Specialist
Directory Technologies, H&I
Telstra Technology
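
Added example, not part of the original post: a small triage routine for the audit pattern described above, which pairs each 0x19 ("Additional pre-authentication required") failure with a later TGT grant for the same principal so that the normal two-step AS exchange can be separated from failures that never resolve. The record layout, the 0x0 success marker, the 30-second window and the principal names are assumptions made for illustration; the sample records are constructed.

```python
from datetime import datetime, timedelta

KDC_ERR_PREAUTH_REQUIRED = 0x19  # error code quoted in the post
TGT_GRANTED = 0x0                # assumed marker for a successful AS-REP

# Constructed sample records (time, principal, result code); not real audit data.
SAMPLE = [
    ("2003-02-03 01:30:00", "alice@EXAMPLE.COM", 0x19),
    ("2003-02-03 01:30:01", "alice@EXAMPLE.COM", 0x0),
    ("2003-02-03 01:31:00", "bob@EXAMPLE.COM", 0x19),
    ("2003-02-03 01:45:00", "bob@EXAMPLE.COM", 0x0),
    ("2003-02-03 01:50:00", "carol@EXAMPLE.COM", 0x19),
]

def triage(records, window_seconds=30):
    """Split 0x19 failures into 'benign' (a TGT grant for the same principal
    follows within the window) and 'unresolved' (late grant or none)."""
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), who, code)
        for ts, who, code in records
    )
    window = timedelta(seconds=window_seconds)
    pending = {}  # principal -> times of 0x19 failures not yet matched
    benign, unresolved = [], []
    for when, who, code in parsed:
        if code == KDC_ERR_PREAUTH_REQUIRED:
            pending.setdefault(who, []).append(when)
        elif code == TGT_GRANTED:
            # One grant settles every outstanding 0x19 for that principal.
            for failed_at in pending.pop(who, []):
                bucket = benign if when - failed_at <= window else unresolved
                bucket.append((who, failed_at))
    # Failures with no later grant at all stay unresolved.
    for who, times in pending.items():
        unresolved.extend((who, t) for t in times)
    return benign, sorted(unresolved, key=lambda item: item[1])

if __name__ == "__main__":
    ok, open_items = triage(SAMPLE)
    print("benign preauth negotiation:", [who for who, _ in ok])
    print("needs a look:", [who for who, _ in open_items])
```

Only the unresolved list is worth an analyst's attention; the benign pairs are the ordinary exchange the post describes.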

