handling of kerberos error in win2k

Jeffrey Altman jaltman2 at nyc.rr.com
Mon Jun 21 09:36:09 EDT 2004

When KDC_ERR_PREAUTH_REQUIRED is returned by the KDC,
the client will examine the KRB_ERROR data to determine
if the client understands the desired type of pre-authentication
data which is required.  If it does, it will simply return the
necessary information.  If it does and requires user input
the Kerberos SSP/AP will prompt the user for the necessary
input.  If the required pre-auth data cannot be provided the
Kerberos SSP/AP will return a failure code to the LSA which
in turn will log to the event log.

Jeffrey Altman
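The client-side decision described in the reply above, as an added example that is neither code from the thread nor from the Windows Kerberos SSP/AP: it parses the e-data of a KRB-ERROR carrying KDC_ERR_PREAUTH_REQUIRED (RFC 4120 METHOD-DATA) and decides whether the client can answer silently, must prompt the user, or has to fail. The supported pre-auth set, the decision labels and the sample e-data are assumptions constructed for illustration.

```python
# Added example, not from the thread or from Windows: parse the e-data of a KRB-ERROR carrying
# KDC_ERR_PREAUTH_REQUIRED (RFC 4120: METHOD-DATA ::= SEQUENCE OF PA-DATA, PA-DATA ::= SEQUENCE
# { padata-type [1] Int32, padata-value [2] OCTET STRING }, explicit tagging) and decide whether
# any requested pre-auth type is one this client can satisfy.
KDC_ERR_PREAUTH_REQUIRED = 25                                  # RFC 4120 error-code
PA_ENC_TIMESTAMP, PA_PK_AS_REQ, PA_ETYPE_INFO2 = 2, 16, 19     # RFC 4120 padata-type values
SUPPORTED_PA_TYPES = {PA_ENC_TIMESTAMP}   # hypothetical client: password pre-auth only...
NEEDS_USER_INPUT = {PA_ENC_TIMESTAMP}     # ...which means prompting for the password

def _read_tlv(buf, pos):
    """Read one DER TLV at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _read_explicit(buf, pos, ctx, inner_tag):
    tag, wrapped, pos = _read_tlv(buf, pos)   # [ctx] EXPLICIT wrapper around the real type
    itag, value, _ = _read_tlv(wrapped, 0)
    if tag != 0xA0 | ctx or itag != inner_tag:
        raise ValueError(f"bad tagging: {tag:#x}/{itag:#x}, expected [{ctx}]/{inner_tag:#x}")
    return value, pos

def parse_method_data(edata):
    """Return [(padata-type, padata-value), ...] from a METHOD-DATA blob."""
    _, seq, _ = _read_tlv(edata, 0)                        # outer SEQUENCE OF
    entries, pos = [], 0
    while pos < len(seq):
        _, padata, pos = _read_tlv(seq, pos)               # one PA-DATA SEQUENCE
        ptype, p = _read_explicit(padata, 0, 1, 0x02)      # padata-type  [1] INTEGER
        pvalue, _ = _read_explicit(padata, p, 2, 0x04)     # padata-value [2] OCTET STRING
        entries.append((int.from_bytes(ptype, "big", signed=True), pvalue))
    return entries

def decide_preauth(error_code, edata):
    """Client decision: 'answer' silently, 'prompt' the user, or 'fail' back to the caller."""
    if error_code != KDC_ERR_PREAUTH_REQUIRED:
        return ("not-preauth", [])
    offered = [t for t, _ in parse_method_data(edata)]
    usable = [t for t in offered if t in SUPPORTED_PA_TYPES]
    if not usable:
        return ("fail", offered)          # the SSP would hand a failure code back to the LSA
    return ("prompt" if usable[0] in NEEDS_USER_INPUT else "answer", offered)

# Constructed sample e-data, not captured traffic (short-form DER lengths only).
def _tlv(tag, v): return bytes([tag, len(v)]) + v
def _pa_data(ptype, v): return _tlv(0x30, _tlv(0xA1, _tlv(0x02, bytes([ptype]))) + _tlv(0xA2, _tlv(0x04, v)))
SAMPLE_EDATA = _tlv(0x30, _pa_data(PA_ETYPE_INFO2, b"\x30\x00") + _pa_data(PA_ENC_TIMESTAMP, b""))
PKINIT_ONLY_EDATA = _tlv(0x30, _pa_data(PA_PK_AS_REQ, b""))   # a type this client can't answer
```

With the sample data the KDC offers ETYPE-INFO2 plus encrypted-timestamp, so the client would prompt for a password; with the PKINIT-only sample it has nothing it can provide and reports failure.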

Lara Adianto wrote:

> hi, 
> I found a little light in my search, but haven't found
> a complete answer yet:
> When a user invokes the SAS sequence, winlogon will
> call GINA function: WlxWkstatLockedSAS, which in turn
> will call LsaLogonUser.
> LsaLogonUser does the authentication. If the
> authentication fails, it may return for example
> STATUS_LOGON_FAILURE (if username or password are
> wrong), STATUS_ACCOUNT_RESTRICTION (for example if the
> username and password are correct but the password has
> expired). In the latter case, the LsaLogonUser will set
> SubStatus to STATUS_PASSWORD_EXPIRED. (I simplify the
> whole process to my own needs by the way, it should be
> more complicated than this)
> So I conclude (correct me if I'm wrong) that when the
> will simply return STATUS_LOGON_FAILURE to GINA or
> In case of KDC_ERR_PREAUTH_REQUIRED, is there any way
> for GINA to know that the exact error code, and not
> -lara-
> --- Lara Adianto <m1r4cle_26 at yahoo.com> wrote:
>>I'm experimenting with MIT KDC and windows 2000 as
>>client that authenticates to MIT KDC, and I might
>>to replace the GINA in the windows client in order
>>achieve what I want. 
>>Does anybody know, in windows 2000, who (LSA, GINA,
>>SSP) handles the following issue and how it is
>>1. If the authentication fails because MIT KDC
>>KDC_ERR_KEY_EXPIRED, how does the SSP (I believe
>>SSP who captured this error from KDC) tell the GINA
>>about the failed login ? Will SSP tell GINA the
>>error message (KDC_ERR_PREAUTH_REQUIRED or
>>KDC_ERR_KEY_EXPIRED) or will SSP return another type
>>of error code or even a general error code (in this
>>case GINA is not aware of what caused the error) ?
>>2. who (GINA, LSA,...) logs the error to event
>>This might not be the right forum to discuss it, but
>>I'm not sure to which mailing list I can address
>>thank you,
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
