Java Pre-auth for Windows 2003 mixed case revival

Douglas E. Engert deengert at
Thu Feb 10 15:25:46 EST 2005

Mike Chapel wrote:

>>The first problem is Java is sending the pa-enc-timestamp with the first
>>request. If it did not then you would get the (25) response. I think
>>that is the real solution.
>>The pseudo code on page 92 says:
>> if(client.pa_enc_timestamp_required and
>>           pa_enc_timestamp not present) then
>>                error_out(KDC_ERR_PREAUTH_REQUIRED(PA_ENC_TIMESTAMP));
>>        endif
>>>If so since I already send the as-req
>>>automatically with the pa-enc-timestamp, if I get the
>> Don't send any pre-auth in the first request.
> Thats sounds like a valid path to take. Of course
> pa_enc_timestamp_required would have to be a config set option that
> could be set to true or false. 

The KDC has the option to require pre-auth, and most sites require it.

> Some customers wouldn't want the
> performance hit of having to resend the as_req twice as workaround to
> comply with MS AD case name problem. 

The performance is negligible and only only occurs when the user
types in a password so it is hardly noticeable.

Since all other Kerberos clients that I have seen don't have this
client side option, If you add an option, please default it to false
and it will work everywhere.

In the future as PKINIT and /or other pre-auths are implemented, you
may have to send in the first request without any pre-auth just to find
out what the KDC will accept so you might as well do it now too.

> But I do agree that I could
> create a parameter pa_enc_timestamp_required = false then send the
> as_req without an preauth, then handle the (25) scenario. This won't
> fix the problem if they set it to "true". The problem would possibly
> still arise for MS AD , but workable solution for people using MS AD
> 2003.

False should work with any KDC.

> Thanks for the input.

We are looking forward to this fix.

> Michael W. Chapel
> Java Kerberos/JGSS Development
> IBM/Tivoli Java Security 
> Austin Texas


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list