Kerberos-password failure message?
Douglas E. Engert
deengert at anl.gov
Mon Jan 23 10:58:49 EST 2006
Surendra Babu A wrote:
> Hi Kerberos Team,
>
> This is regarding a Kerberos Authentication issue. If we enter the wrong password at the client side and
> connect with the KDC, the KDC returns a PREAUTH_REQUIRED/PREAUTH_FAILURE error. Right?
>
> In what case does the KDC give a password failure error if we enter the wrong password at the
> Kerberos client side? How do we distinguish the password failure error from the pre-auth error?
> Any thoughts on the same will be appreciated very well.
>
It has to do with what pre-auth data the client sends in the request. If it sends
nothing, then the KDC assumes the client is asking what preauth is needed.
If it sends something, it assumes it has already told the client what to use, and if
the client sends it the wrong data or encrypted in the wrong key, it is a failure.
We ran into something similar with Java that is fixed in 1.6 where they assumed they
knew the correct salt and they skipped the first request.
See:
"Generalized Framework for Kerberos Pre-Authentication"
http://www.ietf.org/internet-drafts/draft-ietf-krb-wg-preauth-framework-02.txt
I think it clarifies all the questions you have. In section 2:
"when a Kerberos client wishes to obtain a ticket using the
authentication server, it sends an initial AS request. If
pre-authentication is being used, then the KDC will respond with a
KDC_ERR_PREAUTH_REQUIRED error. Alternatively, if the client knows
what pre-authentication to use, it MAY optimize a round-trip and send
an initial request with padata included. If the client includes the
wrong padata, the server MAY return KDC_ERR_PREAUTH_FAILED with no
indication of what padata should have been included. For
interoperability reasons, clients that include optimistic
pre-authentication MUST retry with no padata and examine the
KDC_ERR_PREAUTH_REQUIRED if they receive a KDC_ERR_PREAUTH_FAILED in
response to their initial optimistic request."
> Thank you,
> -Surendra
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
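As an added illustration (not part of the thread above or of the draft), the following toy Python model walks through the decision Douglas describes: a KDC that answers KDC_ERR_PREAUTH_REQUIRED to a request with no padata and KDC_ERR_PREAUTH_FAILED to padata it cannot verify, beside a naive optimistic client that guesses the salt (the pre-1.6 Java behaviour) and a client that retries without padata as the draft requires. The `ToyKDC`, `string_to_key` and `enc_timestamp` names are hypothetical; PBKDF2 and HMAC stand in for the real Kerberos string-to-key and encrypted-timestamp mechanisms, and nothing here is the Kerberos wire format.

```python
import hashlib
import hmac

# Toy model of the AS exchange described above; not the real Kerberos wire format.
PREAUTH_REQUIRED = "KDC_ERR_PREAUTH_REQUIRED"
PREAUTH_FAILED = "KDC_ERR_PREAUTH_FAILED"
AS_REP = "AS_REP"

def string_to_key(password, salt):
    # Stand-in for Kerberos string-to-key: the derived key depends on the salt too.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)

def enc_timestamp(key, ts):
    # Stand-in for PA-ENC-TIMESTAMP: a MAC over the timestamp with the client key.
    return hmac.new(key, str(ts).encode(), "sha256").hexdigest()

def make_padata(password, salt, ts):
    return {"ts": ts, "enc_ts": enc_timestamp(string_to_key(password, salt), ts)}

class ToyKDC:
    def __init__(self, principals):
        self.principals = principals  # constructed sample data: principal -> (password, salt)

    def as_req(self, principal, padata=None):
        password, salt = self.principals[principal]
        if padata is None:  # no padata: the client is asking which preauth (and salt) it needs
            return PREAUTH_REQUIRED, {"salt": salt}
        if hmac.compare_digest(padata["enc_ts"], make_padata(password, salt, padata["ts"])["enc_ts"]):
            return AS_REP, None
        return PREAUTH_FAILED, None  # padata present but wrong key: bad password OR bad salt

def naive_optimistic_login(kdc, principal, password, guessed_salt, ts=1000):
    # Pre-1.6 Java behaviour: guess the salt and never retry without padata.
    code, _ = kdc.as_req(principal, make_padata(password, guessed_salt, ts))
    return "authenticated" if code == AS_REP else "wrong password"

def login(kdc, principal, password, guessed_salt=None, ts=1000):
    """Draft-compliant client; returns (outcome, round_trips)."""
    trips = 0
    if guessed_salt is not None:  # optimistic preauth
        trips += 1
        if kdc.as_req(principal, make_padata(password, guessed_salt, ts))[0] == AS_REP:
            return "authenticated", trips
    trips += 1  # PREAUTH_FAILED (or no guess): retry with no padata and take the KDC's hint
    code, hint = kdc.as_req(principal)
    assert code == PREAUTH_REQUIRED
    trips += 1
    code, _ = kdc.as_req(principal, make_padata(password, hint["salt"], ts))
    # Only now does PREAUTH_FAILED really mean the password was wrong.
    return ("authenticated" if code == AS_REP else "wrong password"), trips
```

Run with a correct password and a wrong salt guess, the naive client reports "wrong password" while the retrying client authenticates on its third round trip, which is exactly the ambiguity the draft's MUST-retry rule removes.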