Kerberos Pre-Auth Problem

Douglas E. Engert deengert at anl.gov
Sat Jul 22 15:13:07 EDT 2006


Was the user's account or username changed since the last password
change? Any upper case letters in the account name or principal?
AD is case insensitive, but Kerberos and the salt are not.

Is there any Java involved? Prior to 1.6, Java had pre-auth problems.



Scott Moseman wrote:

> Security Event (Event ID 675) on an ADS...
> 
> Pre-authentication failed:
>   User Name:  jsmith
>   User ID:  DOMAIN\jsmith
>   Service Name:  krbtgt/DOMAIN.COM
>   Pre-Authentication Type:  0x0
>   Failure Code: 0x19
>   Client Address: 10.10.10.10
> 
> jsmith's account works fine in the domain, but from this particular
> client it's not working.  This client (actually a Cisco network device
> using Kerberos) authenticates all of the other users ok.  Only jsmith
> has a problem, and only from this client.
> 
> I can enable the "Do not require pre-authentication" option under
> ActiveDirectory, and it works, but the fact that I need to do this (and
> only for one person) tells me there's a problem with something else on
> the network.
> 
> Reviewing RFC 1510, I think my failure code means
> KDC_ERR_SERVICE_REVOKED which translates to "Credentials for server
> have been revoked".  But it does not make sense to me that the server
> (well, the Cisco device) can still authenticate the other users just
> fine.
> 
> Thanks,
> Scott
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
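
The case-sensitivity point in the reply above, as an added example that is not part of the original message: it builds the RFC 4120 default salt (realm followed by the name components) and runs only the PBKDF2 step of the RFC 3962 AES string-to-key, to show that a name differing only in case yields different key material. The password and the `JSmith` spelling are constructed, the function names are hypothetical, and the thread does not say which encryption type the Cisco device uses.

```python
import hashlib
import hmac


def default_salt(realm: str, *components: str) -> bytes:
    """RFC 4120 default salt: realm, then name components, no separators."""
    return (realm + "".join(components)).encode("utf-8")


def pbkdf2_step(password: str, salt: bytes,
                iterations: int = 4096, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key.

    The full AES string-to-key applies a further derivation to this
    output; this stage is already enough to show the salt's effect.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, iterations, length)


def compare_names(password: str, realm: str,
                  name_at_password_set: str, name_sent_by_client: str) -> dict:
    """Compare the key material each side would derive.

    name_at_password_set: spelling the directory held when the password
    was last changed (the salt baked into the stored key).
    name_sent_by_client: spelling the client uses to build its own salt.
    """
    kdc_salt = default_salt(realm, name_at_password_set)
    client_salt = default_salt(realm, name_sent_by_client)
    kdc_key = pbkdf2_step(password, kdc_salt)
    client_key = pbkdf2_step(password, client_salt)
    return {
        # A case-insensitive directory lookup treats both as one account.
        "same_account_case_insensitive":
            name_at_password_set.lower() == name_sent_by_client.lower(),
        "salts_match": kdc_salt == client_salt,
        # Different keys mean the encrypted-timestamp pre-auth data
        # produced by the client cannot be decrypted by the KDC.
        "keys_match": hmac.compare_digest(kdc_key, client_key),
    }


if __name__ == "__main__":
    # Constructed inputs: realm and user from the thread, password invented.
    print(compare_names("Constructed-Passw0rd", "DOMAIN.COM", "JSmith", "jsmith"))
    print(compare_names("Constructed-Passw0rd", "DOMAIN.COM", "jsmith", "jsmith"))
```
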


