Different error codes between AD KDC and MIT KDC

Jeffrey Altman jaltman2 at nyc.rr.com
Mon Jun 19 08:42:06 EDT 2006

Mike Friedman wrote:
> I've been testing some Kerberos authentication code against both my MIT K5 
> KDC and a Windows Active Directory KDC.  In both cases, I'm using 
> pre-authentication.  However, when I enter an incorrect password, the MIT 
> KDC returns 31 (decrypt integrity check failure), whereas the AD KDC 
> returns 24 (preauth failure).  I'm just wondering what might account for 
> the different responses.
> In fact, this behavior doesn't cause me any problems, since I treat both 
> as meaning that an incorrect password was entered.
> Is this just a difference in the way the two KDC implementations define 
> the meaning of the return codes?  Or might there be a difference in the 
> way the principals are defined in the two KDCs?

It is a difference is the way the RFC 4120 was interpreted.  Microsoft
read section 3.1.3 to indicate that only KDC_ERR_PREAUTH_FAILED may be
returned if the pre-authentication check fails.  MIT has historically
provided the more specific error when the failure condition when the
known key fails to decrypt the request.

Jeffrey Altman

More information about the Kerberos mailing list