Number of attempts for pre-auth requests after failure

Bhat, Anita Anita.Bhat at transcontinental.ca
Thu Nov 23 14:18:06 EST 2006


Hello,

I'm trying to get a Juniper IVE (VPN SSL) box working with Kerberos
pre-authentication and a Windows AD domain.  We are having account
lockout problems.

After looking at the network traffic, it seems that if someone enters a
wrong password, the Juniper box, when trying to authenticate with
pre-authorization, sends another AS request to the same KDC after
receiving a pre-auth failed message from the server.  This causes two
failed log-in attempts to be logged for the particular Windows account,
even though the user thinks he only tried once.

From what I can understand, the Juniper box should first try the master
KDC and then the slave KDC (the Juniper box has the address of two DCs
configured), but not the same one twice.  I've looked everywhere
(including this list) about how many times a client should try to
pre-authenticate after it receives an error message and I just can't
find the info.

Can someone tell me if this is normal behavior or if I should contact
Juniper to tell them they have a bug?

Thanks,

Anita
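
One way to confirm the pattern described in the message from a summarized packet capture, as an added example that is not part of the original post: it flags pre-auth AS-REQs re-sent to a KDC that has just returned KDC_ERR_PREAUTH_FAILED for the same principal. The event tuples, principals, addresses and the 2-second window are constructed assumptions; the error codes are those of RFC 4120.

```python
from collections import defaultdict

KDC_ERR_PREAUTH_FAILED = 24    # RFC 4120: wrong key in PA-ENC-TIMESTAMP
KDC_ERR_PREAUTH_REQUIRED = 25  # RFC 4120: KDC asks the client to pre-authenticate

# Constructed sample events: (seconds, principal, kdc, message, detail).
# For AS-REQ, detail is True when the request carries PA-ENC-TIMESTAMP;
# for KRB-ERROR, detail is the error code.
SAMPLE = [
    (0.00, "alice@EXAMPLE.TEST", "10.0.0.1", "AS-REQ", False),
    (0.01, "alice@EXAMPLE.TEST", "10.0.0.1", "KRB-ERROR", KDC_ERR_PREAUTH_REQUIRED),
    (0.02, "alice@EXAMPLE.TEST", "10.0.0.1", "AS-REQ", True),
    (0.03, "alice@EXAMPLE.TEST", "10.0.0.1", "KRB-ERROR", KDC_ERR_PREAUTH_FAILED),
    (0.04, "alice@EXAMPLE.TEST", "10.0.0.1", "AS-REQ", True),   # automatic retry, same KDC
    (0.05, "alice@EXAMPLE.TEST", "10.0.0.1", "KRB-ERROR", KDC_ERR_PREAUTH_FAILED),
    (9.00, "bob@EXAMPLE.TEST", "10.0.0.2", "AS-REQ", True),
    (9.01, "bob@EXAMPLE.TEST", "10.0.0.2", "KRB-ERROR", KDC_ERR_PREAUTH_FAILED),
]

def find_same_kdc_retries(events, window=2.0):
    """Pre-auth AS-REQs sent to a KDC within `window` seconds of that same
    KDC rejecting pre-auth for the same principal. The window is an assumed
    bound meant to be too short for a user to have retyped the password."""
    last_failure = {}  # (principal, kdc) -> time of last PREAUTH_FAILED
    retries = []
    for t, principal, kdc, msg, detail in sorted(events, key=lambda e: e[0]):
        key = (principal, kdc)
        if msg == "KRB-ERROR" and detail == KDC_ERR_PREAUTH_FAILED:
            last_failure[key] = t
        elif msg == "AS-REQ" and detail is True:
            failed_at = last_failure.get(key)
            if failed_at is not None and t - failed_at <= window:
                retries.append({"principal": principal, "kdc": kdc,
                                "failed_at": failed_at, "retry_at": t})
    return retries

def failures_per_principal(events):
    """Count PREAUTH_FAILED errors per principal, i.e. the failed log-in
    attempts the message says are logged against the account."""
    counts = defaultdict(int)
    for _, principal, _, msg, detail in events:
        if msg == "KRB-ERROR" and detail == KDC_ERR_PREAUTH_FAILED:
            counts[principal] += 1
    return dict(counts)

if __name__ == "__main__":
    print(find_same_kdc_retries(SAMPLE))
    print(failures_per_principal(SAMPLE))
```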