Using PREAUTH on the initial AS_REQ

Jack Neely jjneely at ncsu.edu
Wed Sep 19 16:07:47 EDT 2012


Greetings,

I have a performance issue between my KDCs and our radius servers that
have very heavy authentication load.  As our principals have PREAUTH
required, there's much more RPC traffic to the KDCs than with PREAUTH
turned off.  Combined with the kprop happening every 5 minutes our
radius servers sometimes encounter a 3 or 5 second delay, and with 600
requests a minute things quickly cascade.

How can I configure a RHEL 6 Kerberos client to use PREAUTH on the
initial AS_REQ?  (We are just using PA-ENC-TIMESTAMP.)  Testing with a
principal that does not require PREAUTH shows a marked performance
increase.

Secondly, my KDCs are getting quite a few PREAUTH_FAILED error messages
which seems to indicate the client used a PREAUTH type the KDC did not
understand.  Will setting preferred_preauth_types in krb5.conf to use
PA-ENC-TIMESTAMP first correct this?  What's the right incantation?

Jack Neely

-- 
Jack Neely <jjneely at ncsu.edu>
Linux Czar, OIT Campus Linux Services
Office of Information Technology, NC State University
GPG Fingerprint: 1917 5AC1 E828 9337 7AA4  EA6B 213B 765F 3B6A 5B89

