Using PREAUTH on the initial AS_REQ
Jack Neely
jjneely at ncsu.edu
Thu Sep 20 15:09:22 EDT 2012
On Wed, Sep 19, 2012 at 04:07:47PM -0400, Jack Neely wrote:
> Greetings,
>
> I have a performance issue between my KDCs and our radius servers that
> have very heavy authentication load. As our principals have PREAUTH
> required there's much more RPC traffic to the KDCs than with PREAUTH
> turned off. Combined with the kprop happening every 5 minutes our
> radius servers sometimes encounter a 3 or 5 second delay, and with 600
> requests a minute things quickly cascade.
>
> How can I configure a RHEL 6 Kerberos client to use PREAUTH on the
> initial AS_REQ? (We are just using PA-ENC-TIMESTAMP.) Testing with a
> principal that does not require PREAUTH shows a marked performance
> increase.
>
> Secondly, my KDCs are getting quite a few PREAUTH_FAILED error messages
> which seems to indicate the client used a PREAUTH type the KDC did not
> understand. Will setting preferred_preauth_types in krb5.conf to use
> PA-ENC-TIMESTAMP first correct this? What's the right incantation?
>
Nothing like replying to your own email. A network capture has revealed
what's happening with the PREAUTH_FAILED error messages. My newer
clients (krb5 1.9 on RHEL 6) are sending an AS_REQ to my KDCs with a
preauthentication data of type PA-REQ-ENC-PA-REP (149).
My KDCs are RHEL 5 running krb5 1.6.1 and in this case return error code
KRB5KDC_ERR_PREAUTH_FAILED (24). At this point the client tries an
AS_REQ with either no preauth or PA-ENC-TIMESTAMP.
As my 1.6.1 KDC doesn't support the PA-REQ-ENC-PA-REP extension,
shouldn't it be ignoring the preauth data rather than returning an
error?
Jack Neely
--
Jack Neely <jjneely at ncsu.edu>
Linux Czar, OIT Campus Linux Services
Office of Information Technology, NC State University
GPG Fingerprint: 1917 5AC1 E828 9337 7AA4 EA6B 213B 765F 3B6A 5B89
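A toy model of the exchange described in the message above, added here as an illustration and not code from the thread or from MIT krb5: it counts the KDC round trips a client needs under the two KDC behaviours contrasted there (rejecting unknown padata with PREAUTH_FAILED versus ignoring it). Padata type and error numbers come from the thread and RFC 4120; the client's fallback order (drop the optimistic padata on PREAUTH_FAILED, answer PREAUTH_REQUIRED with a timestamp) is an assumption.

```python
"""Toy model of the AS_REQ preauth exchange from the thread above.
Not krb5 code: it only counts KDC round trips for the behaviours described."""

PA_ENC_TIMESTAMP = 2            # RFC 4120
PA_REQ_ENC_PA_REP = 149         # padata type seen in the capture
KDC_ERR_PREAUTH_FAILED = 24     # what the krb5 1.6.1 KDC returned
KDC_ERR_PREAUTH_REQUIRED = 25   # RFC 4120
AS_REP = "AS_REP"


def kdc_handle_as_req(padata, preauth_required, ignore_unknown):
    """Model the KDC's padata check on one AS_REQ.

    ignore_unknown=False reproduces the 1.6.1 behaviour from the capture:
    any padata type the KDC does not understand yields PREAUTH_FAILED.
    ignore_unknown=True is the assumed alternative the message asks about.
    """
    supported = {PA_ENC_TIMESTAMP}
    if any(t not in supported for t in padata) and not ignore_unknown:
        return KDC_ERR_PREAUTH_FAILED
    if preauth_required and PA_ENC_TIMESTAMP not in padata:
        return KDC_ERR_PREAUTH_REQUIRED
    return AS_REP


def client_get_tgt(initial_padata, preauth_required, ignore_unknown):
    """Model the client's retry loop; returns (final result, round trips).

    Assumed fallback: on PREAUTH_FAILED the client drops its optimistic
    padata and retries with none; on PREAUTH_REQUIRED it answers with
    PA-ENC-TIMESTAMP.
    """
    padata = list(initial_padata)
    for trips in range(1, 4):                     # bound the loop
        result = kdc_handle_as_req(padata, preauth_required, ignore_unknown)
        if result == AS_REP:
            return result, trips
        if result == KDC_ERR_PREAUTH_FAILED:
            padata = []
        elif result == KDC_ERR_PREAUTH_REQUIRED:
            padata = [PA_ENC_TIMESTAMP]
    return result, trips


if __name__ == "__main__":
    for label, padata, req, ign in [
        ("1.9 client vs 1.6.1 KDC, preauth required", [PA_REQ_ENC_PA_REP], True, False),
        ("same, KDC ignoring unknown padata", [PA_REQ_ENC_PA_REP], True, True),
        ("1.9 client vs 1.6.1 KDC, preauth off", [PA_REQ_ENC_PA_REP], False, False),
        ("timestamp sent on the initial AS_REQ", [PA_ENC_TIMESTAMP], True, False),
    ]:
        print(f"{label}: {client_get_tgt(padata, req, ign)}")
```

Under this model the 1.9-client-against-1.6.1-KDC case with preauth required costs three round trips, an ignoring KDC two, and a client that sends PA-ENC-TIMESTAMP on the first AS_REQ one, which matches the relative performance reported in the message.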