client not responding to KDC_ERR_PREAUTH_REQUIRED

Ben H bhendin at gmail.com
Mon Aug 18 12:56:32 EDT 2014


We have an application that is experiencing some issues when tickets expire.

We receive the KRB_AP_ERR_TKT_EXPIRED from the KDC and then attempt to
re-initiate with AS-REQ.
After re-negotiating over TCP (KRB_ERR_RESPONSE_TOO_BIG), the application
receives the KDC_ERR_PREAUTH_REQUIRED from the KDC (a Windows 2008 DC).

At this point, the client ACKs the session and then properly closes it down
(FIN,ACK).  The problem is that the client never attempts to reissue an
AS-REQ with the PA-ENC-TIMESTAMP.

This does not occur all the time (like after a reboot), but in some cases
when it happens, the client simply can't renew its ticket.

I am simply trying to narrow this down to environmental factors, a Kerberos
behavior, or simply an application bug.

I have never seen a client not respond to a KDC_ERR_PREAUTH_REQUIRED before
without some additional errors (like unsupported etype, etc.).

Can anyone help account for this behavior?

Thanks!
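
An added example, not part of the original post: a small triage check over a decoded Kerberos trace that flags the pattern described above, a KDC_ERR_PREAUTH_REQUIRED that is never followed by an AS-REQ carrying PA-ENC-TIMESTAMP. The numeric constants are from RFC 4120; the tuple layout, the sample traces and the `retry_window` parameter are assumptions made for illustration.

```python
# Kerberos message types, error codes and padata type (RFC 4120).
AS_REQ, AS_REP, KRB_ERROR = 10, 11, 30
KDC_ERR_PREAUTH_REQUIRED = 25
KRB_ERR_RESPONSE_TOO_BIG = 52
PA_ENC_TIMESTAMP = 2

# Constructed sample traces: (seconds, transport, msg_type, error_code, padata_types).
# A real trace would come from a decoded packet capture; this layout is assumed.
STALLED = [
    (0.00, "udp", AS_REQ, None, []),
    (0.01, "udp", KRB_ERROR, KRB_ERR_RESPONSE_TOO_BIG, []),
    (0.02, "tcp", AS_REQ, None, []),
    (0.03, "tcp", KRB_ERROR, KDC_ERR_PREAUTH_REQUIRED, []),
]
HEALTHY = STALLED + [
    (0.05, "tcp", AS_REQ, None, [PA_ENC_TIMESTAMP]),
    (0.06, "tcp", AS_REP, None, []),
]


def classify_as_exchange(trace, retry_window=5.0):
    """Classify one client's AS exchange.

    Returns 'no-preauth-error' if the KDC never asked for pre-authentication,
    'ok' if the request was answered by an AS-REQ with PA-ENC-TIMESTAMP within
    retry_window seconds (hypothetical threshold), and
    'stalled-after-preauth-required' otherwise.
    """
    seen_error = False
    pending_since = None  # time of the unanswered KDC_ERR_PREAUTH_REQUIRED
    for ts, _transport, msg_type, error, padata in sorted(trace, key=lambda e: e[0]):
        if msg_type == KRB_ERROR and error == KDC_ERR_PREAUTH_REQUIRED:
            seen_error = True
            if pending_since is None:
                pending_since = ts
        elif msg_type == AS_REQ and pending_since is not None:
            # Only a retry that actually carries the encrypted timestamp counts.
            if PA_ENC_TIMESTAMP in padata and ts - pending_since <= retry_window:
                pending_since = None
    if not seen_error:
        return "no-preauth-error"
    return "stalled-after-preauth-required" if pending_since is not None else "ok"


if __name__ == "__main__":
    for name, trace in (("stalled", STALLED), ("healthy", HEALTHY)):
        print(name, "->", classify_as_exchange(trace))
```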

