[Freeipa-users] krb5kdc Additional pre-authentication required

Mohan Cheema mohan.cheema at arrkgroup.com
Tue Oct 1 02:59:17 UTC 2013


> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Sumit Bose
> Sent: Monday, September 30, 2013 3:47 PM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc Additional pre-authentication required
> 
> On Mon, Sep 30, 2013 at 03:20:46PM +0100, Mohan Cheema wrote:
> > Hi,
> >
> >
> >
> > We are trying to authenticate from Windows machine and getting below error.
> >
> > --------------------
> > Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: NEEDED_PREAUTH: user at DOMAIN.COM for krbtgt/DOMAIN.COM at DOMAIN.COM, Additional pre-authentication required
> 
> This is expected behaviour. The client will first send the AS-REQ
> without any pre-authentication data. If the server requires
> pre-authentication for this principal it will return this error to the
> client to indicate that pre-authentication is expected.
> >
> > Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes {rep=18 tkt=18 ses=18}, user at DOMAIN.COM for krbtgt/DOMAIN.COM at DOMAIN.COM
> 
> In the second AS-REQ the client has included some pre-authentication
> data which is accepted by the KDC and a ticket is issued to the client.
> 
> HTH
> 
> bye,
> Sumit
> 
> >
> > Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): TGS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes {rep=18 tkt=23 ses=23}, user at DOMAIN.COM for host/av.domain.com at DOMAIN.COM
> > --------------------
> >
> >
> >
> > We followed the instruction to integrate windows for authentication.
> >
> >
> >
> > Windows Client: Windows server 2008 R2
> >
> >
> >
> > We are not able to figure out what the problem is.
> >
> >
> >
> > We are not using DNS server, instead we are using host file entries. DNS
> > server setup is not an option for us right now.
> >
> >
> >
> > Same user can authenticate from Linux machine.
> >
> >
> >
> > Regards,
> >
> >
> >
> > Mohan Cheema
> >
> >
> >
> 
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> 

Thanks for the info Sumit.

However, if a ticket is issued, the user should be able to log in to the system.
Instead, on Windows we are getting "user name or password is incorrect". Are there
any other settings that need to be done so that the user can log in to the system?


Regards,

Mohan
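
The sequence Sumit describes, as an added example that is not part of the original messages: a Python script that pairs each NEEDED_PREAUTH line with the AS_REQ ISSUE that follows for the same client, so that only requests which never received a ticket stand out. The sample lines are constructed in the format of the log quoted above (principals written with `@`, as krb5kdc logs them); the `10.43.2.46` / `other@DOMAIN.COM` line is invented for the unresolved case.

```python
import re
from collections import defaultdict

# krb5kdc request line: <REQ> (N etypes {...}) <ip>: <STATUS>: ... <client> for <service>[, text]
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) "
    r"(?P<ip>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$")
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<service>[^,\s]+)")
# tkt= is the ticket's enctype: 18 = aes256-cts-hmac-sha1-96, 23 = rc4-hmac
TKT_RE = re.compile(r"etypes \{rep=-?\d+ tkt=(-?\d+) ses=-?\d+\}")

def correlate(lines):
    """Pair each NEEDED_PREAUTH with a later AS_REQ ISSUE for the same (ip, client)."""
    pending = defaultdict(int)      # (ip, client) -> unanswered NEEDED_PREAUTH count
    completed, issued = [], []
    for line in lines:
        m = LINE_RE.search(line)
        p = PRINC_RE.search(m.group("rest")) if m else None
        if not p:
            continue                # not a request line we understand
        key = (m.group("ip"), p.group("client"))
        if m.group("status") == "NEEDED_PREAUTH":
            pending[key] += 1
        elif m.group("status") == "ISSUE":
            t = TKT_RE.search(m.group("rest"))
            issued.append((m.group("req"), p.group("service"),
                           int(t.group(1)) if t else None))
            if m.group("req") == "AS_REQ" and pending[key]:
                pending[key] -= 1   # the retry with pre-auth data was accepted
                completed.append(key)
    unresolved = sorted(k for k, n in pending.items() if n)
    return completed, unresolved, issued

# Constructed sample: lines 1-3 follow the thread's log; line 4 is invented.
PFX = "Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): "
OFFER = "(7 etypes {18 17 23 3 1 24 -135}) "
SAMPLE = [
    PFX + "AS_REQ " + OFFER + "10.43.2.45: NEEDED_PREAUTH: user@DOMAIN.COM for "
    "krbtgt/DOMAIN.COM@DOMAIN.COM, Additional pre-authentication required",
    PFX + "AS_REQ " + OFFER + "10.43.2.45: ISSUE: authtime 1380550054, etypes "
    "{rep=18 tkt=18 ses=18}, user@DOMAIN.COM for krbtgt/DOMAIN.COM@DOMAIN.COM",
    PFX + "TGS_REQ " + OFFER + "10.43.2.45: ISSUE: authtime 1380550054, etypes "
    "{rep=18 tkt=23 ses=23}, user@DOMAIN.COM for host/av.domain.com@DOMAIN.COM",
    PFX + "AS_REQ " + OFFER + "10.43.2.46: NEEDED_PREAUTH: other@DOMAIN.COM for "
    "krbtgt/DOMAIN.COM@DOMAIN.COM, Additional pre-authentication required",
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```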



