[Freeipa-users] krb5kdc Additional pre-authentication required

Dmitri Pal dpal at redhat.com
Thu Oct 3 21:05:36 UTC 2013


On 09/30/2013 10:59 PM, Mohan Cheema wrote:
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Sumit Bose
>> Sent: Monday, September 30, 2013 3:47 PM
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] krb5kdc Additional pre-authentication required
>>
>> On Mon, Sep 30, 2013 at 03:20:46PM +0100, Mohan Cheema wrote:
>>> Hi,
>>>
>>>
>>>
>>> We are trying to authenticate from a Windows machine and are getting the error below.
>>>
>>>
>>> --------------------
>>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: NEEDED_PREAUTH: user at DOMAIN.COM for krbtgt/DOMAIN.COM at DOMAIN.COM, Additional pre-authentication required
>> This is expected behaviour. The client will first send the AS-REQ
>> without any pre-authentication data. If the server requires
>> pre-authentication for this principal it will return this error to the
>> client to indicate that pre-authentication is expected.
>>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes {rep=18 tkt=18 ses=18}, user at DOMAIN.COM for krbtgt/DOMAIN.COM at DOMAIN.COM
>> In the second AS-REQ the client has included some pre-authentication
>> data which is accepted by the KDC and a ticket is issued to the client.
>>
>> HTH
>>
>> bye,
>> Sumit
>>
>>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): TGS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes {rep=18 tkt=23 ses=23}, user at DOMAIN.COM for host/av.domain.com at DOMAIN.COM
>>> --------------------
>>>
>>>
>>>
>>> We followed the instructions to integrate Windows for authentication.
>>>
>>>
>>>
>>> Windows Client: Windows server 2008 R2
>>>
>>>
>>>
>>> We are not able to figure out what the problem is.
>>>
>>>
>>>
>>> We are not using a DNS server; instead we are using host file entries.
>>> DNS server setup is not an option for us right now.
>>>
>>>
>>>
>>> The same user can authenticate from a Linux machine.
>>>
>>>
>>>
>>> Regards,
>>>
>>>
>>>
>>> Mohan Cheema
>>>
>>>
>>>
>>> _______________________________________________
>>> Freeipa-users mailing list
>>> Freeipa-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> Thanks for the info Sumit.
>
> However, if a ticket is issued, the user should be able to log in to the system.
> Instead, on Windows we are getting "user name or password is incorrect". Are
> there any other settings that need to be done so that the user can log in to the system?


This thread seems to have no follow-up.
Was the problem solved?
AFAIR, for a Windows system to allow the authentication, one really needs to
map the user to a local user.
There were some instructions in the HOWTO section of the IPA wiki.
Have you checked them?

>
> Regards,
>
> Mohan
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

