[Freeipa-users] krb5kdc Additional pre-authentication required
Sumit Bose
sbose at redhat.com
Mon Sep 30 14:46:59 UTC 2013
On Mon, Sep 30, 2013 at 03:20:46PM +0100, Mohan Cheema wrote:
> Hi,
>
>
>
> We are trying to authenticate from Windows machine and getting below error.
>
>
>
> --------------------
> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18
> 17 23 3 1 24 -135}) 10.43.2.45: NEEDED_PREAUTH: user at DOMAIN.COM for
> krbtgt/DOMAIN.COM at DOMAIN.COM, Additional pre-authentication required
This is expected behaviour. The client will first send the AS-REQ
without any pre-authentication data. If the server requires
pre-authentication for this principal it will return this error to the
client to indicate that pre-authentication is expected.
>
> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18
> 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes {rep=18
> tkt=18 ses=18}, user at DOMAIN.COM for krbtgt/DOMAIN.COM at DOMAIN.COM
In the second AS-REQ the client has included some pre-authentication
data which is accepted by the KDC and a ticket is issued to the client.
HTH
bye,
Sumit
>
> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): TGS_REQ (7 etypes {18
> 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes {rep=18
> tkt=23 ses=23}, user at DOMAIN.COM for host/av.domain.com at DOMAIN.COM
> --------------------
>
>
>
> We followed the instruction to integrate windows for authentication.
>
>
>
> Windows Client: Windows server 2008 R2
>
>
>
> We are not able to figure out what the problem is.
>
>
>
> We are not using DNS server, instead we are using host file entries. DNS
> server setup is not an option for us right now.
>
>
>
> Same user can authenticate from Linux machine.
>
>
>
> Regards,
>
>
>
> Mohan Cheema
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
More information about the Freeipa-users
mailing list