[Freeipa-users] krb5kdc Additional pre-authentication required

[Sumit Bose]

On Mon, Sep 30, 2013 at 03:20:46PM +0100, Mohan Cheema wrote:
> Hi,
> 
>  
> 
> We are trying to authenticate from Windows machine and getting below error.
> 
>  
> 
> --------------------
> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18
> 17 23 3 1 24 -135}) 10.43.2.45: NEEDED_PREAUTH: user at DOMAIN.COM for
> krbtgt/DOMAIN.COM at DOMAIN.COM, Additional pre-authentication required

This is expected behaviour. The client will first send the AS-REQ
without any pre-authentication data. If the server requires
pre-authentication for this principal it will return this error to the
client to indicate that pre-authentication is expected.
> 
> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18
> 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes {rep=18
> tkt=18 ses=18}, user at DOMAIN.COM for krbtgt/DOMAIN.COM at DOMAIN.COM

In the second AS-REQ the client has included some pre-authentication
data which is accepted by the KDC and a ticket is issued to the client.

HTH

bye,
Sumit

> 
> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): TGS_REQ (7 etypes {18
> 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes {rep=18
> tkt=23 ses=23}, user at DOMAIN.COM for host/av.domain.com at DOMAIN.COM
> --------------------
> 
> 
> 
> We followed the instruction to integrate windows for authentication.
> 
>  
> 
> Windows Client: Windows server 2008 R2
> 
>  
> 
> We are not able to figure out what the problem is.
> 
>  
> 
> We are not using DNS server, instead we are using host file entries. DNS
> server setup is not an option for us right now.
> 
>  
> 
> Same user can authenticate from Linux machine.
> 
>  
> 
> Regards,
> 
>  
> 
> Mohan Cheema
> 
>  
> 

> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users