none
KRB5KDC_ERR_PREAUTH_REQUIRED

    Question

  • Does anyone know what the Kerberos error KRB5KDC_ERR_PREAUTH_REQUIRED is all about?  Using Wireshark I see I am receiving this error. I can still log on so I have been able to ignore this, but I would like to know how to fix the issue.  I see:

    padata: PA-ENCTYPE-INFO PA-ENC-TIMESTAMP PA-PK-AS-REP all have values = <missing>

    CAN ANYONE HELP?!?!?

    Thank you.

    TG23

    Tuesday, June 23, 2009 1:33 PM

Answers

  • As far as I understand, that's part of the standard Kerberos authentication process, which takes place prior to granting TGT. You can find out some of its gory details at http://msdn.microsoft.com/en-us/library/cc239727(PROT.10).aspx

    hth
    Marcin
    • Marked as answer by Test Guy 23 Thursday, June 25, 2009 4:48 PM
    Tuesday, June 23, 2009 1:55 PM
  • Hi,

    Based on your description, it seems normal:

    "0x19 (KDC_ERR_PREAUTH_REQUIRED) "Additional pre-authentication"

    The client did not send pre-authorization, or did not send the appropriate type of pre-authorization, to receive a ticket. The client will retry with the appropriate kind of pre-authorization (the KDC returns the pre-authentication type in the error). Many Kerberos implementations will start off without preauthenticated data and only add it in a subsequent request when it sees this error. In this case, this error can safely be ignored."

    For more information, please refer to the following article:
    Description of Common Kerberos-Related Errors in Windows 2000
    http://support.microsoft.com/kb/230476

    An error code is returned when a Kerberos client requests a TGT against a Windows Server 2008-based domain controller: "KERB5KDC_ERR_C_PRINICPAL_UNKNOWN"
    http://support.microsoft.com/kb/951191

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Test Guy 23 Thursday, June 25, 2009 4:49 PM
    • Unmarked as answer by Test Guy 23 Thursday, June 25, 2009 4:49 PM
    • Marked as answer by Test Guy 23 Thursday, June 25, 2009 4:49 PM
    Wednesday, June 24, 2009 7:54 AM

All replies

  • As far as I understand, that's part of the standard Kerberos authentication process, which takes place prior to granting TGT. You can find out some of its gory details at http://msdn.microsoft.com/en-us/library/cc239727(PROT.10).aspx

    hth
    Marcin
    • Marked as answer by Test Guy 23 Thursday, June 25, 2009 4:48 PM
    Tuesday, June 23, 2009 1:55 PM
  • Hello,

    check also "Windows Network Monitoring and Protocol Analysis Tools" in:
    http://technet.microsoft.com/en-us/library/bb463168.aspx
    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, June 23, 2009 4:43 PM
  • Hi,

    Based on your description, it seems normal:

    "0x19 (KDC_ERR_PREAUTH_REQUIRED) "Additional pre-authentication"

    The client did not send pre-authorization, or did not send the appropriate type of pre-authorization, to receive a ticket. The client will retry with the appropriate kind of pre-authorization (the KDC returns the pre-authentication type in the error). Many Kerberos implementations will start off without preauthenticated data and only add it in a subsequent request when it sees this error. In this case, this error can safely be ignored."

    For more information, please refer to the following article:
    Description of Common Kerberos-Related Errors in Windows 2000
    http://support.microsoft.com/kb/230476

    An error code is returned when a Kerberos client requests a TGT against a Windows Server 2008-based domain controller: "KERB5KDC_ERR_C_PRINICPAL_UNKNOWN"
    http://support.microsoft.com/kb/951191

    Thanks.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Test Guy 23 Thursday, June 25, 2009 4:49 PM
    • Unmarked as answer by Test Guy 23 Thursday, June 25, 2009 4:49 PM
    • Marked as answer by Test Guy 23 Thursday, June 25, 2009 4:49 PM
    Wednesday, June 24, 2009 7:54 AM