Kerberos-password failure message? - Kerberos


Thread: Kerberos-password failure message?

  1. Kerberos-password failure message?

    Hi Kerberos Team,

    This is regarding a Kerberos authentication issue. If we enter the wrong password at the client side and connect with the KDC, the KDC returns a PREAUTH_REQUIRED/PREAUTH_FAILURE error. Right?

    In what case does the KDC give a password failure error if we enter the wrong password at the Kerberos client side? How to distinguish the password failure error and the pre-auth error? Any thoughts on the same will be appreciated very well.

    Thank you,
    -Surendra
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Kerberos-password failure message?



    Surendra Babu A wrote:

    > Hi Kerberos Team,
    >
    > This is regarding a Kerberos authentication issue. If we enter the wrong password at the client side and
    > connect with the KDC, the KDC returns a PREAUTH_REQUIRED/PREAUTH_FAILURE error. Right?
    >



    > In what case does the KDC give a password failure error if we enter the wrong password at the
    > Kerberos client side? How to distinguish the password failure error and the pre-auth error?
    > Any thoughts on the same will be appreciated very well.
    >


    It has to do with what pre-auth data the client sends in the request. If it sends
    nothing, then the KDC assumes the client is asking what preauth is needed.

    If it sends something, it assumes it has already told the client what to use, and if
    the client sends it the wrong data or encrypted in the wrong key, it is a failure.

    We ran into something similar with Java that is fixed in 1.6 where they assumed they
    knew the correct salt and they skipped the first request.

    See:
    "Generalized Framework for Kerberos Pre-Authentication"
    http://www.ietf.org/internet-drafts/...amework-02.txt

    I think it clarifies all the questions you have. In section 2:

    "when a Kerberos client wishes to obtain a ticket using the
    authentication server, it sends an initial AS request. If
    pre-authentication is being used, then the KDC will respond with a
    KDC_ERR_PREAUTH_REQUIRED error. Alternatively, if the client knows
    what pre-authentication to use, it MAY optimize a round-trip and send
    an initial request with padata included. If the client includes the
    wrong padata, the server MAY return KDC_ERR_PREAUTH_FAILED with no
    indication of what padata should have been included. For
    interoperability reasons, clients that include optimistic
    pre-authentication MUST retry with no padata and examine the
    KDC_ERR_PREAUTH_REQUIRED if they receive a KDC_ERR_PREAUTH_FAILED in
    response to their initial optimistic request."


    > Thank you,
    > -Surendra
    >


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
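
The retry rule in the quoted draft text, and the wrong-salt case mentioned in the reply, as an added example that is not part of the original thread: a toy KDC and client in Python. `ToyKDC`, `login`, the PBKDF2 key derivation, the HMAC padata and the sample timestamp are constructed stand-ins (assumptions), not real Kerberos string-to-key or PA-ENC-TIMESTAMP; the two error codes are the RFC 4120 values.

```python
import hashlib
import hmac

KDC_ERR_PREAUTH_FAILED = 24    # RFC 4120 error code
KDC_ERR_PREAUTH_REQUIRED = 25  # RFC 4120 error code

def string_to_key(password, salt):
    # Assumption: PBKDF2 stands in for the real Kerberos string-to-key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)

def make_padata(key, timestamp):
    # Assumption: a MAC over the timestamp stands in for an encrypted timestamp.
    return hmac.new(key, timestamp.encode(), hashlib.sha256).digest()

class ToyKDC:
    """Constructed model of a KDC that requires pre-auth for one principal."""
    def __init__(self, password, salt):
        self.salt = salt
        self.key = string_to_key(password, salt)

    def as_req(self, timestamp, padata=None):
        if padata is None:
            # No padata: the client is asking what pre-auth is needed.
            return KDC_ERR_PREAUTH_REQUIRED, {"salt": self.salt}
        if hmac.compare_digest(padata, make_padata(self.key, timestamp)):
            return 0, {}
        # Wrong data or wrong key: failure, with no hint about what to send.
        return KDC_ERR_PREAUTH_FAILED, {}

def login(kdc, password, guessed_salt=None, timestamp="20240101000000Z"):
    """Return (outcome, round_trips) for one AS exchange."""
    trips = 0
    if guessed_salt is not None:
        # Optimistic request: padata built from a salt the client assumed.
        trips += 1
        key = string_to_key(password, guessed_salt)
        code, _ = kdc.as_req(timestamp, make_padata(key, timestamp))
        if code == 0:
            return "ok", trips
        # A failure here is ambiguous (salt or password), so retry with no padata.
    trips += 1
    code, hints = kdc.as_req(timestamp)
    if code != KDC_ERR_PREAUTH_REQUIRED:
        return "unexpected", trips
    # Use the KDC's hints; a failure now means the key (password) is wrong.
    trips += 1
    key = string_to_key(password, hints["salt"])
    code, _ = kdc.as_req(timestamp, make_padata(key, timestamp))
    return ("ok" if code == 0 else "bad-password"), trips
```

Only a PREAUTH_FAILED received after the client has used the KDC's own hints is reported as a password failure; one received on the optimistic request triggers the retry instead.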