Kerbers Pre-Auth Problem - Kerberos

This is a discussion on Kerbers Pre-Auth Problem - Kerberos ; Security Event (Event ID 675) on an ADS... Pre-authentication failed: User Name: jsmith User ID: DOMAIN\jsmith Service Name: krbtgt/DOMAIN.COM Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.10.10.10 jsmith's account works fine in the domain, but from this particular client ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: Kerbers Pre-Auth Problem

  1. Kerbers Pre-Auth Problem


    Security Event (Event ID 675) on an ADS...

    Pre-authentication failed:
    User Name: jsmith
    User ID: DOMAIN\jsmith
    Service Name: krbtgt/DOMAIN.COM
    Pre-Authentication Type: 0x0
    Failure Code: 0x19
    Client Address: 10.10.10.10

    jsmith's account works fine in the domain, but from this particular
    client it's not working. This client (actually a Cisco network device
    using Kerberbos) authenticates all of the other users ok. Only jsmith
    has a problem, and only from this client.

    I can enable the "Do not require pre-authentication" option under
    ActiveDirectory, and it works, but the fact that I need to do this (and
    only for one person) tells me there's a problem with something else on
    the network.

    Reviewing RFC 1510, I think my failure code means
    KDC_ERR_SERVICE_REVOKED which translates to "Credentials for server
    have been revoked". But it does not make sense to me that the server
    (well, the Cisco device) can still authenticate the other users just
    fine.

    Thanks,
    Scott


  2. Re: Kerbers Pre-Auth Problem

    Was the user's account or username changed since the last password
    change? ANy upper case leters in the account name or principal?
    AD is case insensitive, but Kerberos and the salt are not.

    Is there any java involved? prior to 1.6 java had pre-auth problems.



    Scott Moseman wrote:

    > Security Event (Event ID 675) on an ADS...
    >
    > Pre-authentication failed:
    > User Name: jsmith
    > User ID: DOMAIN\jsmith
    > Service Name: krbtgt/DOMAIN.COM
    > Pre-Authentication Type: 0x0
    > Failure Code: 0x19
    > Client Address: 10.10.10.10
    >
    > jsmith's account works fine in the domain, but from this particular
    > client it's not working. This client (actually a Cisco network device
    > using Kerberbos) authenticates all of the other users ok. Only jsmith
    > has a problem, and only from this client.
    >
    > I can enable the "Do not require pre-authentication" option under
    > ActiveDirectory, and it works, but the fact that I need to do this (and
    > only for one person) tells me there's a problem with something else on
    > the network.
    >
    > Reviewing RFC 1510, I think my failure code means
    > KDC_ERR_SERVICE_REVOKED which translates to "Credentials for server
    > have been revoked". But it does not make sense to me that the server
    > (well, the Cisco device) can still authenticate the other users just
    > fine.
    >
    > Thanks,
    > Scott
    >
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >
    >


    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


+ Reply to Thread