I often seen network admins look at a network trace and say we have a lot of authentication failures and point to the error – KDC_ERR_PREAUTH_REQUIRED. I have spent time educating on why this is not an authentication failure but instead the default behavior. The KDC (Key Distribution Center) requires all accounts to use pre-authentication. However, pre-authentication can be disabled for individual accounts when necessary for compatibility with other implementations of the protocol.
How to disable pre-authentication?
If the box “Do not require Kerberos pre-authentication” was checked on the user account properties then we would never see the error “KDC_ERR_PREAUTH_REQUIRED” message in a trace.
Let us look at the initial user authentication process using network traces.
The above Frame shows you an AS_Request being sent to the domain controller - 192.168.1.25 from Client machine 192.168.1.25. As you observe there is nothing sent along with PaData.
As a result the DC replies with the below error in the below frame – KDC_ERR_PREAUTH_REQUIRED.
So the client then sends the AS_REQUEST again with the pre-authentication data as show in the below frame. – KrbEncTimestamp: Encrypted Time Stamp Pre-Authentication.
As see above the KDC_ERR_PREAUTH_REQUIRED is not exactly an authentication failure. If the Kerberos authentication fails (for example bad password) then you would see “KDC_ERR_PREAUTH_FAILED” in the trace as shown below.
Below is the error you will see in a trace when Authentication fails for the user – Now it’s time you investigate. J
Enable Auditing, and Kerberos logging if required.
I hope its better understood now and there is enough clarity now when you look at network captures that shows KDC_ERR_PREAUTH_REQUIRED & KDC_ERR_PREAUTH_FAILED frames in network traces.
That makes sense!! Thanks!
Thanks for sharing valuable information.
As per FRAME 1, lsass.exe process is AS_REQ with preauth data. How can i set the same i.e. force a client system not to send the preauth data to a discovered d.c. ?