
I have often seen network admins look at a network trace, say "we have a lot of authentication failures", and point to the error KDC_ERR_PREAUTH_REQUIRED. I have spent time educating on why this is not an authentication failure but instead the default behavior. The KDC (Key Distribution Center) requires all accounts to use pre-authentication. However, pre-authentication can be disabled for individual accounts when necessary for compatibility with other implementations of the protocol.

How to disable pre-authentication?

If the box “Do not require Kerberos pre-authentication” is checked in the user account properties, then we never see the “KDC_ERR_PREAUTH_REQUIRED” error in a trace.


Let us look at the initial user authentication process using network traces.




The frame above shows an AS_REQUEST being sent from the client machine to the domain controller. As you can see, nothing is sent along with PaData.

As a result, the DC replies with the error shown in the frame below: KDC_ERR_PREAUTH_REQUIRED.




So the client then sends the AS_REQUEST again, this time with the pre-authentication data, as shown in the frame below: KrbEncTimestamp (Encrypted Time Stamp Pre-Authentication).





As seen above, KDC_ERR_PREAUTH_REQUIRED is not exactly an authentication failure. If Kerberos authentication fails (for example, because of a bad password), then you would see “KDC_ERR_PREAUTH_FAILED” in the trace, as shown below.



Below is the error you will see in a trace when authentication fails for the user. Now it’s time to investigate.

Enable Auditing, and Kerberos logging if required.
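The triage rule described above, as an added example that is not part of the original post: it replays AS exchanges in capture order, ignores KDC_ERR_PREAUTH_REQUIRED as the normal first round trip, and reports only KDC_ERR_PREAUTH_FAILED as a failure. The record layout (`user`, `msg`, `padata`, `error`) and the sample frames are constructed for illustration; the numeric values are the RFC 4120 error codes and the PA-ENC-TIMESTAMP padata type.

```python
# RFC 4120 values: error codes 24/25 and padata type 2 (PA-ENC-TIMESTAMP).
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25
PA_ENC_TIMESTAMP = 2

# Constructed sample frames, in capture order (assumed export format).
SAMPLE_FRAMES = [
    {"user": "alice", "msg": "AS-REQ", "padata": []},
    {"user": "alice", "msg": "KRB-ERROR", "error": 25},
    {"user": "alice", "msg": "AS-REQ", "padata": [2]},
    {"user": "alice", "msg": "AS-REP"},
    {"user": "bob", "msg": "AS-REQ", "padata": []},
    {"user": "bob", "msg": "KRB-ERROR", "error": 25},
    {"user": "bob", "msg": "AS-REQ", "padata": [2]},
    {"user": "bob", "msg": "KRB-ERROR", "error": 24},
    {"user": "svc-legacy", "msg": "AS-REQ", "padata": []},
    {"user": "svc-legacy", "msg": "AS-REP"},
]

def classify_as_exchanges(frames):
    """Return ({user: [outcomes]}, number of PREAUTH_REQUIRED replies ignored)."""
    sent_timestamp = {}   # user -> did the latest AS-REQ carry PA-ENC-TIMESTAMP?
    outcomes = {}
    ignored = 0
    for f in frames:
        user = f["user"]
        if f["msg"] == "AS-REQ":
            sent_timestamp[user] = PA_ENC_TIMESTAMP in f.get("padata", [])
        elif f["msg"] == "KRB-ERROR":
            if f["error"] == KDC_ERR_PREAUTH_REQUIRED:
                ignored += 1          # KDC asking for pre-auth data: not a failure
            elif f["error"] == KDC_ERR_PREAUTH_FAILED:
                outcomes.setdefault(user, []).append("auth_failure")
            else:
                outcomes.setdefault(user, []).append("other_error_%d" % f["error"])
        elif f["msg"] == "AS-REP":
            # A ticket issued to a request without an encrypted timestamp is
            # consistent with pre-auth being disabled on the account (other
            # pre-auth types such as PKINIT are not modelled here).
            label = "success" if sent_timestamp.get(user) else "success_no_preauth"
            outcomes.setdefault(user, []).append(label)
    return outcomes, ignored

if __name__ == "__main__":
    results, skipped = classify_as_exchanges(SAMPLE_FRAMES)
    for user, seen in results.items():
        print(user, seen)
    print("KDC_ERR_PREAUTH_REQUIRED replies ignored:", skipped)
```

In a real capture, key the exchange on client address and port as well as the user name, since several clients can authenticate as the same account at once.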




I hope this is better understood now, and that there is enough clarity when you look at network captures that show KDC_ERR_PREAUTH_REQUIRED and KDC_ERR_PREAUTH_FAILED frames.

  • That makes sense!! Thanks!

  • Thanks for sharing valuable information.

    As per FRAME 1, lsass.exe process is AS_REQ with preauth data. How can I set the same, i.e. force a client system not to send the preauth data to a discovered d.c.?
