I have often seen network admins look at a network trace, say "we have a lot of authentication failures", and point to the error KDC_ERR_PREAUTH_REQUIRED. I have spent time explaining why this is not an authentication failure but the default behavior. The KDC (Key Distribution Center) requires all accounts to use pre-authentication. However, pre-authentication can be disabled for individual accounts when necessary for compatibility with other implementations of the protocol.
How to disable pre-authentication?
If the box “Do not require Kerberos pre-authentication” is checked in the user account properties, we would never see the KDC_ERR_PREAUTH_REQUIRED message in a trace for that account.
Let us look at the initial user authentication process using network traces.
The frame above shows an AS_REQ being sent to the domain controller (192.168.1.25) from the client machine (192.168.1.25). As you can observe, nothing is sent along with it in PaData.
As a result, the DC replies with the error KDC_ERR_PREAUTH_REQUIRED, shown in the frame below.
The client then sends the AS_REQ again with pre-authentication data, as shown in the frame below: KrbEncTimestamp, the encrypted timestamp pre-authentication.
As seen above, KDC_ERR_PREAUTH_REQUIRED is not an authentication failure. If Kerberos authentication actually fails (for example, a bad password), you would instead see KDC_ERR_PREAUTH_FAILED in the trace, as shown below.
Below is the error you will see in a trace when authentication fails for the user. Now it is time to investigate.
Enable auditing, and Kerberos logging if required.
I hope this is now better understood and that there is enough clarity when you look at network captures containing KDC_ERR_PREAUTH_REQUIRED and KDC_ERR_PREAUTH_FAILED frames.
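As an added example that is not part of the original post, the small Python routine below walks frame records and applies the distinction made above: error 25 (KDC_ERR_PREAUTH_REQUIRED) is the normal round trip, error 24 (KDC_ERR_PREAUTH_FAILED) is the real failure, and an AS_REP answering a request with no encrypted timestamp points at an account with pre-authentication disabled. The frame records are constructed to mirror the trace in the post; the field layout, the second client addresses and the function names are assumptions.

```python
# Added example (not from the original post): classify Kerberos AS-exchange frames so
# that KDC_ERR_PREAUTH_REQUIRED is reported as the default round trip and only
# KDC_ERR_PREAUTH_FAILED is counted as an authentication failure.
# The frame records below are constructed; a real capture would be exported from a
# protocol analyzer first (the tuple layout used here is an assumption).
from collections import defaultdict

KDC_ERR_PREAUTH_FAILED = 24      # RFC 4120 error codes
KDC_ERR_PREAUTH_REQUIRED = 25
PA_ENC_TIMESTAMP = 2             # padata-type of the encrypted timestamp (KrbEncTimestamp)

# Constructed sample frames: (frame no., client, message type, padata types, error code)
SAMPLE_FRAMES = [
    (1, "192.168.1.25", "AS-REQ", [], None),                       # no PaData
    (2, "192.168.1.25", "KRB-ERROR", [], KDC_ERR_PREAUTH_REQUIRED), # default behaviour
    (3, "192.168.1.25", "AS-REQ", [PA_ENC_TIMESTAMP], None),        # retry with timestamp
    (4, "192.168.1.25", "AS-REP", [], None),                        # TGT issued
    (5, "192.168.1.40", "AS-REQ", [PA_ENC_TIMESTAMP], None),
    (6, "192.168.1.40", "KRB-ERROR", [], KDC_ERR_PREAUTH_FAILED),   # bad password
    (7, "192.168.1.60", "AS-REQ", [], None),
    (8, "192.168.1.60", "AS-REP", [], None),                        # TGT with no pre-auth
]

def triage(frames):
    """Per-client counts of benign pre-auth round trips, real pre-auth failures,
    and TGTs issued to requests that carried no pre-authentication data."""
    result = defaultdict(lambda: {"preauth_required": 0, "preauth_failed": 0,
                                  "tgt_without_preauth": 0})
    last_req = {}   # client -> padata types of its most recent AS-REQ
    for _, client, msg, padata, err in frames:
        if msg == "AS-REQ":
            last_req[client] = padata
        elif msg == "KRB-ERROR" and err == KDC_ERR_PREAUTH_REQUIRED:
            result[client]["preauth_required"] += 1  # not a failure: client will retry
        elif msg == "KRB-ERROR" and err == KDC_ERR_PREAUTH_FAILED:
            result[client]["preauth_failed"] += 1    # wrong credentials: investigate
        elif msg == "AS-REP" and PA_ENC_TIMESTAMP not in last_req.get(client, []):
            # A TGT answered a request with no encrypted timestamp, which is what the
            # "Do not require Kerberos pre-authentication" setting produces in a trace.
            result[client]["tgt_without_preauth"] += 1
    return dict(result)

def clients_needing_investigation(frames):
    """Clients with at least one KDC_ERR_PREAUTH_FAILED, the only real failure here."""
    return sorted(c for c, r in triage(frames).items() if r["preauth_failed"])

if __name__ == "__main__":
    for client, counts in triage(SAMPLE_FRAMES).items():
        print(client, counts)
    print("investigate:", clients_needing_investigation(SAMPLE_FRAMES))
```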
That makes sense!! Thanks!
Thanks for sharing valuable information.
As per FRAME 1, the lsass.exe process is sending an AS_REQ with preauth data. How can I set the same, i.e. force a client system not to send the preauth data to a discovered DC?
@Harmandeep - Frame 1 shows that the client does not send pre-auth data (KrbEncTimestamp) by default, and in frame 3 it sends the pre-auth since it received pre-auth required from the DC (frame 2).
@Harmandeep - If you were asking how you can still get a TGT without sending pre-auth data: you will have to go to the user properties and check the box that says "Do not require Kerberos pre-authentication". But remember this can break some applications like Citrix, which does not support it in their XenCenter and XenServer.
A quick search online will take you to:
Active Directory Stops Working When Kerberos Pre-Authentication Disabled
That's great, super explanation!