KDC_ERR_PREAUTH_REQUIRED vs. KDC_ERR_PREAUTH_FAILED

         I often seen network admins look at a network trace and say we have a lot of authentication failures and point to the error – KDC_ERR_PREAUTH_REQUIRED. I have spent time educating on why this is not an authentication failure but instead the default behavior. The KDC (Key Distribution Center) requires all accounts to use pre-authentication. However, pre-authentication can be disabled for individual accounts when necessary for compatibility with other implementations of the protocol.

How to disable pre-authentication?

If the box “Do not require Kerberos pre-authentication” was checked on the user account properties then we would never see the error “KDC_ERR_PREAUTH_REQUIRED” message in a trace.

 Let us look at the initial user authentication process using network traces.

FRAME 1:

The above Frame shows you an AS_Request being sent to the domain controller - 192.168.1.25 from Client machine 192.168.1.25. As you observe there is nothing sent along with PaData.

As a result the DC replies with the below error in the below frame – KDC_ERR_PREAUTH_REQUIRED.

FRAME 2:

So the client then sends the AS_REQUEST again with the pre-authentication data as show in the below frame. – KrbEncTimestamp: Encrypted Time Stamp Pre-Authentication.

FRAME 3:

FRAME 4:

As see above the KDC_ERR_PREAUTH_REQUIRED is not exactly an authentication failure. If the Kerberos authentication fails (for example bad password) then you would see “KDC_ERR_PREAUTH_FAILED” in the trace as shown below.

FRAME 5:

Below is the error you will see in a trace when Authentication fails for the user – Now it’s time you investigate. J

Enable Auditing, and Kerberos logging if required.

 I hope its better understood now and there is enough clarity now when you look at network captures that shows KDC_ERR_PREAUTH_REQUIRED & KDC_ERR_PREAUTH_FAILED frames in network traces.