https://community.cisco.com/t5/network-access-control/kerberos-pre-authentication-issues-why-now/m-p/1321661#M348059 <HTML><HEAD></HEAD><BODY><P>Hi Steve,</P><P></P><P><SPAN class="content">Pre-authentication on the Active Directory (AD) should be disabled or it can lead to user authentication failure.</SPAN></P><P></P><P>You can check the kerberos authentication example for the same.</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008060f261.shtml">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008060f261.shtml</A></P><P></P><P>HTH</P><P></P><P>JK</P><P></P><P>Plz rate helpful posts-</P></BODY></HTML> Fri, 04 Dec 2009 17:43:45 GMT Jatin Katyal 2009-12-04T17:43:45Z https://community.cisco.com/t5/network-access-control/kerberos-pre-authentication-issues-why-now/m-p/1321660#M347965 <P>Hi all,</P><P></P><P>We recently put up a new Windows 2003 Active Directory domain controller to replace a de-commissioned Windows 2000 DC.&nbsp; When my VPN users try to authenticate to it using Kerberos, they are getting rejected with a pre-authentication failed error.&nbsp; I know that this is a common issue with the ASA, and TAC has confirmed that there's no solution for it yet.&nbsp; However, we have another W2K3 DC that has never had this issue.&nbsp; So why now?&nbsp; Why this new DC?&nbsp; What's the difference between my DCs where one can authenticate a user with pre-authentication enabled and one can't?</P><P></P><P>Any help or information that I can get would be helpful.</P><P></P><P>Thanks,</P><P>- Steve</P> Sun, 10 Mar 2019 23:50:00 GMT https://community.cisco.com/t5/network-access-control/kerberos-pre-authentication-issues-why-now/m-p/1321660#M347965 rstevek 2019-03-10T23:50:00Z https://community.cisco.com/t5/network-access-control/kerberos-pre-authentication-issues-why-now/m-p/1321661#M348059 <HTML><HEAD></HEAD><BODY><P>Hi Steve,</P><P></P><P><SPAN class="content">Pre-authentication on the Active Directory (AD) should be disabled or it can lead to user authentication failure.</SPAN></P><P></P><P>You can check the kerberos authentication example for the same.</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008060f261.shtml">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008060f261.shtml</A></P><P></P><P>HTH</P><P></P><P>JK</P><P></P><P>Plz rate helpful posts-</P></BODY></HTML> Fri, 04 Dec 2009 17:43:45 GMT https://community.cisco.com/t5/network-access-control/kerberos-pre-authentication-issues-why-now/m-p/1321661#M348059 Jatin Katyal 2009-12-04T17:43:45Z https://community.cisco.com/t5/network-access-control/kerberos-pre-authentication-issues-why-now/m-p/1321662#M348137 <HTML><HEAD></HEAD><BODY><P>Hi JK,</P><P></P><P>Thanks for the reply. </P><P></P><P>Right, I understand that, and TAC directed me to the same document.&nbsp; But we have an existing domain controller that we are currently using the authenicate against; pre-authentication is enabled, and it works fine.&nbsp; It's only the NEW domain controller that has this problem.&nbsp; So I'm trying to figure out what the difference is!</P><P></P><P>I would rather NOT disable pre-authentication for all VPN users if possible - there are a lot of them and it lessens the security of Active Directory.</P><P></P><P>Thanks,</P><P>- Steve</P></BODY></HTML> Fri, 04 Dec 2009 18:12:23 GMT https://community.cisco.com/t5/network-access-control/kerberos-pre-authentication-issues-why-now/m-p/1321662#M348137 rstevek 2009-12-04T18:12:23Z https://community.cisco.com/t5/network-access-control/kerberos-pre-authentication-issues-why-now/m-p/5246435#M594170 <P>Sorry to revive a really ancient post, but did you ever figure this out?&nbsp; We're finding that Apple Mac users get their AD account locked after connecting to VPN and a Kerberos pre-auth event occurs.</P> Mon, 13 Jan 2025 13:26:07 GMT https://community.cisco.com/t5/network-access-control/kerberos-pre-authentication-issues-why-now/m-p/5246435#M594170 Scott Wertz 2025-01-13T13:26:07Z