Kerberos pre-authentication issues - why now?

rstevek · ‎12-04-2009

Hi all,

We recently put up a new Windows 2003 Active Directory domain controller to replace a de-commissioned Windows 2000 DC. When my VPN users try to authenticate to it using Kerberos, they are getting rejected with a pre-authentication failed error. I know that this is a common issue with the ASA, and TAC has confirmed that there's no solution for it yet. However, we have another W2K3 DC that has never had this issue. So why now? Why this new DC? What's the difference between my DCs where one can authenticate a user with pre-authentication enabled and one can't?

Any help or information that I can get would be helpful.

Thanks,

- Steve

Jatin Katyal · ‎12-04-2009

Hi Steve,

Pre-authentication on the Active Directory (AD) should be disabled or it can lead to user authentication failure.

You can check the kerberos authentication example for the same.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008060f261.shtml

HTH

JK

Plz rate helpful posts-

~Jatin

rstevek · ‎12-04-2009

Hi JK,

Thanks for the reply.

Right, I understand that, and TAC directed me to the same document. But we have an existing domain controller that we are currently using the authenicate against; pre-authentication is enabled, and it works fine. It's only the NEW domain controller that has this problem. So I'm trying to figure out what the difference is!

I would rather NOT disable pre-authentication for all VPN users if possible - there are a lot of them and it lessens the security of Active Directory.

Thanks,

- Steve

Scott Wertz · ‎01-13-2025

Sorry to revive a really ancient post, but did you ever figure this out? We're finding that Apple Mac users get their AD account locked after connecting to VPN and a Kerberos pre-auth event occurs.