11-11-2008 09:14 AM - edited 03-10-2019 04:11 PM
Hi all,
I have a brand-new problem that just cropped up on my ASA. We are using Kerberos authentication for console, ASA, and ASDM access. When anyone tries to log in, our domain controller logs a Security Event ID 675 with failure code 0x19 (pre-authentication failed) and login is denied. (The ASA sends a SA-6-113005 syslog message out.)
On Friday I hard-booted the ASA and after it came back up, the problem was gone, so I chalked it up to gremlins. But now it's back! I'm totally stumped! I hope someone can help.
Thanks,
- Steve
11-17-2008 02:53 PM
Error Message - %PIX|ASA-6-113005: AAA user authentication Rejected: reason = string: server = server_IP_address, User = user
Explanation - This is an indication that either an authentication or authorization request for a user associated with an IPSec or WebVPN connection has been rejected. Details of why the request was rejected are provided in the reason field. server_IP_address is the IP address of the relevant AAA server. user is the user name associated with the connection. aaa_operation is either authentication or authorization.
Check if Pre-authentication on the Active Directory (AD) is disabled or it can lead to user authentication failure. If it is not disabled, please disable the same to avoid the errors. One frequent cause of authentication failure is clock skew. Be sure that the clocks on the PIX or ASA and your authentication server are synchronized.
11-18-2008 06:42 AM
Hi,
Thanks for the message. I opened a case with TAC a few days ago and was told that the symptoms I'm seeing are consistent with bug ID CSCsi32224. There's no workaround currently, but it goes away after a reboot for a while. In the meantime, I've configured the ASA for local authentication instead.
Thanks,
- Steve
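Added example, not part of any post in this thread and not Cisco code: a small Python parser for the 113005 message format quoted above that groups rejections by AAA server, which separates "every user is rejected by one server" (the symptom described in the first post) from a single account with a bad password. The sample log lines, the addresses and user names, the tolerant `:`/`,` separator handling and the `min_users` threshold are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Field layout follows the message format quoted in the thread; accepting
# either ":" or "," between fields and ignoring case are assumptions.
REJECT_RE = re.compile(
    r"%(?:PIX|ASA)-6-113005: AAA user authentication Rejected\s*:\s*"
    r"reason = (?P<reason>.+?)\s*[:,]\s*server = (?P<server>\S+?)\s*[:,]\s*"
    r"user = (?P<user>\S+)",
    re.IGNORECASE,
)

# Constructed sample syslog lines (not taken from the thread).
SAMPLE_LOG = """\
Nov 11 09:01:12 fw1 %ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: server = 192.0.2.10, User = alice
Nov 11 09:02:40 fw1 %ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: server = 192.0.2.10, User = bob
Nov 11 09:03:05 fw1 %ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: server = 192.0.2.10, User = carol
Nov 11 09:03:30 fw1 %ASA-6-113005: AAA user authentication Rejected: reason = AAA failure: server = 192.0.2.20, User = dave
Nov 11 09:04:00 fw1 %ASA-6-302013: Built outbound TCP connection 1 for outside:198.51.100.5/443
"""


def parse_rejects(log_text):
    """Return a (server, user, reason) tuple for each 113005 line found."""
    rejects = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rejects.append((m["server"], m["user"], m["reason"]))
    return rejects


def servers_rejecting_many_users(log_text, min_users=3):
    """Map server -> sorted users for servers that rejected >= min_users distinct users."""
    users = defaultdict(set)
    for server, user, _reason in parse_rejects(log_text):
        users[server].add(user)
    return {s: sorted(u) for s, u in users.items() if len(u) >= min_users}


if __name__ == "__main__":
    for server, users in servers_rejecting_many_users(SAMPLE_LOG).items():
        print(f"{server}: rejected {len(users)} distinct users: {', '.join(users)}")
```

A server that appears in the result is a prompt to check the items raised in the replies (clock synchronization between the ASA and the authentication server, or a device-side defect) before resetting individual passwords.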