
Kerberos authentication (T-shoot) between the ASA and Windows Active Directory Server
    Kerberos authentication does not work between the ASA and Windows Active Directory Server

    What is Kerberos Authentication?

    The Kerberos authentication system is built on top of tickets (sometimes also called credentials). The core idea behind Kerberos is that you don't hand out your account password to each service you want to use. Instead, you keep all of your tickets on your local system and only show each service a ticket specifically for that service, one that can't be used for any other purpose.

    When you first start using your system (when you log in to Kerberos for Windows or Kerberos for Macintosh, or when you run kinit on a UNIX system), you use your password to get a master ticket called a TGT (ticket-granting ticket). This master ticket expires in 25 hours, after which you will need to enter your password again to get another one.

    Whenever you go to a service that uses Kerberos, you show that master ticket to the Kerberos server and get a ticket specifically for that service. Then, you show the ticket just for that service to the service to prove who you are. All of those tickets are stored on your local system in what is called a ticket cache.

    Using your password is like using a birth certificate, citizenship, or immigration papers to prove who you are. It's annoying to have to type, not well-protected against forgery, and contains all the information required to steal your identity. You don't want to present those papers every time someone needs to identify you. Instead, you use those papers to get an identification card (a passport, a driver's license, a state ID card, or a Stanford ID card). That ID card is like a Kerberos TGT. It is still very powerful, but it's more convenient and has better anti-forgery protection. You can then use that ID card to prove your identity and get other identifiers intended for specific situations: a movie ticket or a pre-paid phone card, for example. Single-purpose identifiers like movie tickets are similar to Kerberos service tickets.

    The obvious advantage of this system is that each service gets only the ticket for that service. You don't hand over your ID card, and therefore the service doesn't have an opportunity to grab your ID card and use it to impersonate you. Used as designed, Kerberos not only protects against someone trying to access your mail or your files directly. It also protects against someone pretending to be your mail server to steal your identity and use it somewhere else.

    Core issues and Resolutions

    [ 1.] One possible cause of this issue is a difference between the clocks on the Adaptive Security Appliance (ASA) and the Active Directory (AD) server. When you run the test command on the ASA, you will see the error: ERROR: Authentication Rejected: Clock skew greater than 300 seconds. In order to ensure that Kerberos authentication works, make sure the clock settings on the ASA and the AD server are the same and that they synchronize properly.

    [ 2.] A realm is where the Kerberos database is stored. The Kerberos realm name is case sensitive, and it is always the all-uppercase version of the domain name. Make sure you enter the kerberos-realm in upper case, for example REALM.CISCO.COM. If it is entered in lower case, the test command will fail.

    aaa-server KERBEROS protocol kerberos
    aaa-server KERBEROS (inside) host x.x.x.x
    kerberos-realm REALM.CISCO.COM

    [ 3.] Login fails for some users when authenticating against Kerberos. To troubleshoot, run "debug kerberos 127" to see the error message. You will come across the following error:

    Attempting to parse error response from kerberos server. Kerberos library reports: "Preauthentication failed"

    In the majority of cases, this occurs when Windows Server 2008 is in place.

    Resolution: Disable pre-authentication for the affected user account.

    Open the program for user management and check the user properties.

    User properties---> Account Tab ---> Account Options

    [x]Do not require Kerberos pre-authentication

    Please note that the ASA does support Kerberos pre-authentication, so disabling pre-authentication is not usually needed to make things work. Disabling pre-authentication only makes the Kerberos packets smaller, so they may fit within the default 1465-byte Windows UDP limit. If a user is a member of too many AD groups, the authentication will still fail.

    [ 4.] If you see no response at all when verifying the configuration with the test command, make sure TCP/UDP port 88 is open between the ASA and the AD server. Windows Server 2008 ships with software-based firewalls; make sure they are not blocking the connection.

    Known issues

    CSCsi32224 - ASA does not switch to TCP upon receiving Kerberos error code 52

    CSCtd92673 - Kerberos authentication fails with pre-auth enabled

    NOTE: Kerberos doesn't support authorization.


    •  test aaa authentication <server-group> host <server-ip-add> username <username> password <password> - authenticates the user against Kerberos
    •  show run aaa-server - shows the server configuration
    •  show run dns - ensures that DNS resolution has the domain-name configured
    •  show clock - the time on the ASA needs to be in sync with the time on the domain controller, within a 5-minute range
    •  debug kerberos 127 - enables Kerberos debugs
    •  show aaa kerberos - shows the Kerberos transaction status
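
    As an added example (not from this article or from the ASA itself), a small Python pre-flight checker that reads `show run aaa-server` output for the realm-case problem in item 2 and compares the ASA and domain-controller clocks against the 300-second limit in item 1. The host address, realm and timestamps are constructed sample values.

```python
import re
from datetime import datetime

MAX_SKEW_SECONDS = 300  # KDC rejects requests once the clocks differ by more than this

# Constructed sample of `show run aaa-server` output; the realm is deliberately lowercase.
SAMPLE_AAA_CONFIG = """\
aaa-server KERBEROS protocol kerberos
aaa-server KERBEROS (inside) host 192.0.2.10
 kerberos-realm realm.cisco.com
"""


def parse_aaa_servers(config: str) -> dict:
    """Return {group: {"protocol": str|None, "hosts": [...], "realm": str|None}}."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"aaa-server (\S+) protocol (\S+)$", line)
        if m:  # group definition line
            current = groups.setdefault(m.group(1), {"protocol": None, "hosts": [], "realm": None})
            current["protocol"] = m.group(2)
            continue
        m = re.match(r"aaa-server (\S+) \((\S+)\) host (\S+)$", line)
        if m:  # host line; realm lines that follow belong to this group
            current = groups.setdefault(m.group(1), {"protocol": None, "hosts": [], "realm": None})
            current["hosts"].append(m.group(3))
            continue
        m = re.match(r"kerberos-realm (\S+)$", line)
        if m and current is not None:
            current["realm"] = m.group(1)
    return groups


def realm_findings(groups: dict) -> list:
    """Report Kerberos groups with a missing realm or a realm that is not all uppercase."""
    findings = []
    for name, g in groups.items():
        if g["protocol"] != "kerberos":
            continue
        if g["realm"] is None:
            findings.append(f"{name}: no kerberos-realm configured")
        elif g["realm"] != g["realm"].upper():
            findings.append(f"{name}: realm {g['realm']!r} must be uppercase ({g['realm'].upper()})")
    return findings


def clock_skew(asa_time_iso: str, dc_time_iso: str) -> tuple:
    """Return (skew_seconds, ok) for two ISO 8601 timestamps that carry UTC offsets."""
    skew = abs((datetime.fromisoformat(asa_time_iso) - datetime.fromisoformat(dc_time_iso)).total_seconds())
    return skew, skew <= MAX_SKEW_SECONDS
```

    Because the skew is computed from timestamps with offsets, a device whose wall clock reads right but whose time zone is wrong still shows up as out of sync.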

    On Windows Server 2008, to check the time go to Start | Run | right-click on it | Run as administrator | type "time". This shows you the current time and gives you the option to change it; hit Return if you don't need any changes.

    Use the TAC Service Request Tool in order to open a case with Cisco Technical Support to further troubleshoot this issue.