On Mon, Sep 30, 2013 at 03:20:46PM +0100, Mohan Cheema wrote: > Hi, > > > > We are trying to authenticate from Windows machine and getting below error. > > > > -------------------- > Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18 > 17 23 3 1 24 -135}) 10.43.2.45: NEEDED_PREAUTH: u...@domain.com for > krbtgt/domain....@domain.com, Additional pre-authentication required
This is expected behaviour. The client will first send the AS-REQ without any pre-authentication data. If the server requires pre-authentication for this principal it will return this error to the client to indicate that pre-authentication is expected. > > Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18 > 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes {rep=18 > tkt=18 ses=18}, u...@domain.com for krbtgt/domain....@domain.com In the second AS-REQ the client has included some pre-authentication data which is accepted by the KDC and a ticket is issued to the client. HTH bye, Sumit > > Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): TGS_REQ (7 etypes {18 > 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes {rep=18 > tkt=23 ses=23}, u...@domain.com for host/av.domain....@domain.com > -------------------- > > > > We followed the instruction to integrate windows for authentication. > > > > Windows Client: Windows server 2008 R2 > > > > We are not able to figure out what the problem is. > > > > We are not using DNS server, instead we are using host file entries. DNS > server setup is not an option for us right now. > > > > Same user can authenticate from Linux machine. > > > > Regards, > > > > Mohan Cheema > > > > _______________________________________________ > Freeipa-users mailing list > Freeipa-users@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-users _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users