
OUD-AD-Kerberos Error "Additional pre-authentication required" Indicates Second Retry Required for Successful Authentication (Doc ID 1910358.1)

Last updated on APRIL 03, 2023

Applies to:

Oracle Unified Directory - Version 11.1.2.1.0 and later
Information in this document applies to any platform.

Goal

1. Problem Description


After installing MS AD patch KB2927811, some OUD error messages appear throughout the error log. Authentication is working.

However, Kerberos pre-authentication fails while OUD is authenticating against MS AD using Kerberos.
A 2nd retry is necessary for successful authentication:

>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Thu Jun 19 14:32:12 CEST 2014 1403181132000
suSec is 171939
error code is 25
error Message is Additional pre-authentication required
realm is <DOMAIN>
sname is krbtgt/<DOMAIN>
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23
PA-ETYPE-INFO salt =
PA-ETYPE-INFO etype = 3
PA-ETYPE-INFO salt = <DOMAIN_SALT>
PA-ETYPE-INFO etype = 1
PA-ETYPE-INFO salt = <DOMAIN_SALT>
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
default etypes for default_tkt_enctypes: 18 17 23 3 1.
>>>KrbAsReq salt is <DOMAIN_SALT>
default etypes for default_tkt_enctypes: 18 17 23 3 1.
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=<HOSTNAME>.<DOMAIN> TCP:88, timeout=30000, number of retries =3, #bytes=235
>>> KDCCommunication: kdc=<HOSTNAME>.<DOMAIN> TCP:88, #bytes=235
>>>DEBUG: TCPClient reading 2203 bytes
>>> KrbKdcReq send: #bytes read=2203
>>> KrbKdcReq send: #bytes read=2203
>>> KdcAccessibility: remove <HOSTNAME>.<DOMAIN>
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply <REPLY>
default etypes for default_tkt_enctypes: 18 17 23 3 1.
default etypes for default_tkt_enctypes: 18 17 23 3 1.
default etypes for default_tkt_enctypes: 18 17 23 3 1.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=<HOSTNAME>.<DOMAIN> TCP:88, timeout=30000, number of retries =3, #bytes=157
>>> KDCCommunication: kdc=<HOSTNAME>.<DOMAIN> TCP:88, #bytes=157
>>>DEBUG: TCPClient reading 224 bytes
>>> KrbKdcReq send: #bytes read=224
>>> KrbKdcReq send: #bytes read=224
>>> KdcAccessibility: remove <HOSTNAME>.<DOMAIN>
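
The following Python is an added example, not part of the Oracle document or of OUD. It parses JDK Kerberos debug output like the trace above and reports whether error code 25 (KDC_ERR_PREAUTH_REQUIRED in RFC 4120) was followed by the client re-sending the AS-REQ with PA_ENC_TIMESTAMP, and which encryption types were involved. The function names are hypothetical, and SAMPLE is an excerpt of the trace above with its placeholders.

```python
import re

KDC_ERR_PREAUTH_REQUIRED = 25  # RFC 4120 error code
# Kerberos encryption type numbers that appear in the trace
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Excerpt of the trace shown above (placeholders as on the page)
SAMPLE = """\
>>>KRBError:
error code is 25
error Message is Additional pre-authentication required
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23
PA-ETYPE-INFO etype = 3
PA-ETYPE-INFO etype = 1
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
default etypes for default_tkt_enctypes: 18 17 23 3 1.
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> KrbKdcReq send: kdc=<HOSTNAME>.<DOMAIN> TCP:88, timeout=30000, number of retries =3, #bytes=235
"""

def summarize_as_exchange(trace):
    """Collect the fields of one AS exchange from JDK krb5 debug output."""
    s = {"error_code": None, "kdc_offered": [], "client_defaults": [],
         "preauth_etype": None, "resent": False, "timestamp_added": False}
    for line in trace.splitlines():
        line = line.strip().lstrip(">").strip()
        if m := re.match(r"error code is (\d+)", line):
            s["error_code"] = int(m.group(1))
        elif m := re.match(r"PA-ETYPE-INFO etype = (\d+)", line):
            s["kdc_offered"].append(int(m.group(1)))
        elif m := re.match(r"default etypes for default_tkt_enctypes: ([\d ]+)", line):
            s["client_defaults"] = [int(x) for x in m.group(1).split()]
        elif m := re.match(r"Pre-Authenticat\w+: find key for etype = (\d+)", line):
            s["preauth_etype"] = int(m.group(1))  # the JDK prints "Pre-Authenticaton"
        elif "re-send AS-REQ" in line:
            s["resent"] = True
        elif "Add PA_ENC_TIMESTAMP" in line:
            s["timestamp_added"] = True
    return s

def classify(s):
    """Separate the KDC's pre-auth request plus client retry from other errors."""
    if s["error_code"] != KDC_ERR_PREAUTH_REQUIRED:
        return "other"
    if s["resent"] and s["timestamp_added"]:
        return "preauth-negotiation"
    return "preauth-required-no-retry"
```

For the excerpt, the summary shows the KDC offering etypes 23, 3 and 1 while the client's default list starts with 18 and 17, and the retry using etype 23 (`ETYPES[23]` is rc4-hmac).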

Solution
