3.1.5.1 Pre-authentication Data

Pre-authentication ([RFC4120] sections 3.1.1, 5.4.1, and 5.2.7) is an extensibility point for the Kerberos V5 protocol. Pre-authentication is performed by supplying one or more pre-authentication messages in the PA-data field of the AS-REQ and AS-REP messages.

KILE supports the following pre-authentication types described in ([RFC4120] section 7.5.2):

  • PA-TGS-REQ [1]

  • PA-ENC-TIMESTAMP [2]

  • PA-ETYPE-INFO [11]

  • PA-PK-AS-REQ_OLD [14]

  • PA-PK-AS-REP_OLD [15]

  • PA-PK-AS-REQ [16]

  • PA-PK-AS-REP [17]

  • PA-ETYPE-INFO2 [19]

  • PA-PAC-REQUEST [128]

KILE supports the following pre-authentication types described in ([Referrals-11] Appendix A):

  • PA-SVR-REFERRAL-INFO [20]

KILE supports the following pre-authentication types added in [RFC6113] section 7.1:

  • PA-FX-COOKIE [133]

  • PA-FX-FAST [136]

  • PA-FX-ERROR [137]

  • PA-ENCRYPTED-CHALLENGE [138]

KILE adds the following pre-authentication types:

Unknown pre-authentication types MUST be ignored by KDCs.

When clients perform a password-based initial authentication, they MUST supply the PA-ENC-TIMESTAMP pre-authentication type when they construct the initial AS request. They SHOULD request, via the PA-PAC-REQUEST pre-authentication type, that a privilege attribute certificate (PAC) be included in issued tickets.

If the KDC does not receive the required pre-authentication message in the AS exchange, an error MUST be returned to the client. The exact error depends on what pre-authentication types were supplied.
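The rules above can be checked against the padata field of a captured AS-REQ. The following is an added example, not code from the specification or from Microsoft: it walks a DER-encoded SEQUENCE OF PA-DATA (RFC 4120 section 5.2.7), extracts each padata-type, and reports which types this page lists, which a KDC would ignore as unknown, and whether PA-ENC-TIMESTAMP and PA-PAC-REQUEST are present. The function names, the lookup table (limited to the types listed on this page) and the two sample byte strings are assumptions constructed for illustration.

```python
# Type numbers and names exactly as listed on this page; nothing else is added.
KILE_PA_TYPES = {
    1: "PA-TGS-REQ", 2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO",
    14: "PA-PK-AS-REQ_OLD", 15: "PA-PK-AS-REP_OLD", 16: "PA-PK-AS-REQ",
    17: "PA-PK-AS-REP", 19: "PA-ETYPE-INFO2", 20: "PA-SVR-REFERRAL-INFO",
    128: "PA-PAC-REQUEST", 133: "PA-FX-COOKIE", 136: "PA-FX-FAST",
    137: "PA-FX-ERROR", 138: "PA-ENCRYPTED-CHALLENGE",
}

def read_tlv(buf, pos, want):
    """Read one DER TLV at pos, require tag `want`, return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError(f"expected tag {want:#x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos:pos + length], pos + length

def padata_types(der):
    """padata-type numbers from a DER SEQUENCE OF PA-DATA (RFC 4120 5.2.7)."""
    body, _ = read_tlv(der, 0, 0x30)
    types, pos = [], 0
    while pos < len(body):
        item, pos = read_tlv(body, pos, 0x30)     # one PA-DATA
        wrapped, _ = read_tlv(item, 0, 0xA1)      # padata-type [1]
        number, _ = read_tlv(wrapped, 0, 0x02)    # INTEGER
        types.append(int.from_bytes(number, "big", signed=True))
    return types

def review_padata(der):
    """Summarise an AS-REQ padata field against the rules on this page."""
    types = padata_types(der)
    return {
        "recognized": [KILE_PA_TYPES[t] for t in types if t in KILE_PA_TYPES],
        "unknown": [t for t in types if t not in KILE_PA_TYPES],  # ignored, not an error
        "has_enc_timestamp": 2 in types,    # MUST for password-based AS-REQ
        "has_pac_request": 128 in types,    # SHOULD
    }

# Constructed samples (placeholder padata-values, not captured traffic).
WITH_TIMESTAMP = bytes.fromhex(
    "302b300aa103020102a2030401003011a10402020080a20904073005a0030101ff"
    "300aa104020203e7a2020400")
PAC_ONLY = bytes.fromhex("30133011a10402020080a20904073005a0030101ff")
```

`review_padata(PAC_ONLY)` reports `has_enc_timestamp` as false, which is the case the last paragraph describes: a password-based AS-REQ arriving without the required pre-authentication message.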

© 2015 Microsoft