Pre-authentication Data

Pre-authentication ([RFC4120] sections 3.1.1, 5.4.1, and 5.2.7) is an extensibility point for the Kerberos V5 protocol. Pre-authentication is performed by supplying one or more pre-authentication messages in the PA-data field of the AS-REQ and AS-REP messages.

KILE supports the following pre-authentication types described in ([RFC4120] section 7.5.2):

  • PA-TGS-REQ [1]


  • PA-ETYPE-INFO [11]

  • PA-PK-AS-REQ_OLD [14]

  • PA-PK-AS-REP_OLD [15]

  • PA-PK-AS-REQ [16]

  • PA-PK-AS-REP [17]

  • PA-ETYPE-INFO2 [19]

  • PA-PAC-REQUEST [128]

KILE supports the following pre-authentication types described in ([Referrals-11] Appendix A):


KILE supports the following pre-authentication types added in [RFC6113] section 7.1:

  • PA-FX-COOKIE [133]

  • PA-FX-FAST [136]

  • PA-FX-ERROR [137]


KILE adds the following pre-authentication types:

Unknown pre-authentication types MUST be ignored by KDCs.

When clients perform a password-based initial authentication, they MUST supply the PA-ENC-TIMESTAMP pre-authentication type when they construct the initial AS request. They SHOULD request, via the PA-PAC-REQUEST pre-authentication type, that a privilege attribute certificate (PAC) be included in issued tickets.

If the KDC does not receive the required pre-authentication message in the AS exchange, an error MUST be returned to the client. The exact error depends on what pre-authentication types were supplied.
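The rules above, applied to the PA-data field of an AS-REQ, as an added example that is not part of the original specification text. The function names are hypothetical, the value 2 for PA-ENC-TIMESTAMP is taken from RFC 4120 rather than from the list above, the timestamp check assumes a password-based logon, and the sample bytes are constructed.

```python
KNOWN = {1: "PA-TGS-REQ", 2: "PA-ENC-TIMESTAMP",  # 2 is from RFC 4120 (assumption)
         11: "PA-ETYPE-INFO", 14: "PA-PK-AS-REQ_OLD", 15: "PA-PK-AS-REP_OLD",
         16: "PA-PK-AS-REQ", 17: "PA-PK-AS-REP", 19: "PA-ETYPE-INFO2",
         128: "PA-PAC-REQUEST", 133: "PA-FX-COOKIE", 136: "PA-FX-FAST", 137: "PA-FX-ERROR"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def expect(buf, pos, want):
    """Read one TLV and require its tag; return (value, next_pos)."""
    tag, value, nxt = read_tlv(buf, pos)
    if tag != want:
        raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
    return value, nxt

def parse_padata(der):
    """Return [(padata-type, padata-value)] from a DER SEQUENCE OF PA-DATA."""
    body, _ = expect(der, 0, 0x30)
    items, pos = [], 0
    while pos < len(body):
        entry, pos = expect(body, pos, 0x30)      # one PA-DATA SEQUENCE
        wrapped, nxt = expect(entry, 0, 0xA1)     # padata-type  [1]
        ptype, _ = expect(wrapped, 0, 0x02)       # INTEGER
        wrapped, _ = expect(entry, nxt, 0xA2)     # padata-value [2]
        value, _ = expect(wrapped, 0, 0x04)       # OCTET STRING
        items.append((int.from_bytes(ptype, "big", signed=True), value))
    return items

def review_as_req(der):
    """Skip unknown types (they MUST be ignored) and check for PA-ENC-TIMESTAMP."""
    types = [t for t, _ in parse_padata(der)]
    return {"recognized": [KNOWN[t] for t in types if t in KNOWN],
            "ignored": [t for t in types if t not in KNOWN],
            "missing_enc_timestamp": 2 not in types}  # password logon assumed

# Constructed sample: types 2, 128 and unassigned 9999, each with a dummy 1-byte value.
SAMPLE = bytes.fromhex("3026300aa103020102a203040100300ba10402020080a203040100"
                       "300ba1040202270fa203040100")
```

A malformed or truncated PA-data field raises `ValueError` instead of being partially classified, so a caller can treat the request as unparseable rather than as one that merely lacks pre-authentication.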

© 2015 Microsoft