Locked out of ASA with Kerberos authentication

Unanswered Question
Nov 11th, 2008

Hi all,

I have a brand-new problem that just cropped up on my ASA. We are using Kerberos authentication for console, ASA, and ASDM access. When anyone tries to log in, our domain controller logs a Security Event ID 675 with failure code 0x19 (pre-authentication failed) and login is denied. (The ASA sends an ASA-6-113005 syslog message out.)

On Friday I hard-booted the ASA and after it came back up, the problem was gone, so I chalked it up to gremlins. But now it's back! I'm totally stumped! I hope someone can help.


- Steve

hadbou Mon, 11/17/2008 - 14:53

Error Message - %PIX|ASA-6-113005: AAA user authentication Rejected: reason = string: server = server_IP_address, User = user

Explanation - This is an indication that either an authentication or authorization request for a user associated with an IPSec or WebVPN connection has been rejected. Details of why the request was rejected are provided in the reason field. server_IP_address is the IP address of the relevant AAA server. user is the user name associated with the connection. aaa_operation is either authentication or authorization.

Check if pre-authentication on the Active Directory (AD) is disabled, or it can lead to user authentication failure. If it is not disabled, please disable the same to avoid the errors. One frequent cause of authentication failure is clock skew. Be sure that the clocks on the PIX or ASA and your authentication server are synchronized.
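
Added example, not part of any post in this thread: a small parser for the 113005 rejection message quoted above that groups rejections by AAA server, to separate the "every user fails against one server" pattern described in the question from ordinary per-user failures. The sample log lines, the `min_users` threshold and the loose separator matching are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the 113005 template quoted above; separators and case are matched
# loosely (an assumption) because the template mixes ":" and "," delimiters.
REJECT_RE = re.compile(
    r"%(?:PIX|ASA)-6-113005: AAA user authentication Rejected\s*:\s*"
    r"reason\s*=\s*(?P<reason>.*?)\s*:\s*"
    r"server\s*=\s*(?P<server>\S+?)\s*[,:]\s*"
    r"user\s*=\s*(?P<user>\S+)",
    re.IGNORECASE,
)

# Constructed sample lines (not from the thread); documentation address range.
SAMPLE = [
    "Nov 11 2008 09:14:02: %ASA-6-113005: AAA user authentication Rejected: "
    "reason = AAA failure: server = 192.0.2.10, User = steve",
    "Nov 11 2008 09:14:40: %ASA-6-113005: AAA user authentication Rejected: "
    "reason = AAA failure: server = 192.0.2.10, User = alice",
    "Nov 11 2008 09:15:05: %ASA-6-113005: AAA user authentication Rejected: "
    "reason = AAA failure: server = 192.0.2.10, User = bob",
    "Nov 11 2008 09:16:11: %ASA-6-113005: AAA user authentication Rejected : "
    "reason = AAA failure : server = 192.0.2.20 : user = carol",
    "Nov 11 2008 09:16:30: %ASA-6-113005: AAA user authentication Rejected : "
    "reason = AAA failure : server = 192.0.2.20 : user = Carol",
    "Nov 11 2008 09:17:00: %ASA-6-302013: Built outbound TCP connection",
]


def parse_rejections(lines):
    """Yield (server, user, reason) for every 113005 rejection line."""
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            yield m["server"], m["user"], m["reason"]


def summarize(lines, min_users=3):
    """Group rejections by AAA server and label each server's failure scope.

    Heuristic (assumption): min_users or more distinct users rejected by one
    server points at the server or the device (for example clock skew), not
    at individual credentials.
    """
    by_server = defaultdict(lambda: defaultdict(int))
    for server, user, _reason in parse_rejections(lines):
        by_server[server][user.lower()] += 1
    return {
        server: {
            "scope": "server-wide" if len(users) >= min_users else "per-user",
            "users": dict(users),
        }
        for server, users in by_server.items()
    }
```
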

rstevek Tue, 11/18/2008 - 06:42

Thanks for the message. I opened a case with TAC a few days ago and was told that the symptoms I'm seeing are consistent with bug ID CSCsi32224. There's no workaround currently, but it goes away after a reboot for a while. In the meantime, I've configured the ASA for local authentication instead.


- Steve

