Kerberos pre-authentication issues - why now?

Unanswered Question
Dec 4th, 2009

Hi all,

We recently put up a new Windows 2003 Active Directory domain controller to replace a de-commissioned Windows 2000 DC.  When my VPN users try to authenticate to it using Kerberos, they are getting rejected with a pre-authentication failed error.  I know that this is a common issue with the ASA, and TAC has confirmed that there's no solution for it yet.  However, we have another W2K3 DC that has never had this issue.  So why now?  Why this new DC?  What's the difference between my DCs where one can authenticate a user with pre-authentication enabled and one can't?

Any help or information that I can get would be helpful.


- Steve

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
rstevek Fri, 12/04/2009 - 10:12

Hi JK,

Thanks for the reply.

Right, I understand that, and TAC directed me to the same document.  But we have an existing domain controller that we are currently using the authenicate against; pre-authentication is enabled, and it works fine.  It's only the NEW domain controller that has this problem.  So I'm trying to figure out what the difference is!

I would rather NOT disable pre-authentication for all VPN users if possible - there are a lot of them and it lessens the security of Active Directory.


- Steve


This Discussion