Cisco Support Community

New Member

Kerberos pre-authentication issues - why now?

Hi all,

We recently put up a new Windows 2003 Active Directory domain controller to replace a de-commissioned Windows 2000 DC.  When my VPN users try to authenticate to it using Kerberos, they are getting rejected with a pre-authentication failed error.  I know that this is a common issue with the ASA, and TAC has confirmed that there's no solution for it yet.  However, we have another W2K3 DC that has never had this issue.  So why now?  Why this new DC?  What's the difference between my DCs where one can authenticate a user with pre-authentication enabled and one can't?

Any help or information that I can get would be helpful.


- Steve

Cisco Employee

Re: Kerberos pre-authentication issues - why now?

Hi Steve,

Pre-authentication on the Active Directory (AD) should be disabled or it can lead to user authentication failure.

You can check the Kerberos authentication example for the same.



Please rate helpful posts.

~BR Jatin Katyal **Do rate helpful posts**
New Member

Re: Kerberos pre-authentication issues - why now?

Hi JK,

Thanks for the reply.

Right, I understand that, and TAC directed me to the same document.  But we have an existing domain controller that we are currently using to authenticate against; pre-authentication is enabled, and it works fine.  It's only the NEW domain controller that has this problem.  So I'm trying to figure out what the difference is!

I would rather NOT disable pre-authentication for all VPN users if possible - there are a lot of them and it lessens the security of Active Directory.


- Steve
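
The concern raised above is how many accounts end up exempt from pre-authentication. As an added example (not part of the thread and not Cisco's or Microsoft's code), this Python script reads an LDIF-style export of `sAMAccountName` and `userAccountControl` and lists the accounts that carry the "do not require Kerberos preauthentication" flag, so any exemption can be reviewed and kept to the smallest set. The account names, DNs and the sample export are constructed for illustration.

```python
# userAccountControl bit values as documented by Microsoft.
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed sample export (hypothetical accounts), "attribute: value" per line.
SAMPLE_LDIF = """\
dn: CN=VPN User One,OU=VPN,DC=example,DC=local
sAMAccountName: vpnuser1
userAccountControl: 4194816

dn: CN=VPN User Two,OU=VPN,DC=example,DC=local
sAMAccountName: vpnuser2
userAccountControl: 512

dn: CN=Old Contractor,OU=VPN,DC=example,DC=local
sAMAccountName: contractor9
userAccountControl: 4194818

dn: CN=No UAC,OU=VPN,DC=example,DC=local
sAMAccountName: brokenentry
"""

def parse_records(ldif_text):
    """Split LDIF text into dicts, one per blank-line-separated record."""
    records = []
    for block in ldif_text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                rec[key] = value.strip()
        if rec:
            records.append(rec)
    return records

def preauth_disabled(ldif_text):
    """Return (account, is_enabled) for every account exempt from pre-auth."""
    findings = []
    for rec in parse_records(ldif_text):
        try:
            uac = int(rec["userAccountControl"])
        except (KeyError, ValueError):
            continue  # no usable flags in this record; skip rather than guess
        if uac & UF_DONT_REQUIRE_PREAUTH:
            name = rec.get("sAMAccountName", rec.get("dn", "?"))
            findings.append((name, not (uac & UF_ACCOUNTDISABLE)))
    return findings

if __name__ == "__main__":
    print(preauth_disabled(SAMPLE_LDIF))
```

Enabled accounts in the result are the ones that matter most for review; disabled ones with the flag set are leftovers worth cleaning up.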