I have a brand-new problem that just cropped up on my ASA. We are using Kerberos authentication for console, ASA, and ASDM access. When anyone tries to log in, our domain controller logs a Security Event ID 675 with failure code 0x19 (pre-authentication failed) and login is denied. (The ASA sends a SA-6-113005 syslog message out.)
On Friday I hard-booted the ASA and after it came back up, the problem was gone, so I chalked it up to gremlins. But now it's back! I'm totally stumped! I hope someone can help.
Explanation - This is an indication that either an authentication or authorization request for a user associated with an IPSec or WebVPN connection has been rejected. Details of why the request was rejected are provided in the reason field. server_IP_address is the IP address of the relevant AAA server. user is the user name associated with the connection. aaa_operation is either authentication or authorization.
Check if pre-authentication on the Active Directory (AD) is disabled, or it can lead to user authentication failure. If it is not disabled, please disable the same to avoid the errors. One frequent cause of authentication failure is clock skew. Be sure that the clocks on the PIX or ASA and your authentication server are synchronized.
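An added example, not part of the original thread and not Cisco's code: a Python script that parses 113005 rejections and marks an AAA server that is rejecting several different users, the "anyone who logs in fails" pattern from the question. The log lines are constructed, and the field layout (`reason = ... : server = ... : user = ...`) and the `min_users` threshold are assumptions that may need adjusting for your ASA release.

```python
import re
from collections import defaultdict

# Constructed sample lines. The field layout is an assumption based on the
# fields named in the explanation above; adjust PATTERN to your ASA release.
SAMPLE_LOG = """\
Mar 12 09:01:02 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 192.0.2.10 : user = alice
Mar 12 09:01:40 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 192.0.2.10 : user = bob
Mar 12 09:02:15 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = AAA failure : server = 192.0.2.10 : user = carol
Mar 12 09:03:00 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 192.0.2.20 : user = dave
Mar 12 09:03:05 fw1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 192.0.2.20 : user = dave
Mar 12 09:04:00 fw1 %ASA-6-302013: Built outbound TCP connection 1 for outside:198.51.100.5/443
"""

# Tolerates ':' or ',' before the user field and 'User'/'user' spelling.
PATTERN = re.compile(
    r"%ASA-6-113005: AAA user (?P<op>authentication|authorization) Rejected\s*:"
    r"\s*reason = (?P<reason>.*?)\s*:\s*server = (?P<server>[^\s:,]+)"
    r"\s*[:,]\s*[Uu]ser = (?P<user>\S+)"
)

def parse_rejections(text):
    """Return one dict (op, reason, server, user) per 113005 line."""
    return [m.groupdict() for m in PATTERN.finditer(text)]

def summarize(records, min_users=3):
    """Group rejections by AAA server.

    A server that rejects at least min_users different accounts is marked
    systemic: check clock sync and the server itself before blaming users.
    """
    by_server = defaultdict(list)
    for rec in records:
        by_server[rec["server"]].append(rec["user"])
    return {
        server: {
            "rejections": len(users),
            "users": sorted(set(users)),
            "systemic": len(set(users)) >= min_users,
        }
        for server, users in by_server.items()
    }

if __name__ == "__main__":
    for server, info in summarize(parse_rejections(SAMPLE_LOG)).items():
        flag = "SYSTEMIC" if info["systemic"] else "per-user"
        print(f"{server}: {info['rejections']} rejected, {flag}, users={info['users']}")
```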
Re: Locked out of ASA with Kerberos authentication
Thanks for the message. I opened a case with TAC a few days ago and was told that the symptoms I'm seeing are consistent with bug ID CSCsi32224. There's no workaround currently, but it goes away after a reboot for a while. In the meantime, I've configured the ASA for local authentication instead.