Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Locked out of ASA with Kerberos authentication

Hi all,

I have a brand-new problem that just cropped up on my ASA. We are using Kerberos authentication for console, ASA, and ASDM access. When anyone tries to log in, our domain controller logs a Security Event ID 675 with failure code 0x19 (pre-authentication failed) and login is denied. (The ASA sends a SA-6-113005 syslog message out.)

On Friday I hard-booted the ASA and after it came back up, the problem was gone, so I chalked it up to gremlins. But now it's back! I'm totally stumped! I hope someone can help.

Thanks,

- Steve

2 REPLIES
Bronze

Re: Locked out of ASA with Kerberos authentication

Error Message - %PIX|ASA-6-113005: AAA user authentication Rejected: reason = string:

server = server_IP_address, User = user

Explanation - This is an indication that either an authentication or authorization request for a user associated with an IPSec or WebVPN connection has been rejected. Details of why the request was rejected are provided in the reason field. server_IP_address is the IP address of the relevant AAA server. user is the user name associated with the connection. aaa_operation is either authentication or authorization.

Check if Pre-authentication on the Active Directory (AD) is disabled or it can lead to user authentication failure.If its is not disabled please disable the same to avoid the errors.One frequent cause of authentication failure is clock skew. Be sure that the clocks on the PIX or ASA and your authentication server are synchronized.

New Member

Re: Locked out of ASA with Kerberos authentication

Hi,

Thanks for the message. I opened a case with TAC a few days ago and was told that the symptoms I'm seeing are consistent with bug ID CSCsi32224. There's no workaround currently, but it goes away after a reboot for a while. In the meantime, I'm configured the ASA for local authentication instead.

Thanks,

- Steve

1078
Views
0
Helpful
2
Replies
CreatePlease to create content