Summary
When IWSVA registers with LDAP servers for user/group name authentication, the Active Directory server continuously records Pre-Authentication Failure events in its Security event log.
This issue is related to Kerberos pre-authentication. The pre-authentication process works as follows:
- IWSVA sends a Kerberos AS-REQ without "padata", which the server requires for pre-authentication.
- The AD server determines that this user requires pre-authentication and finds no "padata" in the request.
- The AD server returns an error, KRB5KDC_ERR_PREAUTH_REQUIRED.
- IWSVA receives this error, recognizes that pre-authentication is required, and sends the AS-REQ again with the "padata" that the AD server requires.
- AD server receives this new request and completes the pre-authentication.
For the normal Kerberos authentication process, refer to the following:
Based on this analysis of the process, the AD server will always record a pre-authentication-required event even though this is a normal part of the exchange. You can safely ignore this security event.
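As an added example (not part of the original KB article), the following Python snippet shows how a SOC might triage these events instead of ignoring them wholesale: the expected KDC_ERR_PREAUTH_REQUIRED round trip from the IWSVA account on its known host is counted as noise, while anything else (a different failure code, or the same account from an unexpected host) is kept for review. It assumes the event has been exported as one line per event with the fields shown; the event ID 4771 and the hex failure codes follow Windows Security log conventions, and the sample lines are constructed.

```python
# Added example: triage Windows Security events 4771 (Kerberos pre-authentication failed)
# so that the expected KDC_ERR_PREAUTH_REQUIRED (0x19) round trip from the IWSVA account
# is separated from genuine failures such as KDC_ERR_PREAUTH_FAILED (0x18, wrong password).
# Event ID, field layout and failure codes are my assumptions about an exported log;
# the KB article itself names none of them. All sample events below are constructed.
import re
from collections import Counter

# Kerberos error codes (RFC 4120) as Windows reports them in the Failure Code field.
KDC_ERR_PREAUTH_FAILED = 0x18    # pre-auth data present but wrong (bad password/key)
KDC_ERR_PREAUTH_REQUIRED = 0x19  # AS-REQ carried no padata; client retries with it

# Constructed sample of exported 4771 events (not real data).
SAMPLE_EVENTS = """\
EventID=4771 AccountName=iwsva-ldap ClientAddress=10.0.0.5 FailureCode=0x19
EventID=4771 AccountName=iwsva-ldap ClientAddress=10.0.0.5 FailureCode=0x19
EventID=4771 AccountName=jdoe ClientAddress=10.0.0.42 FailureCode=0x18
EventID=4771 AccountName=iwsva-ldap ClientAddress=10.0.0.99 FailureCode=0x19
EventID=4768 AccountName=jdoe ClientAddress=10.0.0.42 FailureCode=0x0
"""

EVENT_RE = re.compile(
    r"EventID=(\d+) AccountName=(\S+) ClientAddress=(\S+) FailureCode=0x([0-9a-fA-F]+)"
)

def triage(events: str, service_account: str, service_hosts: set) -> dict:
    """Bucket 4771 events into expected pre-auth negotiation vs. events needing review."""
    expected, suspicious = Counter(), []
    for line in events.splitlines():
        m = EVENT_RE.match(line)
        if not m or m.group(1) != "4771":
            continue  # not a pre-authentication failure event
        account, client, code = m.group(2), m.group(3), int(m.group(4), 16)
        # The documented noise: the IWSVA account, from its known host, getting 0x19.
        if (code == KDC_ERR_PREAUTH_REQUIRED and account == service_account
                and client in service_hosts):
            expected[(account, client)] += 1
        else:
            # Any other failure code, or the service account from an unknown host.
            suspicious.append({"account": account, "client": client, "code": code})
    return {"expected": dict(expected), "suspicious": suspicious}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, "iwsva-ldap", {"10.0.0.5"}))
```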
However, if you want to stop these events from being logged for the admin account that IWSVA uses, you can disable Kerberos pre-authentication for that account. Note that this removes the proof-of-password step from the initial ticket request, so keep that account's password strong and its privileges minimal.
- In AD, go to the property of the admin account.
- Click the Account tab.
- Under the Account options section, tick the "Do not require Kerberos preauthentication" check box.