When IWSVA registers to LDAP servers for user/group name authentication, the Active Directory server continuously receives Pre-Authentication Failure events in Security event log.
This issue is related to pre-authentication. This is the pre-authentication process:
- IWSVA sends a Kerberos AS-REQ without "padata", which is required by server for pre-authentication.
- AD server realizes this user requires "pre-authentication" and finds no "padata" in the request.
- AD server returns an error, which is
- IWSVA receives this message and realizes the pre-authentication is required, then it sends AS-REQ again with “padata”, which the AD requires for pre-authentication.
- AD server receives this new request and completes the pre-authentication.
For the normal Kerberos authentication process, refer to the following:
Based on an analysis of the process, the AD server will always record an event for pre-authentication required while it is a normal process. You can safely ignore this security event.
However, if you want to disable logging of the pre-authentication events for the admin account that IWSVA uses:
- In AD, go to the property of the admin account.
- Click the Account tab.
- Under Account options section, tick the Do not require Kerberos pre-authentication check box.