Kdc_err_preauth_required

My boss just noticed these being logged in ExtraHop and wants me to investigate.


Everything I’ve read about this indicates that it is normal operation for Kerberos. Via Microsoft itself…

"KDC_ERR_PREAUTH_REQUIRED is returned on the initial Kerberos AS request. By default, the Windows Kerberos Client is not including pre-authentication information in this first request. The response contains information about the supported encryption types on the KDC, and in case of AES, the salts to be used to encrypt the password hashes with.

Recommendation: Always ignore this error code."

My boss doesn’t accept that explanation and wants me to find out why it is suddenly happening, so I’m in a bit of a pickle. Is it really something that could indicate that a brute force attempt is happening? On one account it has happened 460 times in the last 6 hours, but considering it’s a very active service account that is probably constantly in use, that doesn’t seem like an unusually high number of attempts. Not to mention the account hasn’t been locked out during the entire time or even had a single bad password attempt. I have a lockout tool that can check for that.

Sooooooo… Can anyone advise me here? What can I tell my boss that would satisfy him? Is it possible to just turn logging for this particular error off in ExtraHop?

I am not the ExtraHop admin and do not have access to the ExtraHop console.
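As an added illustration (not from this thread and not ExtraHop's own output), the distinction the poster is asking about can be encoded directly in a triage rule: 0x19 KDC_ERR_PREAUTH_REQUIRED is the KDC's normal first-round reply and is only tallied, while 0x18 KDC_ERR_PREAUTH_FAILED (the code a wrong password actually produces) is what gets counted against a burst threshold. The record format, account names and timestamps below are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real ExtraHop output):
# "<timestamp> <client principal> <Kerberos result code>".
SAMPLE = """\
2024-03-01T08:00:01Z svc_sql@CORP.LOCAL 0x19
2024-03-01T08:00:01Z svc_sql@CORP.LOCAL 0x0
2024-03-01T08:00:07Z svc_sql@CORP.LOCAL 0x19
2024-03-01T08:01:00Z jdoe@CORP.LOCAL 0x19
2024-03-01T08:01:00Z jdoe@CORP.LOCAL 0x18
2024-03-01T08:01:02Z jdoe@CORP.LOCAL 0x18
2024-03-01T08:01:04Z jdoe@CORP.LOCAL 0x18
2024-03-01T08:01:06Z jdoe@CORP.LOCAL 0x18
2024-03-01T08:01:08Z jdoe@CORP.LOCAL 0x18
"""
PREAUTH_REQUIRED = 0x19  # KDC_ERR_PREAUTH_REQUIRED: normal first-round reply
PREAUTH_FAILED = 0x18    # KDC_ERR_PREAUTH_FAILED: the client sent a wrong key

def parse(text):
    """Parse the constructed line format into (timestamp, principal, code)."""
    records = []
    for line in text.splitlines():
        ts, principal, code = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        records.append((when, principal, int(code, 16)))
    return records

def triage(records, window=timedelta(minutes=5), threshold=5):
    """Return (noise, alerts): noise counts 0x19 per account and is never
    alerted on; alerts maps accounts with >= threshold 0x18 failures inside
    any `window` to the size of the burst that tripped the rule."""
    noise = Counter()
    failures = defaultdict(list)
    for when, principal, code in records:
        if code == PREAUTH_REQUIRED:
            noise[principal] += 1
        elif code == PREAUTH_FAILED:
            failures[principal].append(when)
    alerts = {}
    for principal, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[principal] = end - start + 1
                break
    return dict(noise), alerts
```

The busy service account ends up only in the noise tally, which is the situation described above (many 0x19 replies, no bad-password events, no lockout); only the account accumulating 0x18 failures is raised.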

So we see this in our environment a lot as well, and most times it can be ignored. Kind of like a 401 response from a web server: in some cases it is not a bad thing, as it is sending back how you can auth with it, and is normal. What is interesting (and I have not dug into this a lot lately) is I thought ExtraHop had at one point taken into account the first preauth failure and ignored it. But I could be wrong. I would spend some time checking that service account and be sure it does not have other issues and Kerberos is configured correctly. Make sure proper SPNs are in use as well. And I would want to compare it to other things. Also, what changed for the error to start showing up? Is this a new service account? Did the password recently change? Are there other security changes that have recently been made that may be amplifying it?


Thanks for the quick response. It’s an account that’s been around for a long time and the password hasn’t changed recently. I would not expect there to have been any changes in our Kerberos implementation recently either. We do have SPNs set for all our SQL connections, and our DBAs usually notify us if an SPN has to be reset. The only other thing that stands out is that our DCs are Server 2012 R2, but that wouldn’t explain why it suddenly started just now.

Thanks for your input. You’ve given me some things to think about and look at. :)

You also may want to look at recent patching. Microsoft is adding a lot of security around authentication due to several vulnerabilities. Again, not sure, as I see this in our environment as well; as a matter of fact, I just looked and had a decent number of these errors. And it is on our list to investigate further, but lower priority. You know how that goes.

And just a note: this is expected, as you said before.
https://serverfault.com/questions/436450/0x19-kdc-err-preauth-required-in-my-event-log
https://answers.microsoft.com/en-us/windows/forum/windows_7-security/error-code-0x19-kdcerrpreauthrequired/ed5fc1db-6a44-4b16-b6b6-5f55e07c9ca4
If your boss does not agree, get him to pay for a case from Microsoft and have them send you documentation explaining it. I just did some research on our environment and this is very common and normal behaviour. Just like a 401 response from a web server sending what type of auth you can use.
