I often seen network admins look at a network trace and say we have a lot of authentication failures and point to the error – KDC_ERR_PREAUTH_REQUIRED. I have spent time educating on why this is not an authentication failure but instead the default behavior. The KDC (Key Distribution Center) requires all accounts to use pre-authentication. However, pre-authentication can be disabled for individual accounts when necessary for compatibility with other implementations of the protocol.

How to disable pre-authentication?

If the box “Do not require Kerberos pre-authentication” was checked on the user account properties then we would never see the error “KDC_ERR_PREAUTH_REQUIRED” message in a trace. 


 Let us look at the initial user authentication process using network traces.




The above Frame shows you an AS_Request being sent to the domain controller - from Client machine As you observe there is nothing sent along with PaData.

As a result the DC replies with the below error in the below frame – KDC_ERR_PREAUTH_REQUIRED.




So the client then sends the AS_REQUEST again with the pre-authentication data as show in the below frame. – KrbEncTimestamp: Encrypted Time Stamp Pre-Authentication.





As see above the KDC_ERR_PREAUTH_REQUIRED is not exactly an authentication failure. If the Kerberos authentication fails (for example bad password) then you would see “KDC_ERR_PREAUTH_FAILED” in the trace as shown below.



Below is the error you will see in a trace when Authentication fails for the user – Now it’s time you investigate. J

Enable Auditing, and Kerberos logging if required.




 I hope its better understood now and there is enough clarity now when you look at network captures that shows KDC_ERR_PREAUTH_REQUIRED & KDC_ERR_PREAUTH_FAILED frames in network traces.

Comments (8)

  1. JR_MS says:

    @Harmandeep – The Frame 1 shows that the client does not send pre-auth data ( KrnEncTimeStamp ) by default and in fram 3 it sends the pre-auth since it receievd pre-auth required from DC ( Frame 2 ).

  2. JR_MS says:

    @Harmandeep – If you were asking how you can still get a TGT without sending pre-auth data. You will have to go to the user properties and check the box that says Do not require Kerberos pre-authentication. But remember this can break some applications
    like Citrix which does not support it in their XenCenter and XenServer.

    Quick search one line will take you to
    Active Directory Stops Working When Kerberos Pre-Authentication Disabled

  3. Sukhdeep says:

    That makes sense!! Thanks!

  4. Harmandeep says:

    Thanks for sharing valuable information.

    As per FRAME 1, lsass.exe process is AS_REQ with preauth data. How can i set the same i.e. force a client system not to send the preauth data to a discovered d.c. ?

    1. JR_MS says:

      By default the client does not send pre-auth data in Frame 1.

  5. Arasuraja says:

    How do you capture these details. Can you tell me the tool to trace the kerberos authentication.

  6. JR_MS says:

    Hi Arasuraja — You could use netmon or Message Analyzer

  7. itbanana says:


    great article.
    We get the 0x19 KDC_ERR_PREAUTH_REQUIRED Error in a mixed environment (Novell DSFW + WinSrv2xxx – perhaps this is not relevant.

    Authentication works and there are no issues. However, if we enable Kerberos logging, after each user-login an Error is produced that shows very weird Client-Times.
    a) the time is ok on server and client
    b) the times jump around: once it is 1987, then 2031 …

    Do you have any explanation for this?

    Client Time: 16:18:46.0000 3/2/1976 Z
    Server Time: 13:53:18.0000 3/3/2016 Z

Skip to main content