Hello,
I'm trying to get a Juniper IVE (VPN SSL) box working with Kerberos pre-authentication and a Windows AD domain. We are having account lockout problems.

After looking at the network traffic, it seems that if someone enters a wrong password, the Juniper box, when trying to authenticate with pre-authorization, sends another AS request to the same KDC after receiving a pre-auth failed message from the server. This causes two failed log-in attempts to be logged for the particular Windows account, even though the user thinks he only tried once.

From what I can understand, the Juniper box should first try the master KDC and then the slave KDC (the Juniper box has the address of two DCs configured), but not the same one twice. I've looked everywhere (including this list) about how many times a client should try to pre-authenticate after it receives an error message and I just can't find the info.

Can someone tell me if this is normal behavior or if I should contact Juniper to tell them they have a bug?

Thanks,
Anita
