We have two different applications in our network; both use Kerberos to authenticate users. One of them causes problems when the max. ticket lifetime has expired.
Successful request with application x:
AS-REQ =>
<= KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ =>
<= AS-REP
Unsuccessful request with application y:
AS-REQ =>
<= KRB5KDC_ERR_PREAUTH_REQUIRED
AS-REQ =>
<= KRB5KDC_ERR_PREAUTH_FAILED
The only difference we can see in network captures is that app x uses NT-PRINCIPAL, while app y uses NT-ENTERPRISE. App y runs on Java 1.6, so the preauth bug from earlier versions shouldn't occur.
Any ideas are highly appreciated.
I think that the solution to this issue was to re-generate our keytabs with the "/crypto All" option, but I'm not 100% sure. At least we had no more complaints after that.