3.1.5.1 Pre-authentication Data

Pre-authentication ([RFC4120] sections 3.1.1, 5.4.1, and 5.2.7) is an extensibility point for the Kerberos V5 protocol. Pre-authentication is performed by supplying one or more pre-authentication messages in the padata field of the AS-REQ and AS-REP messages.

KILE supports the following pre-authentication types described in ([RFC4120] section 7.5.2):

  • PA-TGS-REQ [1]

  • PA-ENC-TIMESTAMP [2]

  • PA-ETYPE-INFO [11]

  • PA-PK-AS-REQ_OLD [14]

  • PA-PK-AS-REP_OLD [15]

  • PA-PK-AS-REQ [16]

  • PA-PK-AS-REP [17]

  • PA-ETYPE-INFO2 [19]

  • PA-PAC-REQUEST [128]

KILE supports the following pre-authentication types described in ([Referrals-11] Appendix A):

  • PA-SVR-REFERRAL-INFO [20]

KILE supports the following pre-authentication types added in [RFC6113] section 7.1:

  • PA-FX-COOKIE [133]

  • PA-FX-FAST [136]

  • PA-FX-ERROR [137]

  • PA-ENCRYPTED-CHALLENGE [138]

KILE adds the following pre-authentication types:

  • PA-SUPPORTED-ENCTYPES [165] (section 2.2.8)

  • PA-PAC-OPTIONS [167] (section 2.2.10)

  • KERB-KEY-LIST-REQ [161] (section 2.2.11)<21>

  • KERB-KEY-LIST-REP [162] (section 2.2.12)<22>

Unknown pre-authentication types MUST be ignored by KDCs.

When clients perform a password-based initial authentication, they MUST supply the PA-ENC-TIMESTAMP [2] pre-authentication type when they construct the initial AS request. They can request, via the PA-PAC-REQUEST [128] pre-authentication type, that a privilege attribute certificate (PAC) be included in issued tickets.

If the KDC does not receive the required pre-authentication message in the AS exchange, an error MUST be returned to the client. The exact error depends on what pre-authentication types were supplied.