Forum Discussion
Multiple Login Attempts Required for Kerberos Constrained Delegation (KCD)
Has anyone run into an issue in which it took 2 or more authentication attempts to finally successfully log into an application using KCD? Below is an example of the use case I am referencing where ...
Single domain forest with KDC defined. A tcpdump was taken from the BIG-IP and a Wireshark capture from the KDC.
KRB5KDC_ERR_PREAUTH_REQUIRED KRB5KRB_ERR_RESPONSE_TOO_BIG AS-REQ AS-REP TGS-REQ TGS-REP pa-data pa-s4u-X509-user padata-type:kRB5-PADATA-FOR-X509-USER (130)
The padata is the one thing that does not seem to always be consistent but I have no idea if that is an issue or not. My expectation would be that each TGS-REP from the KDC would be identical as it is for the same exact user/principal/service. I see some responses with padata and others without.
