Kerberos Hardware Pre_auth

John Dennis jdennis at
Thu Aug 20 21:32:34 CEST 2009

On 08/20/2009 01:05 PM, Larry Ross wrote:
> Good Morning All;
> I am looking for direction into correcting an issue with FR 2.X
> authenticating against a Krb5 directory with Hardware Pre-Auth enabled.
> Currently I am not finding any luck in getting this off the ground.

I don't know what Hardware Pre-Auth is, I presume you mean Kerberos 
Pre-Authentication. I also don't know what a Krb5 directory is, I 
presume you mean binding to a LDAP directory using Kerberos and not 
performing Kerberos authentication against a KDC. In the future please 
try to use the correct terminology so we don't have to guess how to help 

The rlm_ldap module can only do simple binds with a password. If you 
want to perform a LDAP bind with Kerberos the rlm_ldap would have to use 
SASL with the GSSAPI mechanism. I have a patch which does this (but it's 
against the old 1.x rlm_ldap).

If you mean Kerberos authentication against a KDC you're also out of 
luck, rlm_krb5 does not provide Kerberos pre-authentication data nor 
does it respond to the KDC_ERR_PREAUTH_REQUIRED message. Patches welcome.

You may have better luck disabling pre-authenication.

John Dennis <jdennis at>

Looking to carve out IT costs?

More information about the Freeradius-Users mailing list