3.1.5.1 Pre-authentication Data
Pre-authentication ([RFC4120] sections 3.1.1, 5.4.1, and 5.2.7) is an extensibility point for the Kerberos V5 protocol. Pre-authentication is performed by supplying one or more pre-authentication messages in the padata field of the AS-REQ and AS-REP messages.
KILE supports the following pre-authentication types specified in [RFC4120] section 7.5.2:
PA-TGS-REQ [1]
PA-ENC-TIMESTAMP [2]
PA-ETYPE-INFO [11]
PA-PK-AS-REQ_OLD [14]
PA-PK-AS-REP_OLD [15]
PA-PK-AS-REQ [16]
PA-PK-AS-REP [17]
PA-ETYPE-INFO2 [19]
PA-PAC-REQUEST [128]
KILE supports the following pre-authentication types specified in [Referrals-11] Appendix A:
PA-SVR-REFERRAL-INFO [20]
KILE supports the following pre-authentication types specified in [RFC6113] section 7.1:
PA-FX-COOKIE [133]
PA-FX-FAST [136]
PA-FX-ERROR [137]
PA-ENCRYPTED-CHALLENGE [138]
KILE adds the following pre-authentication types:
Unknown pre-authentication types MUST be ignored by KDCs.
When clients perform a password-based initial authentication, they MUST supply the PA-ENC-TIMESTAMP [2] pre-authentication type when they construct the initial AS request. They can request, via the PA-PAC-REQUEST [128] pre-authentication type, that a privilege attribute certificate (PAC) be included in issued tickets.
If the KDC does not receive the required pre-authentication message in the AS exchange, an error MUST be returned to the client. The exact error depends on what pre-authentication types were supplied.