Pulse Secure is working to reduce the frequency of the log message to only critical scenarios. PRS-353429 has been filed to improve the log message in a future release.
To root-cause the issue, perform the following steps:
- Log in to the admin console
- Navigate to Maintenance > Troubleshooting > Tools > TCPDump
- In the filter field, enter udp port 88
- Click Start Sniffing
Once the capture is running, have an end user reproduce the issue or monitor the user access logs until the error occurs. When it does, stop and save the TCPDump and provide a copy of the event and user access logs. Note that the filter above captures only UDP: if the KDC answers with KRB_ERR_RESPONSE_TOO_BIG, the retry over TCP will not appear in the capture. Use the filter port 88 if both transports are needed.
In the tcpdump, there may be multiple Kerberos error (KRB-ERROR) messages. Here is a list of the most common error codes and what they mean:
Informational:
These messages can be safely ignored, as they do not by themselves indicate a failed authentication.
- KDC_ERR_PREAUTH_REQUIRED - The KDC requires pre-authentication for the user account. This is the normal reply to an initial AS-REQ sent without pre-authentication data; the user is prompted for credentials after this message and the request is resent with pre-authentication data.
- KRB_ERR_RESPONSE_TOO_BIG - The KDC response is too large for UDP. The Pulse Connect Secure device falls back to TCP to complete the authentication.
Errors:
- KDC_ERR_PREAUTH_FAILED - The pre-authentication data could not be validated; in practice, the end user entered an incorrect password. (An unknown username produces KDC_ERR_C_PRINCIPAL_UNKNOWN instead.)
- KDC_ERR_ETYPE_NOTSUPP - The encryption type sent from PCS to the KDC is not supported by the KDC (for example, RC4 offered to a KDC that has been restricted to AES).
- KDC_ERR_C_PRINCIPAL_UNKNOWN - The user (client principal) does not exist in the KDC, or duplicate accounts may exist.
- KDC_ERR_S_PRINCIPAL_UNKNOWN - The requested service principal (SPN) does not exist in the KDC.
- KDC_ERR_CLIENT_REVOKED - The account is disabled, expired, or locked out.
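The following is an added example, not a Pulse Secure tool or code from this article, showing how the error codes above are located on the wire so that a saved capture can be triaged automatically. A KRB-ERROR is a DER-encoded [APPLICATION 30] SEQUENCE whose error-code sits at context tag [6] (RFC 4120 5.9.1), and over TCP each message carries a 4-byte length prefix (RFC 4120 7.2.2), which is what the UDP-to-TCP retry after KRB_ERR_RESPONSE_TOO_BIG looks like. The sample messages are constructed inline with a minimal encoder; the realm EXAMPLE.LOCAL, the timestamp and the packet order are placeholders, not data from a real capture.

```python
"""Triage Kerberos KRB-ERROR messages from port-88 payloads (added example)."""

# Codes from RFC 4120 7.5.9 with the meaning given in the article.
# (RFC 4120 spells code 14 KDC_ERR_ETYPE_NOSUPP; vendor logs often write NOTSUPP.)
ERROR_CODES = {
    6:  ("KDC_ERR_C_PRINCIPAL_UNKNOWN", "error", "user account not found in KDC, or duplicates"),
    7:  ("KDC_ERR_S_PRINCIPAL_UNKNOWN", "error", "service principal (SPN) not found in KDC"),
    14: ("KDC_ERR_ETYPE_NOTSUPP",       "error", "encryption type sent by PCS not supported by KDC"),
    18: ("KDC_ERR_CLIENT_REVOKED",      "error", "account disabled, expired or locked out"),
    24: ("KDC_ERR_PREAUTH_FAILED",      "error", "pre-authentication failed (usually wrong password)"),
    25: ("KDC_ERR_PREAUTH_REQUIRED",    "info",  "normal first reply; client resends with pre-auth data"),
    52: ("KRB_ERR_RESPONSE_TOO_BIG",    "info",  "reply too large for UDP; client retries over TCP"),
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Every tag inside KRB-ERROR fits in one byte, so multi-byte tags are not handled."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def krb_error_code(payload, over_tcp=False):
    """Return the error-code of a KRB-ERROR payload, or None for any other message type."""
    if over_tcp:
        # RFC 4120 7.2.2: 4-byte big-endian length prefix, high bit reserved.
        msg_len = int.from_bytes(payload[:4], "big") & 0x7FFFFFFF
        payload = payload[4:4 + msg_len]
    tag, body, _ = _read_tlv(payload, 0)
    if tag != 0x7E:                      # [APPLICATION 30] constructed = 0x40 | 0x20 | 30
        return None
    seq_tag, fields, _ = _read_tlv(body, 0)
    if seq_tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    pos = 0
    while pos < len(fields):
        ctx_tag, ctx_body, pos = _read_tlv(fields, pos)
        if ctx_tag == 0xA6:              # error-code [6] Int32
            _, int_bytes, _ = _read_tlv(ctx_body, 0)
            return int.from_bytes(int_bytes, "big", signed=True)
    raise ValueError("KRB-ERROR without error-code field")


# --- minimal DER encoder, used only to construct the sample messages below ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _int(n):
    return _der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def _kstr(s):
    return _der(0x1B, s.encode("ascii"))  # KerberosString is a GeneralString


def build_krb_error(code, realm="EXAMPLE.LOCAL"):
    """Constructed sample KRB-ERROR; realm and stime are placeholders, not captured data."""
    sname = _der(0x30, _der(0xA0, _int(2))
                 + _der(0xA1, _der(0x30, _kstr("krbtgt") + _kstr(realm))))
    fields = (_der(0xA0, _int(5))                            # pvno
              + _der(0xA1, _int(30))                         # msg-type = KRB-ERROR
              + _der(0xA4, _der(0x18, b"20240101120000Z"))   # stime (placeholder)
              + _der(0xA5, _int(0))                          # susec
              + _der(0xA6, _int(code))                       # error-code
              + _der(0xA9, _kstr(realm))                     # realm
              + _der(0xAA, sname))                           # sname
    return _der(0x7E, _der(0x30, fields))


def tcp_frame(msg):
    """Wrap a message the way it travels over TCP port 88."""
    return len(msg).to_bytes(4, "big") + msg


# Constructed stand-in for a capture: (transport, payload) in the order seen.
# The first entry mimics an AS-REQ ([APPLICATION 10] = 0x6A, body elided) to show
# that non-error messages are skipped.
SAMPLE_CAPTURE = [
    ("udp", _der(0x6A, _der(0x30, b""))),
    ("udp", build_krb_error(25)),
    ("udp", build_krb_error(52)),
    ("tcp", tcp_frame(build_krb_error(24))),
]


def triage(packets):
    """Return (transport, code, name, severity) for every KRB-ERROR in packets."""
    out = []
    for transport, payload in packets:
        code = krb_error_code(payload, over_tcp=(transport == "tcp"))
        if code is None:
            continue
        name, severity, _ = ERROR_CODES.get(code, (f"UNKNOWN({code})", "error", ""))
        out.append((transport, code, name, severity))
    return out


if __name__ == "__main__":
    for transport, code, name, severity in triage(SAMPLE_CAPTURE):
        detail = ERROR_CODES.get(code, ("", "", ""))[2]
        print(f"{transport:3} {code:3} {name:28} [{severity}] {detail}")
```

Against a real capture, feed the function the UDP datagram payloads and the reassembled TCP stream bytes from the saved pcap; the informational/error split mirrors the two lists above, so a session that ends with only "info" entries has not failed at the KDC, and the first "error" entry is the one to chase.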
Workaround:
Until a fixed release is available, administrators can disable the Kerberos protocol and enable the NTLM protocol. NTLM is the weaker of the two, so treat this as a temporary measure and re-enable Kerberos once the fix is applied.