Intrusion detection software (IDS) or Key Distribution Center (KDC) may issue a warning of a replay attack when you try to use a nonexistent domain user account to log on to a domain from a Windows-based client computer

Article translations Article translations
Article ID: 949061 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

In an Active Directory directory service domain environment, you configure intrusion detection software (IDS) or the Key Distribution Center (KDC) to detect a replay attack in the network.

However, when you try to use a nonexistent domain user account to log on to the domain from a Windows-based client computer, you may receive a warning of a replay attack. This warning is triggered by the IDS or the KDC.

Note This behavior may occur in all versions of Windows. For example, it may occur in Windows XP, in Windows Server 2003, and in Windows Vista.

CAUSE

This behavior occurs because the client sends the KRB_AS_REQ packet to the KDC two times.

When you try to use a nonexistent domain user account to log on to the domain from a Windows-based client computer, the client computer sends an KRB_AS_REQ packet to the KDC. In response to this packet, the KDC sends a KRB_AS_REP response that contains the KDC_ERR_C_PRINCIPAL_UNKNOWN error code. In this case, the client computer resends the KRB_AS_REQ packet. Therefore, the IDS may issue a warning of a replay attack.

Note This behavior is harmless in Windows operating systems.

MORE INFORMATION

For more information about Kerberos error messages and about Lightweight Directory Access Protocol (LDAP) error messages, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/bb463166.aspx

Properties

Article ID: 949061 - Last Review: February 28, 2008 - Revision: 1.3
APPLIES TO
  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Home Basic 64-bit Edition
  • Windows Vista Home Premium 64-bit Edition
  • Windows Vista Ultimate 64-bit Edition
  • Windows Vista Business
  • Windows Vista Business 64-bit Edition
  • Windows Vista Enterprise
  • Windows Vista Home Basic
  • Windows Vista Home Premium
  • Windows Vista Ultimate
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Keywords: 
kbexpertiseadvanced kbprb KB949061

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com