Article ID: 949061 - Last Review: February 28, 2008 - Revision: 1.3

Intrusion detection software (IDS) or Key Distribution Center (KDC) may issue a warning of a replay attack when you try to use a nonexistent domain user account to log on to a domain from a Windows-based client computer

SYMPTOMS

In an Active Directory directory service domain environment, you configure intrusion detection software (IDS) or the Key Distribution Center (KDC) to detect a replay attack in the network. However, when you try to use a nonexistent domain user account to log on to the domain from a Windows-based client computer, you may receive a warning of a replay attack. This warning is triggered by the IDS or the KDC.

Note This behavior may occur in all versions of Windows. For example, it may occur in Windows XP, in Windows Server 2003, and in Windows Vista.

CAUSE

This behavior occurs because the client sends the KRB_AS_REQ packet to the KDC twice. When you try to use a nonexistent domain user account to log on to the domain from a Windows-based client computer, the client computer sends a KRB_AS_REQ packet to the KDC. In response to this packet, the KDC sends a KRB_AS_REP response that contains the KDC_ERR_C_PRINCIPAL_UNKNOWN error code. In this case, the client computer resends the KRB_AS_REQ packet. Because the IDS sees the same request a second time, it may issue a warning of a replay attack.

Note This behavior is harmless in Windows operating systems.

MORE INFORMATION

For more information about Kerberos error messages and about Lightweight Directory Access Protocol (LDAP) error messages, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/bb463166.aspx
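The following is an added example, not code from the Microsoft article: a small detector that flags a repeated Kerberos AS-REQ as a possible replay but suppresses the alert when the repeat immediately follows a KDC_ERR_C_PRINCIPAL_UNKNOWN error for the same client and principal, which is the harmless retry the article describes. The sample events are constructed, and the choice of (client address, principal name, nonce) as the key that makes two requests "the same" is an assumption about how an IDS matches duplicates, not something the article states.

```python
"""Distinguish the harmless AS-REQ retry after KDC_ERR_C_PRINCIPAL_UNKNOWN
from a genuine duplicate AS-REQ (possible replay). Added example; not
the article's or Microsoft's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Kerberos error code value from RFC 4120, section 7.5.9
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6


@dataclass
class KrbEvent:
    """One Kerberos message as an IDS might summarize it (constructed schema)."""
    ts: float                          # seconds since capture start
    client: str                        # client IP address
    msg: str                           # "AS-REQ", "AS-REP" or "KRB-ERROR"
    cname: str                         # client principal named in the message
    nonce: Optional[int] = None        # AS-REQ nonce (assumed reused on retry)
    error_code: Optional[int] = None   # only set for KRB-ERROR


def classify_as_requests(events: List[KrbEvent],
                         window: float = 5.0) -> List[Tuple[KrbEvent, str]]:
    """Return (event, verdict) for every AS-REQ in time order.

    Verdicts: "first-request", "benign-retry" (a duplicate that follows a
    KDC_ERR_C_PRINCIPAL_UNKNOWN for the same client/principal inside the
    window) or "possible-replay" (a duplicate with no such error between).
    """
    last_req: Dict[Tuple[str, str, Optional[int]], float] = {}
    principal_unknown: Dict[Tuple[str, str], float] = {}
    verdicts: List[Tuple[KrbEvent, str]] = []

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.msg == "KRB-ERROR" and ev.error_code == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            # Remember when the KDC told this client the principal does not exist
            principal_unknown[(ev.client, ev.cname)] = ev.ts
            continue
        if ev.msg != "AS-REQ":
            continue

        key = (ev.client, ev.cname, ev.nonce)
        prev = last_req.get(key)
        if prev is None or ev.ts - prev > window:
            verdict = "first-request"
        else:
            err_ts = principal_unknown.get((ev.client, ev.cname))
            if err_ts is not None and prev <= err_ts <= ev.ts:
                verdict = "benign-retry"       # the behavior the article describes
            else:
                verdict = "possible-replay"    # duplicate with no explaining error
        last_req[key] = ev.ts
        verdicts.append((ev, verdict))
    return verdicts


def sample_events() -> List[KrbEvent]:
    """Constructed traffic: one logon with a nonexistent account, then a
    duplicate AS-REQ for a valid account with no error in between."""
    return [
        KrbEvent(0.00, "10.0.0.5", "AS-REQ", "nosuchuser", nonce=12345),
        KrbEvent(0.01, "10.0.0.5", "KRB-ERROR", "nosuchuser",
                 error_code=KDC_ERR_C_PRINCIPAL_UNKNOWN),
        KrbEvent(0.02, "10.0.0.5", "AS-REQ", "nosuchuser", nonce=12345),
        KrbEvent(1.00, "10.0.0.9", "AS-REQ", "alice", nonce=777),
        KrbEvent(1.01, "10.0.0.9", "AS-REP", "alice"),
        KrbEvent(1.50, "10.0.0.9", "AS-REQ", "alice", nonce=777),
    ]


if __name__ == "__main__":
    for ev, verdict in classify_as_requests(sample_events()):
        print(f"{ev.ts:5.2f} {ev.client:<10} {ev.cname:<12} {verdict}")
```

Run as a script, the first duplicate (nosuchuser) is reported as benign-retry and the second (alice, no KDC error in between) as possible-replay; the error-code correlation is what keeps the article's harmless retry out of the replay alerts while a duplicate AS-REQ that the KDC did not reject still gets flagged.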