Kerberos Pre-Authentication Types
| Type | Type Name | Description |
|---|---|---|
| 0 | – | Logon without Pre-Authentication. |
| 2 | PA-ENC-TIMESTAMP | This is a normal type for standard password authentication |
| 11 | PA-ETYPE-INFO | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value. Never saw this Pre-Authentication Type in Microsoft Active Directory environment |
| 15 | PA-PK-AS-REP_OLD | Used for Smart Card logon authentication |
| 16 | PA-PK-AS-REQ | Request sent to KDC in Smart Card authentication scenarios |
| 17 | PA-PK-AS-REP | This type should also be used for Smart Card authentication, but in certain Active Directory environments, it is never seen |
| 19 | PA-ETYPE-INFO2 | The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value. Never saw this Pre-Authentication Type in Microsoft Active Directory environment |
| 20 | PA-SVR-REFERRAL-INFO | Used in KDC Referrals tickets |
| 138 | PA-ENCRYPTED-CHALLENGE | Logon using Kerberos Armoring (FAST). Supported starting from Windows Server 2012 domain controllers and Windows 8 clients |
| – | This type shows in Audit Failure events. |