Received error from KDC: -1765328361/Password has expired


Symptoms

First, see How to analyze the log files to identify single sign-on (SSO) issues.

Single sign-on fails. In awingu-worker-smc.service.log, an error similar to the following can be seen:


2022-01-24 13:05:32.815501 somehost awingu-worker-smc.service[manage.py:24846]: Using specified cache: /etc/awingu/domains/WORKSPACEDOMAIN/ac02f8b1-9725-4417-91f4-80544ab90d11/kerberos/kerberos_credentials_cache
Using principal: someuser\@[email protected]
PA Option X509_user_identity = FILE:/etc/awingu/domains/WORKSPACEDOMAIN/ac02f8b1-9725-4417-91f4-80544ab90d11/certificate.pem,/etc/awingu/domains/WORKSPACEDOMAIN/ac02f8b1-9725-4417-91f4-80544ab90d11/private_key.pem
[323] 1643029531.34277: Getting initial credentials for someuser\@[email protected]
[323] 1643029531.34279: Sending unauthenticated request
[323] 1643029531.34280: Sending request (220 bytes) to SOMEDOMAIN.ORG
[323] 1643029531.34281: Resolving hostname somehost.somedomain.org
[323] 1643029531.34282: Sending initial UDP request to dgram 10.1.2.3:88
[323] 1643029531.34283: Received answer (215 bytes) from dgram 10.1.2.3:88
[323] 1643029531.34284: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[323] 1643029531.34285: No URI records found
[323] 1643029531.34286: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[323] 1643029531.34287: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[323] 1643029531.34288: No SRV records found
[323] 1643029531.34289: Response was not from master KDC
[323] 1643029531.34290: Received error from KDC: -1765328359/Additional pre-authentication required
[323] 1643029531.34293: Preauthenticating using KDC method data
[323] 1643029531.34294: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[323] 1643029531.34295: Selected etype info: etype aes256-cts, salt "SOMEDOMAIN.ORGsomeuser", params ""
[323] 1643029531.34296: PKINIT loading CA certs and CRLs from FILE
[323] 1643029531.34297: PKINIT client computed kdc-req-body checksum 9/07AED58DC8D9BE3E54B5EA229086654CF1E44F6E
[323] 1643029531.34299: PKINIT client making DH request
[323] 1643029531.34300: Preauth module pkinit (16) (real) returned: 0/Success
[323] 1643029531.34301: Produced preauth for next request: PA-PK-AS-REQ (16)
[323] 1643029531.34302: Sending request (5864 bytes) to SOMEDOMAIN.ORG
[323] 1643029531.34303: Resolving hostname somehost.somedomain.org
[323] 1643029531.34304: Initiating TCP connection to stream 10.1.2.3:88
[323] 1643029531.34305: Sending TCP request to stream 10.1.2.3:88
[323] 1643029531.34306: Received answer (3011 bytes) from stream 10.1.2.3:88
[323] 1643029531.34307: Terminating TCP connection to stream 10.1.2.3:88
[323] 1643029531.34308: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[323] 1643029531.34309: No URI records found
[323] 1643029531.34310: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[323] 1643029531.34311: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[323] 1643029531.34312: No SRV records found
[323] 1643029531.34313: Response was not from master KDC
[323] 1643029531.34314: Received error from KDC: -1765328361/Password has expired
[323] 1643029531.34316: Recovering from KDC error 23 using preauth mech PA-PK-AS-REQ (16)
[323] 1643029531.34317: Preauth tryagain input types (16): PA-PK-AS-REP (17)
[323] 1643029531.34318: Preauth module pkinit (16) tryagain returned: 0/Success
[323] 1643029531.34319: Retrying AS request with master KDC
[323] 1643029531.34320: Getting initial credentials for someuser\@[email protected]
[323] 1643029531.34322: Sending unauthenticated request
[323] 1643029531.34323: Sending request (220 bytes) to SOMEDOMAIN.ORG (master)
[323] 1643029531.34324: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[323] 1643029531.34325: No URI records found
[323] 1643029531.34326: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[323] 1643029531.34327: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[323] 1643029531.34328: No SRV records found
[323] 1643029531.34329: Principal expired; getting changepw ticket
[323] 1643029531.34330: Getting initial credentials for someuser\@[email protected]
[323] 1643029531.34331: Setting initial creds service to kadmin/changepw
[323] 1643029531.34333: Sending unauthenticated request
[323] 1643029531.34334: Sending request (210 bytes) to SOMEDOMAIN.ORG
[323] 1643029531.34335: Resolving hostname somehost.somedomain.org
[323] 1643029531.34336: Sending initial UDP request to dgram 172.27.0.10:88
[323] 1643029532.517654: Sending initial UDP request to dgram 10.1.2.3
[323] 1643029532.517655: Received answer (205 bytes) from dgram 10.1.2.3
[323] 1643029532.517656: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[323] 1643029532.517657: No URI records found
[323] 1643029532.517658: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[323] 1643029532.517659: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[323] 1643029532.517660: No SRV records found
[323] 1643029532.517661: Response was not from master KDC
[323] 1643029532.517662: Received error from KDC: -1765328359/Additional pre-authentication required
[323] 1643029532.517665: Preauthenticating using KDC method data
[323] 1643029532.517666: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[323] 1643029532.517667: Selected etype info: etype aes256-cts, salt "SOMEDOMAIN.ORGsomeuser", params ""
[323] 1643029532.517668: PKINIT loading CA certs and CRLs from FILE
[323] 1643029532.517669: PKINIT client computed kdc-req-body checksum 9/8FEA06C1B09A5F23B9186332AF62EAB9DE86332A
[323] 1643029532.517671: PKINIT client making DH request
[323] 1643029532.517672: Preauth module pkinit (16) (real) returned: 0/Success
[323] 1643029532.517673: Produced preauth for next request: PA-PK-AS-REQ (16)
[323] 1643029532.517674: Sending request (5854 bytes) to SOMEDOMAIN.ORG
[323] 1643029532.517675: Resolving hostname somehost.somedomain.org
[323] 1643029532.517676: Initiating TCP connection to stream 10.1.2.3:88
[323] 1643029532.517677: Sending TCP request to stream 10.1.2.3:88
[323] 1643029532.517678: Received answer (5177 bytes) from stream 10.1.2.3:88
[323] 1643029532.517679: Terminating TCP connection to stream 10.1.2.3:88
[323] 1643029532.517680: Sending DNS URI query for _kerberos.SOMEDOMAIN.ORG.
[323] 1643029532.517681: No URI records found
[323] 1643029532.517682: Sending DNS SRV query for _kerberos-master._udp.SOMEDOMAIN.ORG.
[323] 1643029532.517683: Sending DNS SRV query for _kerberos-master._tcp.SOMEDOMAIN.ORG.
[323] 1643029532.517684: No SRV records found
[323] 1643029532.517685: Response was not from master KDC
[323] 1643029532.517686: Processing preauth types: PA-PK-AS-REP (17)
[323] 1643029532.517687: PKINIT client verified DH reply
[323] 1643029532.517688: PKINIT client config accepts KDC dNSName SAN somehost.somedomain.org
[323] 1643029532.517689: PKINIT client found dNSName SAN in KDC cert: somedc.somead.somedomain.org
[323] 1643029532.517690: PKINIT client found dNSName SAN in KDC cert: somead.somedomain.org
[323] 1643029532.517691: PKINIT client found dNSName SAN in KDC cert: SOMEDOMAIN
[323] 1643029532.517692: PKINIT client matched KDC hostname somehost.somedomain.org against dNSName SAN; EKU check still required
[323] 1643029532.517693: PKINIT found acceptable EKU and digitalSignature KU
[323] 1643029532.517694: PKINIT client found acceptable EKU in KDC cert
[323] 1643029532.517695: PKINIT client used octetstring2key to compute reply key aes256-cts/AAF4
[323] 1643029532.517696: Preauth module pkinit (17) (real) returned: 0/Success
[323] 1643029532.517697: Produced preauth for next request: (empty)
[323] 1643029532.517698: AS key determined by preauth: aes256-cts/AAF4
[323] 1643029532.517699: Decrypted AS reply; session key is: aes256-cts/3A99
[323] 1643029532.517700: FAST negotiation: unavailable
[323] 1643029532.517701: Attempting password change; 3 tries remaining
kinit: Cannot read password while getting initial credentials
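
As an added triage helper (not part of this article or of the Awingu product), the Python below scans awingu-worker-smc.service.log lines for the KDC error shown above, converts MIT krb5's signed com_err values into the KDC error number the trace calls "KDC error 23", and reports the expired-password case only when the failed non-interactive password change that follows it is also present. The sample lines are constructed from the excerpt above.

```python
import re

# Added example, not part of the article or of the Awingu product code.
# MIT krb5 trace output prints KDC errors as signed com_err values; subtracting the
# krb5 error-table base gives the protocol error number (23 = KRB5KDC_ERR_KEY_EXP).
KRB5_ERROR_BASE = -1765328384
KDC_ERROR_NAMES = {
    23: "KRB5KDC_ERR_KEY_EXP",           # password expired
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",  # expected on the first, unauthenticated request
}
KDC_ERR_RE = re.compile(r"Received error from KDC: (-\d+)/(.*)$")
CHANGEPW_RE = re.compile(r"Setting initial creds service to kadmin/changepw")
NO_PASSWORD_RE = re.compile(r"kinit: Cannot read password")


def analyze_smc_log(lines):
    """Return (kdc_errors, diagnosis); kdc_errors is [(number, name, message), ...].
    "password expired" requires KDC error 23 followed by kinit's non-interactive
    password-change fallback (the article's symptom), not error 23 on its own."""
    kdc_errors, changepw_seen, no_password_seen = [], False, False
    for line in lines:
        m = KDC_ERR_RE.search(line)
        if m:
            num = int(m.group(1)) - KRB5_ERROR_BASE
            kdc_errors.append((num, KDC_ERROR_NAMES.get(num, "UNKNOWN"), m.group(2).strip()))
        elif CHANGEPW_RE.search(line):
            changepw_seen = True
        elif NO_PASSWORD_RE.search(line):
            no_password_seen = True
    numbers = {num for num, _, _ in kdc_errors}
    if 23 in numbers and (changepw_seen or no_password_seen):
        diagnosis = "password expired"
    elif numbers <= {25}:
        diagnosis = "no KDC failure (preauth-required is the normal first round trip)"
    else:
        diagnosis = "other KDC error"
    return kdc_errors, diagnosis


# Constructed sample, abbreviated from the log excerpt above.
SAMPLE_LOG = """\
[323] 1643029531.34290: Received error from KDC: -1765328359/Additional pre-authentication required
[323] 1643029531.34314: Received error from KDC: -1765328361/Password has expired
[323] 1643029531.34331: Setting initial creds service to kadmin/changepw
[323] 1643029532.517701: Attempting password change; 3 tries remaining
kinit: Cannot read password while getting initial credentials
""".splitlines()

if __name__ == "__main__":
    print(analyze_smc_log(SAMPLE_LOG))
```

Feed it the real log with analyze_smc_log(open(path).read().splitlines()); a "preauth-required" error on its own is not a failure, only error 23 followed by the changepw fallback matches this article.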

Cause

The user's password has expired. The KDC reports this as error 23 ("Password has expired") after PKINIT pre-authentication has succeeded; kinit then tries to obtain a kadmin/changepw ticket to change the password, which fails because it cannot prompt for a password in this context ("kinit: Cannot read password while getting initial credentials").

Resolution

Have the user navigate to the Workspace again (if needed, from a private/incognito browser tab or from another browser) and let them try to sign in again.

If the problem persists, contact the support team.
