Article ID: 949061
This article has been archived. It is offered "as is" and will no longer be updated.
In an Active Directory directory service domain environment, you configure intrusion detection software (IDS) or the Key Distribution Center (KDC) to detect a replay attack in the network.
However, when you try to use a nonexistent domain user account to log on to the domain from a Windows-based client computer, you may receive a warning of a replay attack. This warning is triggered by the IDS or the KDC.
Note This behavior may occur in all versions of Windows. For example, it may occur in Windows XP, in Windows Server 2003, and in Windows Vista.
This behavior occurs because the client sends the KRB_AS_REQ packet to the KDC two times.
When you try to use a nonexistent domain user account to log on to the domain from a Windows-based client computer, the client computer sends a KRB_AS_REQ packet to the KDC. In response to this packet, the KDC sends a KRB_AS_REP response that contains the KDC_ERR_C_PRINCIPAL_UNKNOWN error code. In this case, the client computer resends the KRB_AS_REQ packet. Because the IDS or the KDC then sees a second KRB_AS_REQ from the same client, it may issue a warning of a replay attack.
Note This behavior is harmless in Windows operating systems.
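The following script is an added example, not part of this article, showing how a detection rule can be tuned so that the retry described above does not raise a false replay alert. It works on a constructed, simplified event trace (one record per KRB_AS_REQ and per KDC response, with a nonce used only to correlate a response to its request); the record layout, the field names, the 5-second window and the sample addresses and principal names are all assumptions of the example. The error code value 6 for KDC_ERR_C_PRINCIPAL_UNKNOWN is the value defined in RFC 4120. A repeated AS-REQ is downgraded to a benign retry only when the KDC answered the earlier request with KDC_ERR_C_PRINCIPAL_UNKNOWN; a repeat after a successful response is still reported as a replay suspect.

```python
"""Tune a duplicate-KRB_AS_REQ replay rule for the Windows retry after
KDC_ERR_C_PRINCIPAL_UNKNOWN. Added example; not Microsoft's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 4120 error code: client principal not found in the Kerberos database.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6


@dataclass
class KerberosEvent:
    """Simplified, constructed view of one message in the AS exchange."""
    ts: float                    # seconds since capture start
    kind: str                    # "AS_REQ" (client -> KDC) or "AS_RESPONSE" (KDC -> client)
    client_ip: str
    cname: str                   # client principal name as sent in the request
    nonce: int                   # used here only to pair a response with its request
    error: Optional[int] = None  # KDC error code on a response, None on success


@dataclass
class Finding:
    client_ip: str
    cname: str
    verdict: str                 # "replay_suspect" or "benign_retry_after_error"
    reason: str


def analyse(events: List[KerberosEvent], window_s: float = 5.0) -> List[Finding]:
    """Report a repeated AS_REQ from the same client/principal within window_s.

    The repeat is classified as benign_retry_after_error when the KDC answered
    the earlier request with KDC_ERR_C_PRINCIPAL_UNKNOWN, which is the case the
    article describes; any other repeat stays a replay_suspect for an analyst.
    """
    findings: List[Finding] = []
    last_req: Dict[Tuple[str, str], Tuple[float, int]] = {}   # (ip, cname) -> (ts, nonce)
    last_err: Dict[Tuple[str, int], Optional[int]] = {}       # (ip, nonce) -> error code

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "AS_RESPONSE":
            last_err[(ev.client_ip, ev.nonce)] = ev.error
            continue
        if ev.kind != "AS_REQ":
            continue
        key = (ev.client_ip, ev.cname)
        prev = last_req.get(key)
        if prev is not None and ev.ts - prev[0] <= window_s:
            prev_ts, prev_nonce = prev
            err = last_err.get((ev.client_ip, prev_nonce))
            if err == KDC_ERR_C_PRINCIPAL_UNKNOWN:
                findings.append(Finding(ev.client_ip, ev.cname, "benign_retry_after_error",
                                        "client resent KRB_AS_REQ after KDC_ERR_C_PRINCIPAL_UNKNOWN"))
            else:
                findings.append(Finding(ev.client_ip, ev.cname, "replay_suspect",
                                        f"second AS_REQ {ev.ts - prev_ts:.2f}s after one the KDC "
                                        "did not reject as an unknown principal"))
        last_req[key] = (ev.ts, ev.nonce)
    return findings


# Constructed sample trace (addresses and principals are made up for the example).
SAMPLE_TRACE = [
    # Case 1: mistyped user name, KDC rejects, client resends (the article's false positive)
    KerberosEvent(0.00, "AS_REQ",      "10.0.0.21", "jsmithh@CORP.EXAMPLE", nonce=1001),
    KerberosEvent(0.02, "AS_RESPONSE", "10.0.0.21", "jsmithh@CORP.EXAMPLE", nonce=1001,
                  error=KDC_ERR_C_PRINCIPAL_UNKNOWN),
    KerberosEvent(0.05, "AS_REQ",      "10.0.0.21", "jsmithh@CORP.EXAMPLE", nonce=1001),
    KerberosEvent(0.07, "AS_RESPONSE", "10.0.0.21", "jsmithh@CORP.EXAMPLE", nonce=1001,
                  error=KDC_ERR_C_PRINCIPAL_UNKNOWN),
    # Case 2: valid principal answered successfully, then the same request seen again
    KerberosEvent(1.00, "AS_REQ",      "10.0.0.33", "asmith@CORP.EXAMPLE", nonce=2002),
    KerberosEvent(1.02, "AS_RESPONSE", "10.0.0.33", "asmith@CORP.EXAMPLE", nonce=2002, error=None),
    KerberosEvent(1.50, "AS_REQ",      "10.0.0.33", "asmith@CORP.EXAMPLE", nonce=2002),
    # Case 3: a single request, nothing to report
    KerberosEvent(9.00, "AS_REQ",      "10.0.0.44", "bjones@CORP.EXAMPLE", nonce=3003),
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_TRACE):
        print(f"{f.verdict:26} {f.client_ip:10} {f.cname:24} {f.reason}")
```

Run as a script, the trace yields one benign_retry_after_error finding for the mistyped account and one replay_suspect finding for the repeated request from 10.0.0.33; the lone request from 10.0.0.44 produces nothing. The nonce is deliberately not used as evidence of a replay, because the article does not say whether the Windows retry reuses the original request bytes.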
For more information about Kerberos error messages and about Lightweight Directory Access Protocol (LDAP) error messages, visit the following Microsoft Web site:
Article ID: 949061 - Last Review: January 16, 2015 - Revision: 2.0