Security Reference  
 

What are the various Kerberos error codes?

Created on 2003-06-16 by Rainer Gerhards.

Windows event log entries often contain Kerberos failure codes (for an example, please see security event 676). These failure codes are the original error codes from the Kerberos RFC 1510 (see page 83 for the complete list).

For your convenience, we have extracted the error codes below and added some of our comments. Please note that in event log entries, a hexedicimal code is used (the number starts with 0x). Be sure to not mistakenly look up the decimal code below.

Error codes

Kerberos
Error Label
Hex Dec Meaning or MIT code Explanation
KDC_ERR_NONE 0x0 0 No error  
KDC_ERR_NAME_EXP 0x1 1 Client's entry in database has expired  
KDC_ERR_SERVICE_EXP 0x2 2 Server's entry in database has expired  
KDC_ERR_BAD_PVNO 0x3 3 Requested protocol version number not supported  
KDC_ERR_C_
OLD_MAST_KVNO
0x4 4 Client's key encrypted in oldmaster key  
KDC_ERR_S_
OLD_MAST_KVNO
0x5 5 Server's key encrypted in old master key  
KDC_ERR_C_
PRINCIPAL_UNKNOWN
0x6 6 Client not found in Kerberos database
  • We have seen this code when Active Directory replication does not work correctly. In this case, it is possible that e.g. a computer account joins the domain using one DC. Then, this information is not replicated within AD. If the computer then tries to authenticate to another DC, it is not found there, resulting in this error code.
  • Also, make sure time synchronization between DCs is working well.
KDC_ERR_S_
PRINCIPAL_UNKNOWN
0x7 7 Server not found in Kerberos database Could be the same cause as error 6 above.
KDC_ERR_
PRINCIPAL_NOT_UNIQUE
0x8 8 Multiple principal entries in database  
KDC_ERR_NULL_KEY 0x9 9 The client or server has a null key  
KDC_ERR_CANNOT_
POSTDATE
0xa 10 Ticket not eligible for postdating  
KDC_ERR_NEVER_VALID 0xb 11 Requested start time is later than end time  
KDC_ERR_POLICY 0xc 12 KDC policy rejects request  
KDC_ERR_BADOPTION 0xd 13 KDC cannot accommodate requested option  
KDC_ERR_
ETYPE_NOSUPP
0xe 14 KDC has no support for encryption type  
KDC_ERR_SUMTYPE_NOSUPP 0xf 15 KDC has no support for checksum type  
KDC_ERR_
PADATA_TYPE_NOSUPP
0x10 16 KDC has no support for padata type  
KDC_ERR_TRTYPE_NOSUPP 0x11 17 KDC has no support for transited type  
KDC_ERR_
CLIENT_REVOKED
0x12 18 Clients credentials have been revoked This is due to a workstation restriction on the account, or a logon time restriction, or logon attempt outside logon hours, or accout disabled, expired, or locked out.
KDC_ERR_
SERVICE_REVOKED
0x13 19 Credentials for server have been revoked  
KDC_ERR_TGT_REVOKED 0x14 20 TGT has been revoked  
KDC_ERR_CLIENT_NOTYET 0x15 21 Client not yet valid - try again later  
KDC_ERR_
SERVICE_NOTYET
0x16 22 Server not yet valid - try again later  
KDC_ERR_KEY_
EXPIRED
0x17 23 Password has expired - change password to reset  
KDC_ERR_
PREAUTH_FAILED
0x18 24 Pre-authentication information was invalid Be sure to check time synchronization within your tree.
KDC_ERR_
PREAUTH_REQUIRED
0x19 25 Additional pre-authentication required  
KRB_AP_ERR_
BAD_INTEGRITY
0x1f 31 Integrity check on decrypted field failed  
KRB_AP_ERR_TKT_
EXPIRED
0x20 32 Ticket expired  
KRB_AP_ERR_TKT_NYV 0x21 33 Ticket not yet valid  
KRB_AP_ERR_REPEAT 0x22 34 Request is a replay  
KRB_AP_ERR_NOT_US 0x23 35 The ticket isn't for us  
KRB_AP_ERR_BADMATCH 0x24 36 Ticket and authenticator don't match  
KRB_AP_ERR_SKEW 0x25 37 Clock skew too great  
KRB_AP_ERR_BADADDR 0x26 38 Incorrect net address  
KRB_AP_ERR_
BADVERSION
0x27 39 Protocol version mismatch  
KRB_AP_ERR_MSG_TYPE 0x28 40 Invalid msg type  
KRB_AP_ERR_MODIFIED 0x29 41 Message stream modified  
KRB_AP_ERR_
BADORDER
0x2a 42 Message out of order  
KRB_AP_ERR_
BADKEYVER
0x2c 44 Specified version of key is not available  
KRB_AP_ERR_NOKEY 0x2d 45 Service key not available  
KRB_AP_ERR_MUT_FAIL 0x2e 46 Mutual authentication failed  
KRB_AP_ERR_
BADDIRECTION
0x2f 47 Incorrect message direction  
KRB_AP_ERR_METHOD 0x60 48 Alternative authentication method required*  
KRB_AP_ERR_BADSEQ 0x31 49 Incorrect sequence number in message  
KRB_AP_ERR_
INAPP_CKSUM
0x32 50 Inappropriate type of checksum in message  
KRB_ERR_GENERIC 0x3C 60 Generic error (description in e-text  
KRB_ERR_FIELD
_TOOLONG
0x3D 61 Field is too long for this implementation  


Would you like to discuss this object? Have a look at our Windows event forum or post a question there!

Analysis, monitoring, near-real-time alerting of the Windows event log can be done with by MonitorWare Agent.

All information in this section is to the best of our knowledge but without warrenty of any kind. This is free information - use it at your sole risk.

[Back to the Security Reference]


MonitorWare
 Home
 The Products
MonitorWare Products
Product Comparison
Which one to Purchase?
Order and Pricing
Upgrade Insurance Info
News Releases
Version History
MonitorWare Tools
 Event Repository
 Download
 Reference library
General Information
Step-by-step guides
 - All
 - Installation and Configuration
 - Services related
 - Actions related
 - Central Monitoring
Common Uses
Syslog configuration
Syslog Log Samples
Security Reference
 Help
Support
Manual
FAQ
 - All
 - General questions
 - Configurations related
 - Monitorware Agent
 - Monitorware Console
Articles
Seminars Online
 - All
 - General
 - MonitorWare Console
 - MonitorWare Agent
 - WinSyslog related
 - EventReporter
 Order & pricing
Order now
Product Comparison
Pricing Information
Upgrade Insurance Info
Local Reseller
 Contact Us
 Search
 
 



Printer Version Send this page to a friend

Copyright © 1988-2005 Adiscon GmbH All rights reserved.
Contact us via Secure Web Response | Privacy Policy
Topic Links: syslog | Free Weblinks Directory