Overview #

Kerberos-related error messages can appear on the authentication server (the KDC), on the application server, at the user interface, or in network traces of Kerberos packets.

Often only a generic message is presented at the user interface. In some cases, an application written with GSS-API returns a numeric error code to the user instead of a text message.

More specific messages can be found in the logs on the authentication server or application server.

Kerberos errors that appear in a network trace are the numeric GSS-API base error codes rather than the English translations of those codes.

When troubleshooting Kerberos issues related to the configuration steps in this document, the error messages that appear in logs on the authentication server and in network traces are usually more helpful than the messages the user receives at the user interface.

The text portion of error messages differs between Windows-based Active Directory servers and UNIX KDCs, but all are based on the same set of error codes defined in RFC 1510, which defines error codes in the range 1–61 (hex values 0x01 to 0x3D).

The error codes are subject to change. Since the creation of RFC 1510, a small number of additional error codes have been proposed. The currently defined error codes are listed below; the values are given in hexadecimal.

The error codes are broken down as follows:

  • 0x1 through 0x1E come only from the KDC in response to an AS_REQ or TGS_REQ.
  • Other error codes may come from either the KDC or a program in response to an AP_REQ, KRB_PRIV, KRB_SAFE, or KRB_CRED.

Microsoft Active Directory#

On an Active Directory server, Kerberos error messages are found in the Event Log. Extended Kerberos logging must be enabled before all message types will appear. To enable extended Kerberos logging, add a DWORD registry value named LogLevel under the following key and set it to 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

The server must be restarted after this change before the extended logging takes effect.

UNIX KDC#

On a UNIX KDC, the log or logs to which Kerberos Error Codes are written are defined in the krb5.conf file.

These logging settings apply only to UNIX-based computers that are running KDCs, and thus, in the context of this document, only to End State 5—Cross-Realm Authentication.

More information about Kerberos error messages can be found in Appendix D: “Kerberos and LDAP Troubleshooting Tips,” of this guide and in the following document, “Troubleshooting Kerberos Errors,” available at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx. Information about some Kerberos troubleshooting tools is also available from Relevant Windows and UNIX Tools.

Kerberos Error Codes #

The following error codes are returned only in response to local requests. These codes will not be returned in response to network requests.
Error | Error Name | Description
0x0 | KDC_ERR_NONE | No error
0x1 | KDC_ERR_NAME_EXP | Client's entry in KDC database has expired
0x2 | KDC_ERR_SERVICE_EXP | Server's entry in KDC database has expired
0x3 | KDC_ERR_BAD_PVNO | Requested Kerberos version number not supported
0x4 | KDC_ERR_C_OLD_MAST_KVNO | Client's key encrypted in old master key
0x5 | KDC_ERR_S_OLD_MAST_KVNO | Server's key encrypted in old master key
0x6 | KDC_ERR_C_PRINCIPAL_UNKNOWN | Client not found in Kerberos database
0x7 | KDC_ERR_S_PRINCIPAL_UNKNOWN | Server not found in Kerberos database
0x8 | KDC_ERR_PRINCIPAL_NOT_UNIQUE | Multiple principal entries in KDC database
0x9 | KDC_ERR_NULL_KEY | The client or server has a null key (master key)
0xA | KDC_ERR_CANNOT_POSTDATE | Ticket (TGT) not eligible for postdating
0xB | KDC_ERR_NEVER_VALID | Requested start time is later than end time
0xC | KDC_ERR_POLICY | Requested start time is later than end time
0xD | KDC_ERR_BADOPTION | KDC cannot accommodate requested option
0xE | KDC_ERR_ETYPE_NOTSUPP | KDC has no support for encryption type
0xF | KDC_ERR_SUMTYPE_NOSUPP | KDC has no support for checksum type
0x10 | KDC_ERR_PADATA_TYPE_NOSUPP | KDC has no support for PADATA type (Kerberos Pre-Authentication data)
0x11 | KDC_ERR_TRTYPE_NO_SUPP | KDC has no support for transited type
0x12 | KDC_ERR_CLIENT_REVOKED | Client's credentials have been revoked
0x13 | KDC_ERR_SERVICE_REVOKED | Credentials for server have been revoked
0x14 | KDC_ERR_TGT_REVOKED | TGT has been revoked
0x15 | KDC_ERR_CLIENT_NOTYET | Client not yet valid—try again later
0x16 | KDC_ERR_SERVICE_NOTYET | Server not yet valid—try again later
0x17 | KDC_ERR_KEY_EXPIRED | Password has expired—change password to reset
0x18 | KDC_ERR_PREAUTH_FAILED | Kerberos Pre-Authentication information was invalid
0x19 | KDC_ERR_PREAUTH_REQUIRED | Additional Kerberos Pre-Authentication required
0x1A | KDC_ERR_SERVER_NOMATCH | KDC does not know about the requested server
0x1B | KDC_ERR_SVC_UNAVAILABLE | KDC is unavailable
0x1F | KRB_AP_ERR_BAD_INTEGRITY | Integrity check on decrypted field failed
0x20 | KRB_AP_ERR_TKT_EXPIRED | The ticket has expired
0x21 | KRB_AP_ERR_TKT_NYV | The ticket is not yet valid
0x22 | KRB_AP_ERR_REPEAT | The request is a replay
0x23 | KRB_AP_ERR_NOT_US | The ticket is not for us
0x24 | KRB_AP_ERR_BADMATCH | The ticket and authenticator do not match
0x25 | KRB_AP_ERR_SKEW | The clock skew is too great
0x26 | KRB_AP_ERR_BADADDR | Network address in network layer header doesn't match address inside ticket
0x27 | KRB_AP_ERR_BADVERSION | Protocol version numbers don't match (PVNO)
0x28 | KRB_AP_ERR_MSG_TYPE | Message type is unsupported
0x29 | KRB_AP_ERR_MODIFIED | Message stream modified and checksum didn't match
0x2A | KRB_AP_ERR_BADORDER | Message out of order (possible tampering)
0x2C | KRB_AP_ERR_BADKEYVER | Specified version of key is not available
0x2D | KRB_AP_ERR_NOKEY | Service key not available
0x2E | KRB_AP_ERR_MUT_FAIL | Mutual Authentication failed
0x2F | KRB_AP_ERR_BADDIRECTION | Incorrect message direction
0x30 | KRB_AP_ERR_METHOD | Alternative authentication method required
0x31 | KRB_AP_ERR_BADSEQ | Incorrect sequence number in message
0x32 | KRB_AP_ERR_INAPP_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported)
0x33 | KRB_AP_PATH_NOT_ACCEPTED | Desired path is unreachable
0x34 | KRB_ERR_RESPONSE_TOO_BIG | Too much data
0x3C | KRB_ERR_GENERIC | Generic error; the description is in the e-data field
0x3D | KRB_ERR_FIELD_TOOLONG | Field is too long for this implementation
0x3E | KDC_ERR_CLIENT_NOT_TRUSTED | The client trust failed or is not implemented
0x3F | KDC_ERR_KDC_NOT_TRUSTED | The KDC server trust failed or could not be verified
0x40 | KDC_ERR_INVALID_SIG | The signature is invalid
0x41 | KDC_ERR_KEY_TOO_WEAK | A higher encryption level is needed
0x42 | KRB_AP_ERR_USER_TO_USER_REQUIRED | User-to-user authorization is required
0x43 | KRB_AP_ERR_NO_TGT | No TGT was presented or available
0x44 | KDC_ERR_WRONG_REALM | Incorrect domain or principal

Windows-specific Responses #

Error | Error Name | Description
0x80000001 | KDC_ERR_MORE_DATA | More data is available
0x80000002 | KDC_ERR_NOT_RUNNING | The Kerberos service is not running
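Because traces and GSS-API applications report the numeric code rather than its name (see the Overview), and because the page's 0x1 through 0x1E rule tells you whether a code can only have come from the KDC, a small decoder is useful when reading KDC logs, Windows event text or a packet summary. The following Python is an added example written for this page, not code from the original page, from Microsoft or from any Kerberos implementation. It embeds a subset of the table above (the full list is longer and can be pasted in), classifies each code by origin using the page's rule, and pulls the numeric code out of a few constructed log lines. The sample lines, the token heuristic in `extract_code`, and the function names are all assumptions of this example; accepting both hex (`0x18`) and decimal (`24`) forms of the same code is the one generalization beyond the page, since both forms appear in practice.

```python
"""Added example (not part of the original page): decode numeric Kerberos
error codes, as seen in network traces and GSS-API status values, into the
names and descriptions from the page's table, and classify them by origin."""
import re
from typing import NamedTuple, Optional


class KrbError(NamedTuple):
    code: int
    name: str
    description: str
    origin: str


# Subset of the page's tables, keyed by numeric code. Extend from the page
# as needed; the descriptions are the page's wording.
ERROR_TABLE = {
    0x00: ("KDC_ERR_NONE", "No error"),
    0x06: ("KDC_ERR_C_PRINCIPAL_UNKNOWN", "Client not found in Kerberos database"),
    0x07: ("KDC_ERR_S_PRINCIPAL_UNKNOWN", "Server not found in Kerberos database"),
    0x0E: ("KDC_ERR_ETYPE_NOTSUPP", "KDC has no support for encryption type"),
    0x12: ("KDC_ERR_CLIENT_REVOKED", "Client's credentials have been revoked"),
    0x17: ("KDC_ERR_KEY_EXPIRED", "Password has expired"),
    0x18: ("KDC_ERR_PREAUTH_FAILED", "Kerberos Pre-Authentication information was invalid"),
    0x19: ("KDC_ERR_PREAUTH_REQUIRED", "Additional Kerberos Pre-Authentication required"),
    0x1F: ("KRB_AP_ERR_BAD_INTEGRITY", "Integrity check on decrypted field failed"),
    0x20: ("KRB_AP_ERR_TKT_EXPIRED", "The ticket has expired"),
    0x22: ("KRB_AP_ERR_REPEAT", "The request is a replay"),
    0x25: ("KRB_AP_ERR_SKEW", "The clock skew is too great"),
    0x29: ("KRB_AP_ERR_MODIFIED", "Message stream modified and checksum didn't match"),
    0x2D: ("KRB_AP_ERR_NOKEY", "Service key not available"),
    0x34: ("KRB_ERR_RESPONSE_TOO_BIG", "Too much data"),
    0x3C: ("KRB_ERR_GENERIC", "Generic error; the description is in the e-data field"),
    0x44: ("KDC_ERR_WRONG_REALM", "Incorrect domain or principal"),
    0x80000001: ("KDC_ERR_MORE_DATA", "More data is available"),
    0x80000002: ("KDC_ERR_NOT_RUNNING", "The Kerberos service is not running"),
}


def classify(code: int) -> str:
    """Apply the page's split: 0x1-0x1E come only from the KDC (AS_REQ/TGS_REQ);
    the Windows-specific codes have the high bit set; anything else may come
    from the KDC or from a program handling AP_REQ, KRB_PRIV, KRB_SAFE or KRB_CRED."""
    if 0x1 <= code <= 0x1E:
        return "KDC only (AS_REQ/TGS_REQ)"
    if code & 0x80000000:
        return "Windows-specific"
    return "KDC or application"


def lookup(code: int) -> Optional[KrbError]:
    """Map a numeric code to its name, description and origin; None if unknown."""
    entry = ERROR_TABLE.get(code)
    if entry is None:
        return None
    return KrbError(code, entry[0], entry[1], classify(code))


# Numeric tokens as they appear in traces and event text: "0x18" or "24".
_TOKEN_RE = re.compile(r"\b(0[xX][0-9A-Fa-f]+|\d+)\b")


def extract_code(line: str) -> Optional[int]:
    """Heuristic assumed by this example: prefer the first hex token (Windows
    event text reports codes as 0x..); otherwise take the last decimal token
    (packet-summary style puts the numeric value after the name)."""
    tokens = _TOKEN_RE.findall(line)
    hexes = [t for t in tokens if t[:2].lower() == "0x"]
    if hexes:
        return int(hexes[0], 16)
    if tokens:
        return int(tokens[-1], 10)
    return None


def decode_line(line: str) -> Optional[KrbError]:
    """Extract the code from one log/trace line and look it up."""
    code = extract_code(line)
    return lookup(code) if code is not None else None


# Constructed sample lines for this example, not captured output.
SAMPLE_LINES = [
    "KRB5 KRB-ERROR error_code: KDC_ERR_PREAUTH_FAILED (24)",
    "Kerberos pre-authentication failed. Failure Code: 0x18",
    "KRB5 KRB-ERROR error_code: KRB_AP_ERR_SKEW (37)",
    "Kerberos service error 0x80000002",
    "client unknown, error_code 6",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        err = decode_line(line)
        label = f"{err.name} [{err.origin}]" if err else "unknown code"
        print(f"{line!r} -> {label}")
```

The origin label is the part worth keeping when triaging: a code in the KDC-only band points at the KDC's own logs and the AS/TGS exchange, while a KRB_AP_ERR code such as the clock-skew or replay errors can come from the application server and should be chased there first.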

This page (revision-7) was last changed on 16-Jun-2016 15:13 by jim