Overview #
Kerberos Error Codes are Result Codes from Kerberos that indicate something went wrong. Kerberos-related Result Code messages can appear on the authentication server (KDC), on the application server, at the user interface, or in network traces of Kerberos packets.
Often a generic message will be presented at the user interface. In some cases, an application written with GSS-API may return a numeric error message to the user instead of text messages.
More specific messages can be found in the logs on the authentication server or application server.
Kerberos errors that appear in a network trace are the GSS-API base error codes rather than the English translation of these codes.
When troubleshooting Kerberos issues related to the configuration steps in this document, the error messages that appear in logs on the authentication server and in network traces are usually more helpful than the messages the user receives at the user interface.
The text portion of the error messages differs between Windows-based Active Directory servers and UNIX KDCs, but all are based on the same set of error codes defined in RFC 1510, which defines error codes in the number range 1–61 (hex values 0x01 to 0x3D).
The error codes are subject to change: since the creation of RFC 1510, a small number of additional error codes have been proposed. The currently defined error messages are listed below; the values are given in hexadecimal.
The error codes are broken down as follows:
- 0x1 through 0x1E come only from the KDC in response to an AS_REQ or TGS_REQ.
- Other error codes may come from either the KDC or a program in response to an AP_REQ, KRB_PRIV, KRB_SAFE, or KRB_CRED.
Microsoft Active Directory #
On an Active Directory server, Kerberos error messages are found in the Windows Event Log. Extended Kerberos logging must be enabled before all message types will appear. To enable extended Kerberos logging, add a DWORD registry entry named LogLevel under the following key and set it to 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
The server must be restarted after this change before the logging takes effect.
UNIX KDC #
On a UNIX KDC, the log or logs to which Kerberos Error Codes are written are defined in the krb5.conf file. The logging configuration applies only to UNIX-based computers that are running KDCs and thus, in the context of this document, only to End State 5—Cross-Realm Authentication.
More information about Kerberos error messages can be found in Appendix D: “Kerberos and LDAP Troubleshooting Tips,” of this guide and in the following document, “Troubleshooting Kerberos Errors,” available at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx.
Information about some Kerberos troubleshooting tools is also available from Relevant Windows and UNIX Tools.
Kerberos Error Codes #
The following error codes are returned only in response to local requests. These codes will not be returned in response to network requests.

Error | Error Name | Description |
---|---|---|
0x0 | KDC_ERR_NONE | No error |
0x1 | KDC_ERR_NAME_EXP | Client's entry in KDC database has expired (ERROR_ACCOUNT_EXPIRED) |
0x2 | KDC_ERR_SERVICE_EXP | Server's entry in KDC database has expired (ERROR_ACCOUNT_EXPIRED) |
0x3 | KDC_ERR_BAD_PVNO | Requested Kerberos version number not supported |
0x4 | KDC_ERR_C_OLD_MAST_KVNO | Client's key encrypted in old master key |
0x5 | KDC_ERR_S_OLD_MAST_KVNO | Server's key encrypted in old master key |
0x6 | KDC_ERR_C_PRINCIPAL_UNKNOWN | Client not found in Kerberos database |
0x7 | KDC_ERR_S_PRINCIPAL_UNKNOWN | Server not found in Kerberos database |
0x8 | KDC_ERR_PRINCIPAL_NOT_UNIQUE | Multiple principal entries in KDC database |
0x9 | KDC_ERR_NULL_KEY | The client or server has a null key (master key) |
0xA | KDC_ERR_CANNOT_POSTDATE | Ticket (TGT) not eligible for postdating |
0xB | KDC_ERR_NEVER_VALID | Requested start time is later than end time |
0xC | KDC_ERR_POLICY | KDC policy rejects request |
0xD | KDC_ERR_BADOPTION | KDC cannot accommodate requested option |
0xE | KDC_ERR_ETYPE_NOTSUPP | KDC has no support for encryption type |
0xF | KDC_ERR_SUMTYPE_NOSUPP | KDC has no support for checksum type |
0x10 | KDC_ERR_PADATA_TYPE_NOSUPP | KDC has no support for PADATA type (Kerberos Pre-Authentication data) |
0x11 | KDC_ERR_TRTYPE_NO_SUPP | KDC has no support for transited type |
0x12 | KDC_ERR_CLIENT_REVOKED | Client’s credentials have been revoked |
0x13 | KDC_ERR_SERVICE_REVOKED | Credentials for server have been revoked |
0x14 | KDC_ERR_TGT_REVOKED | TGT has been revoked |
0x15 | KDC_ERR_CLIENT_NOTYET | Client not yet valid—try again later |
0x16 | KDC_ERR_SERVICE_NOTYET | Server not yet valid—try again later |
0x17 | KDC_ERR_KEY_EXPIRED | Password has expired—change password to reset (Password Expired) |
0x18 | KDC_ERR_PREAUTH_FAILED | Kerberos Pre-Authentication information was invalid |
0x19 | KDC_ERR_PREAUTH_REQUIRED | Additional Kerberos Pre-Authentication required |
0x1A | KDC_ERR_SERVER_NOMATCH | KDC does not know about the requested server |
0x1B | KDC_ERR_SVC_UNAVAILABLE | KDC is unavailable |
0x1F | KRB_AP_ERR_BAD_INTEGRITY | Integrity check on decrypted field failed |
0x20 | KRB_AP_ERR_TKT_EXPIRED | The ticket has expired |
0x21 | KRB_AP_ERR_TKT_NYV | The ticket is not yet valid |
0x22 | KRB_AP_ERR_REPEAT | The request is a replay |
0x23 | KRB_AP_ERR_NOT_US | The ticket is not for us |
0x24 | KRB_AP_ERR_BADMATCH | The ticket and authenticator do not match |
0x25 | KRB_AP_ERR_SKEW | The clock skew is too great |
0x26 | KRB_AP_ERR_BADADDR | Network address in network layer header doesn't match address inside ticket |
0x27 | KRB_AP_ERR_BADVERSION | Protocol version numbers don't match (PVNO) |
0x28 | KRB_AP_ERR_MSG_TYPE | Message type is unsupported |
0x29 | KRB_AP_ERR_MODIFIED | Message stream modified and checksum didn't match |
0x2A | KRB_AP_ERR_BADORDER | Message out of order (possible tampering) |
0x2C | KRB_AP_ERR_BADKEYVER | Specified version of key is not available |
0x2D | KRB_AP_ERR_NOKEY | Service key not available |
0x2E | KRB_AP_ERR_MUT_FAIL | Mutual Authentication failed |
0x2F | KRB_AP_ERR_BADDIRECTION | Incorrect message direction |
0x30 | KRB_AP_ERR_METHOD | Alternative authentication method required (Usually same as LDAP_STRONG_AUTH_REQUIRED) |
0x31 | KRB_AP_ERR_BADSEQ | Incorrect sequence number in message |
0x32 | KRB_AP_ERR_INAPP_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) |
0x33 | KRB_AP_PATH_NOT_ACCEPTED | Desired path is unreachable |
0x34 | KRB_ERR_RESPONSE_TOO_BIG | Too much data |
0x3C | KRB_ERR_GENERIC | Generic error; the description is in the e-data field |
0x3D | KRB_ERR_FIELD_TOOLONG | Field is too long for this implementation |
0x3E | KDC_ERR_CLIENT_NOT_TRUSTED | The client trust failed or is not implemented |
0x3F | KDC_ERR_KDC_NOT_TRUSTED | The KDC server trust failed or could not be verified |
0x40 | KDC_ERR_INVALID_SIG | The signature is invalid |
0x41 | KDC_ERR_KEY_TOO_WEAK | A higher encryption level is needed (Usually same as LDAP_STRONG_AUTH_REQUIRED) |
0x42 | KRB_AP_ERR_USER_TO_USER_REQUIRED | User-to-user authorization is required |
0x43 | KRB_AP_ERR_NO_TGT | No TGT was presented or available |
0x44 | KDC_ERR_WRONG_REALM | Incorrect domain or principal (Kerberos Realm) |
Windows-specific Responses #
Error | Error Name | Description |
---|---|---|
0x80000001 | KDC_ERR_MORE_DATA | More data is available |
0x80000002 | KDC_ERR_NOT_RUNNING | The Kerberos service is not running |
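As an added example (not code from the original page), a small Python decoder that turns a raw code from a network trace, a numeric GSS-API error or an event log entry into its name, description and the side that can emit it, using the code ranges described above (0x1–0x1E KDC-only, higher codes KDC or application, high bit set for the Windows-specific responses). The KRB_ERRORS table is a constructed subset of the list above, not the full list.

```python
"""Decode a raw Kerberos error code (as seen in a network trace, a numeric
GSS-API error or a KDC log) into its name, description and the origin the
ranges above imply.  Added example; KRB_ERRORS is a constructed subset of
the table above, not the full list."""
from dataclasses import dataclass
from typing import Union

# Subset of the error table above: code -> (name, description). Extend as needed.
KRB_ERRORS = {
    0x06: ("KDC_ERR_C_PRINCIPAL_UNKNOWN", "Client not found in Kerberos database"),
    0x0E: ("KDC_ERR_ETYPE_NOTSUPP", "KDC has no support for encryption type"),
    0x17: ("KDC_ERR_KEY_EXPIRED", "Password has expired"),
    0x18: ("KDC_ERR_PREAUTH_FAILED", "Kerberos Pre-Authentication information was invalid"),
    0x19: ("KDC_ERR_PREAUTH_REQUIRED", "Additional Kerberos Pre-Authentication required"),
    0x1F: ("KRB_AP_ERR_BAD_INTEGRITY", "Integrity check on decrypted field failed"),
    0x20: ("KRB_AP_ERR_TKT_EXPIRED", "The ticket has expired"),
    0x22: ("KRB_AP_ERR_REPEAT", "The request is a replay"),
    0x25: ("KRB_AP_ERR_SKEW", "The clock skew is too great"),
    0x44: ("KDC_ERR_WRONG_REALM", "Incorrect domain or principal (Kerberos Realm)"),
    0x80000001: ("KDC_ERR_MORE_DATA", "More data is available"),
    0x80000002: ("KDC_ERR_NOT_RUNNING", "The Kerberos service is not running"),
}

@dataclass
class KrbError:
    code: int
    name: str
    description: str
    origin: str  # which side can emit it, per the ranges described above

def decode_krb_error(raw: Union[int, str]) -> KrbError:
    """Accept the code as an int, a decimal string or a 0x-prefixed hex string."""
    code = raw if isinstance(raw, int) else int(raw.strip(), 0)
    if code < 0:
        raise ValueError(f"negative Kerberos error code: {raw!r}")
    name, desc = KRB_ERRORS.get(code, ("UNKNOWN", "Not in table; inspect e-data or vendor docs"))
    if code & 0x80000000:          # high bit set: Windows-specific local response
        origin = "Windows-specific (local response, not an RFC 1510 code)"
    elif code <= 0x1E:             # 0x1-0x1E: only the KDC sends these
        origin = "KDC only (reply to AS_REQ or TGS_REQ)"
    else:                          # 0x1F and up: KDC or an application
        origin = "KDC or application (AP_REQ, KRB_PRIV, KRB_SAFE or KRB_CRED)"
    return KrbError(code, name, desc, origin)

def summarize(raw: Union[int, str]) -> str:
    """One-line summary suitable for annotating a trace or log entry."""
    e = decode_krb_error(raw)
    return f"0x{e.code:X} {e.name}: {e.description} [{e.origin}]"
```

A code that decodes to KDC-only origin but was seen coming from an application server is worth a second look, since the page's ranges say the application side never emits it.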
More Information #
There might be more information for this subject on one of the following:
- [#1] - Kerberos and LDAP Error Messages
- based on 2013-11-12