!!! Overview
[{$pagename}] is a [Result Code] from [Kerberos] indicating that a Kerberos request failed. [Kerberos] related [Result Code] messages can appear on the authentication server ([KDC]), on the application server, at the user interface, or in network traces of Kerberos packets. Often only a generic message is presented at the user interface; an application written with [GSS-API] may show a bare numeric error code instead of text. More specific messages can be found in the logs on the authentication server or application server. In a network trace, a KRB-ERROR message carries only the numeric error-code field, never the English text for that code, so the table below is needed to translate it. When troubleshooting [Kerberos] configuration problems, the messages that appear in logs on the authentication server and in network traces are usually more helpful than the message the user receives at the user interface.

The text portion of the error messages differs between Windows-based Active Directory servers and UNIX KDCs, but both use the same set of [error] codes, originally defined in [RFC 1510|http://www.ietf.org/rfc/rfc1510.txt] in the range 1–61 (hex 0x01 to 0x3D). [RFC 1510|http://www.ietf.org/rfc/rfc1510.txt] has since been obsoleted by [RFC 4120|http://www.ietf.org/rfc/rfc4120.txt], which keeps that numbering and adds further codes above 61; later extensions (for example PKINIT) add more, so the list is subject to change. The currently defined error codes are listed below, with values in [hexadecimal]. The error codes are broken down as:
* 0x1 through 0x1E come only from the [KDC] in response to an [AS_REQ] or [TGS_REQ].
* Other error codes may come from either the [KDC] or a program in response to an AP_REQ, KRB_PRIV, KRB_SAFE, or KRB_CRED.

!! [Microsoft Active Directory]
On an Active Directory server, [Kerberos] error messages are found in the [Windows Event Log] (System log). It is necessary to enable extended [Kerberos] [logging] before all message types will appear.
To enable extended Kerberos logging, add a DWORD registry value named LogLevel under the following key and set it to 1:
{{{
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
}}}
The server must be restarted after this change before the logging takes effect. With LogLevel set to 1 every Kerberos error the client sees is logged, including ones that are part of a normal exchange (for example KDC_ERR_PREAUTH_REQUIRED, which the KDC returns to any client whose first AS_REQ carries no pre-authentication data), so the events are raw material for troubleshooting rather than a list of faults; delete the value when finished.

!! UNIX [KDC]
On a UNIX KDC, the log or logs to which [{$pagename}] are written are defined in the logging section of the [krb5.conf] file (the kdc relation for the KDC daemon, admin_server for kadmind), and the daemons must be restarted for a change to take effect. These logging settings only apply to UNIX-based computers that are running KDCs, and thus, in the context of the Microsoft guide cited below, only to its End State 5 (Cross-Realm Authentication).

More information about Kerberos error messages can be found in Appendix D, "Kerberos and LDAP Troubleshooting Tips", of that guide and in "Troubleshooting Kerberos Errors", available at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx. Information about some Kerberos troubleshooting tools is also available from [Relevant Windows and UNIX Tools|http://technet.microsoft.com/en-us/library/bb463168.aspx|target='_blank'].

!! [{$pagename}]
The following [error codes|Result Code] are the protocol-level codes: they are what a KDC or application server puts in the error-code field of a KRB-ERROR on the network and what appears in its logs. The Windows-specific codes in the section further down, by contrast, are returned only to local callers and never on the network.
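As an added worked example (not code from this page, from MIT Kerberos or from Microsoft): the overview notes that a network trace shows only the numeric error code. The Python below walks the DER encoding of a KRB-ERROR message (RFC 4120 section 5.9.1) as carried in a port 88 payload, pulls out the error-code, realm, e-text and e-data fields, and maps the code to its name and origin using a subset of the table that follows. The message it decodes is constructed inside the block (the realm EXAMPLE.COM, the krbtgt server name and the timestamp are hypothetical values), not a captured packet; the small encoder at the bottom exists only to build that sample.

```python
"""Decode the error-code of a Kerberos KRB-ERROR (RFC 4120 section 5.9.1).

Added example, not code from this page, MIT Kerberos or Microsoft. Input is the
raw DER of a KRB-ERROR from a port-88 capture (TCP adds a 4-byte length prefix).
"""
from collections import namedtuple

# Subset of the table on this page, keyed by the decimal value of the code.
ERROR_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 12: "KDC_ERR_POLICY",
    14: "KDC_ERR_ETYPE_NOSUPP", 18: "KDC_ERR_CLIENT_REVOKED", 23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED", 31: "KRB_AP_ERR_BAD_INTEGRITY",
    32: "KRB_AP_ERR_TKT_EXPIRED", 34: "KRB_AP_ERR_REPEAT", 37: "KRB_AP_ERR_SKEW",
    41: "KRB_AP_ERR_MODIFIED", 52: "KRB_ERR_RESPONSE_TOO_BIG", 60: "KRB_ERR_GENERIC",
    68: "KDC_ERR_WRONG_REALM",
}
UNIVERSAL, APPLICATION, CONTEXT = 0, 1, 2
KrbError = namedtuple("KrbError", "code name origin realm e_text e_data")


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos] -> (class, constructed, tag, value, end)."""
    first = buf[pos]
    tag_class, constructed, tag = first >> 6, bool(first & 0x20), first & 0x1F
    if tag == 0x1F:
        raise ValueError("high tag numbers do not occur in Kerberos messages")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: 0x8N then N length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag_class, constructed, tag, buf[pos:pos + length], pos + length


def _der_int(value):
    return int.from_bytes(value, "big", signed=True)


def error_name(code):
    return ERROR_NAMES.get(code, "UNKNOWN(0x%X)" % code)


def error_origin(code):
    """Who can send the code, per the split in the overview (0x1-0x1E: KDC only)."""
    return "KDC (AS-REQ/TGS-REQ)" if 1 <= code <= 0x1E else "KDC or application server"


def parse_krb_error(msg, tcp=False):
    """Return a KrbError for the DER message; tcp=True strips the TCP length prefix."""
    if tcp:
        msg = msg[4:4 + int.from_bytes(msg[:4], "big")]
    tag_class, constructed, tag, body, _ = _read_tlv(msg, 0)
    if (tag_class, constructed, tag) != (APPLICATION, True, 30):
        raise ValueError("not a KRB-ERROR ([APPLICATION 30]); got tag %d" % tag)
    tag_class, constructed, tag, seq, _ = _read_tlv(body, 0)
    if (tag_class, constructed, tag) != (UNIVERSAL, True, 16):
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    fields, pos = {}, 0
    while pos < len(seq):                          # [n] EXPLICIT members, each wrapping one TLV
        tag_class, _, tag, value, pos = _read_tlv(seq, pos)
        if tag_class != CONTEXT:
            raise ValueError("unexpected tag class inside KRB-ERROR")
        fields[tag] = _read_tlv(value, 0)[3]
    if _der_int(fields[0]) != 5 or _der_int(fields[1]) != 30:
        raise ValueError("pvno/msg-type mismatch")
    code = _der_int(fields[6])                     # error-code [6] is mandatory
    return KrbError(code, error_name(code), error_origin(code),
                    fields[9].decode("ascii", "replace"),                          # realm [9]
                    fields[11].decode("ascii", "replace") if 11 in fields else None,  # e-text
                    fields.get(12))                                                # e-data, raw


# --- minimal DER encoder, present only to construct the sample message ---
def _tlv(tag, value):
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _ctx(n, inner): return _tlv(0xA0 | n, inner)      # [n] EXPLICIT, constructed
def _int(v): return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))
def _gs(s): return _tlv(0x1B, s.encode("ascii"))      # KerberosString = GeneralString


def build_sample_krb_error(code, e_text=None):
    """Constructed reply from the hypothetical realm EXAMPLE.COM; not a captured packet."""
    sname = _tlv(0x30, _ctx(0, _int(2)) +                                     # NT-SRV-INST
                 _ctx(1, _tlv(0x30, _gs("krbtgt") + _gs("EXAMPLE.COM"))))
    fields = (_ctx(0, _int(5)) + _ctx(1, _int(30)) +                           # pvno, msg-type
              _ctx(4, _tlv(0x18, b"20131112101501Z")) + _ctx(5, _int(0)) +     # stime, susec
              _ctx(6, _int(code)) + _ctx(9, _gs("EXAMPLE.COM")) + _ctx(10, sname))
    if e_text is not None:
        fields += _ctx(11, _gs(e_text))
    return _tlv(0x7E, _tlv(0x30, fields))              # 0x7E = [APPLICATION 30], constructed
```

The e-data field is returned raw because its content depends on the code: for KDC_ERR_PREAUTH_REQUIRED it is a METHOD-DATA listing the pre-authentication types the KDC will accept, which is the next thing to inspect when a client and KDC disagree about pre-authentication. A KRB-ERROR from a live KDC may also carry ctime, cusec, crealm and cname; the decoder keeps them in `fields` and simply does not report them.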
Values follow [RFC 4120|http://www.ietf.org/rfc/rfc4120.txt]. The Microsoft document cited below lists KDC_ERR_SVC_UNAVAILABLE as 0x1B and KRB_AP_ERR_USER_TO_USER_REQUIRED as 0x42; the RFC assigns them 0x1D and 0x45, and that is what appears on the wire.
%%zebra-table
%%sortable
%%table-filter
||Error||Error Name||Description
|0x0|KDC_ERR_NONE|[No error|Success]
|0x1|KDC_ERR_NAME_EXP|Client's entry in [KDC] database has expired ([ERROR_ACCOUNT_EXPIRED])
|0x2|KDC_ERR_SERVICE_EXP|Server's entry in [KDC] database has expired ([ERROR_ACCOUNT_EXPIRED])
|0x3|KDC_ERR_BAD_PVNO|Requested [Kerberos] [version] number not supported
|0x4|KDC_ERR_C_OLD_MAST_KVNO|Client's key encrypted in old master key
|0x5|KDC_ERR_S_OLD_MAST_KVNO|Server's key encrypted in old master key
|0x6|KDC_ERR_C_PRINCIPAL_UNKNOWN|Client not found in Kerberos database
|0x7|KDC_ERR_S_PRINCIPAL_UNKNOWN|Server not found in Kerberos database
|0x8|KDC_ERR_PRINCIPAL_NOT_UNIQUE|Multiple principal entries in [KDC] database
|0x9|KDC_ERR_NULL_KEY|The client or server has a null key (master [key])
|0xA|KDC_ERR_CANNOT_POSTDATE|Ticket ([TGT]) not eligible for postdating
|0xB|KDC_ERR_NEVER_VALID|Requested start time is later than end time
|0xC|KDC_ERR_POLICY|KDC policy rejects the request
|0xD|KDC_ERR_BADOPTION|KDC cannot accommodate requested option
|0xE|KDC_ERR_ETYPE_NOSUPP|KDC has no support for the requested [encryption] type
|0xF|KDC_ERR_SUMTYPE_NOSUPP|KDC has no support for the requested [checksum] type
|0x10|KDC_ERR_PADATA_TYPE_NOSUPP|KDC has no support for PADATA type ([Kerberos Pre-Authentication] data)
|0x11|KDC_ERR_TRTYPE_NOSUPP|KDC has no support for transited type
|0x12|KDC_ERR_CLIENT_REVOKED|Client's credentials have been revoked
|0x13|KDC_ERR_SERVICE_REVOKED|Credentials for server have been revoked
|0x14|KDC_ERR_TGT_REVOKED|TGT has been revoked
|0x15|KDC_ERR_CLIENT_NOTYET|Client not yet valid; try again later
|0x16|KDC_ERR_SERVICE_NOTYET|Server not yet valid; try again later
|0x17|KDC_ERR_KEY_EXPIRED|Password has expired; change password to reset ([Password Expired])
|0x18|KDC_ERR_PREAUTH_FAILED|[Kerberos Pre-Authentication] information was invalid
|0x19|KDC_ERR_PREAUTH_REQUIRED|Additional [Kerberos Pre-Authentication] required
|0x1A|KDC_ERR_SERVER_NOMATCH|Requested server and ticket don't match
|0x1B|KDC_ERR_MUST_USE_USER2USER|Server principal valid for user-to-user only
|0x1C|KDC_ERR_PATH_NOT_ACCEPTED|KDC policy rejects transited path
|0x1D|KDC_ERR_SVC_UNAVAILABLE|A service is not available ([KDC] is unavailable)
|0x1F|KRB_AP_ERR_BAD_INTEGRITY|[Integrity] check on decrypted field failed
|0x20|KRB_AP_ERR_TKT_EXPIRED|The ticket has expired
|0x21|KRB_AP_ERR_TKT_NYV|The ticket is not yet valid
|0x22|KRB_AP_ERR_REPEAT|The request is a replay
|0x23|KRB_AP_ERR_NOT_US|The ticket is not for us
|0x24|KRB_AP_ERR_BADMATCH|The ticket and authenticator do not match
|0x25|KRB_AP_ERR_SKEW|The [clock skew] is too great
|0x26|KRB_AP_ERR_BADADDR|[Network address] in network layer header doesn't match address inside ticket
|0x27|KRB_AP_ERR_BADVERSION|Protocol version numbers don't match (PVNO)
|0x28|KRB_AP_ERR_MSG_TYPE|Message type is unsupported
|0x29|KRB_AP_ERR_MODIFIED|Message stream modified and checksum didn't match
|0x2A|KRB_AP_ERR_BADORDER|Message out of order (possible tampering)
|0x2C|KRB_AP_ERR_BADKEYVER|Specified version of key is not available
|0x2D|KRB_AP_ERR_NOKEY|Service key not available
|0x2E|KRB_AP_ERR_MUT_FAIL|[Mutual Authentication] failed
|0x2F|KRB_AP_ERR_BADDIRECTION|Incorrect message direction
|0x30|KRB_AP_ERR_METHOD|Alternative authentication method required (usually same as [LDAP_STRONG_AUTH_REQUIRED])
|0x31|KRB_AP_ERR_BADSEQ|Incorrect sequence number in message
|0x32|KRB_AP_ERR_INAPP_CKSUM|Inappropriate type of [checksum] in message (checksum may be unsupported)
|0x33|KRB_AP_PATH_NOT_ACCEPTED|Desired path is unreachable
|0x34|KRB_ERR_RESPONSE_TOO_BIG|Response too big for UDP; the client should retry over TCP
|0x3C|KRB_ERR_GENERIC|Generic error; the description is in the e-text field
|0x3D|KRB_ERR_FIELD_TOOLONG|Field is too long for this implementation
|0x3E|KDC_ERR_CLIENT_NOT_TRUSTED|The client trust failed or is not implemented
|0x3F|KDC_ERR_KDC_NOT_TRUSTED|The [KDC] server [trust] failed or could not be verified
|0x40|KDC_ERR_INVALID_SIG|The [signature|Digital Signature] is invalid
|0x41|KDC_ERR_KEY_TOO_WEAK|A higher [encryption] level is needed (usually same as [LDAP_STRONG_AUTH_REQUIRED])
|0x42|KDC_ERR_CERTIFICATE_MISMATCH|Client certificate does not match the request (PKINIT)
|0x43|KRB_AP_ERR_NO_TGT|No [TGT] available to validate a user-to-user request
|0x44|KDC_ERR_WRONG_REALM|Incorrect [domain] or [principal] ([Kerberos Realm])
|0x45|KRB_AP_ERR_USER_TO_USER_REQUIRED|User-to-user authentication is required (ticket must be for user-to-user)
/%
/%
/%

!! Windows-specific Responses
These codes are returned only in response to local requests; they are never returned in response to network requests.
%%zebra-table
%%sortable
%%table-filter
||Error||Error Name||Description
|0x80000001|KDC_ERR_MORE_DATA|More data is available
|0x80000002|KDC_ERR_NOT_RUNNING|The Kerberos service is not running
/%
/%
/%

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Kerberos and LDAP Error Messages|http://technet.microsoft.com/en-us/library/bb463166.aspx|target='_blank'] - based on 2013-11-12