Windows event log entries often contain Kerberos failure codes (for an example, please see security event 676). These failure codes are the original error codes from the Kerberos RFC 1510 (see page 83 for the complete list).
For your convenience, we have extracted the error codes below and added some of our own comments. Please note that event log entries use the hexadecimal code (the number starts with 0x). Be sure not to look up the decimal code by mistake.
Error codes
Kerberos Error Label | Hex | Dec | Meaning or MIT code | Explanation |
KDC_ERR_NONE | 0x0 | 0 | No error | |
KDC_ERR_NAME_EXP | 0x1 | 1 | Client’s entry in database has expired | |
KDC_ERR_SERVICE_EXP | 0x2 | 2 | Server’s entry in database has expired | |
KDC_ERR_BAD_PVNO | 0x3 | 3 | Requested protocol version number not supported | |
KDC_ERR_C_OLD_MAST_KVNO | 0x4 | 4 | Client’s key encrypted in old master key | |
KDC_ERR_S_OLD_MAST_KVNO | 0x5 | 5 | Server’s key encrypted in old master key | |
KDC_ERR_C_PRINCIPAL_UNKNOWN | 0x6 | 6 | Client not found in Kerberos database | |
KDC_ERR_S_PRINCIPAL_UNKNOWN | 0x7 | 7 | Server not found in Kerberos database | Could be the same cause as error 6 above. |
KDC_ERR_PRINCIPAL_NOT_UNIQUE | 0x8 | 8 | Multiple principal entries in database | |
KDC_ERR_NULL_KEY | 0x9 | 9 | The client or server has a null key | |
KDC_ERR_CANNOT_POSTDATE | 0xa | 10 | Ticket not eligible for postdating | |
KDC_ERR_NEVER_VALID | 0xb | 11 | Requested start time is later than end time | |
KDC_ERR_POLICY | 0xc | 12 | KDC policy rejects request | |
KDC_ERR_BADOPTION | 0xd | 13 | KDC cannot accommodate requested option | |
KDC_ERR_ETYPE_NOSUPP | 0xe | 14 | KDC has no support for encryption type | |
KDC_ERR_SUMTYPE_NOSUPP | 0xf | 15 | KDC has no support for checksum type | |
KDC_ERR_PADATA_TYPE_NOSUPP | 0x10 | 16 | KDC has no support for padata type | |
KDC_ERR_TRTYPE_NOSUPP | 0x11 | 17 | KDC has no support for transited type | |
KDC_ERR_CLIENT_REVOKED | 0x12 | 18 | Client’s credentials have been revoked | This is due to a workstation restriction on the account, or a logon time restriction, or a logon attempt outside logon hours, or the account being disabled, expired, or locked out. |
KDC_ERR_SERVICE_REVOKED | 0x13 | 19 | Credentials for server have been revoked | |
KDC_ERR_TGT_REVOKED | 0x14 | 20 | TGT has been revoked | |
KDC_ERR_CLIENT_NOTYET | 0x15 | 21 | Client not yet valid – try again later | |
KDC_ERR_SERVICE_NOTYET | 0x16 | 22 | Server not yet valid – try again later | |
KDC_ERR_KEY_EXPIRED | 0x17 | 23 | Password has expired – change password to reset | |
KDC_ERR_PREAUTH_FAILED | 0x18 | 24 | Pre-authentication information was invalid | Be sure to check time synchronization within your tree. |
KDC_ERR_PREAUTH_REQUIRED | 0x19 | 25 | Additional pre-authentication required | |
KRB_AP_ERR_BAD_INTEGRITY | 0x1f | 31 | Integrity check on decrypted field failed | |
KRB_AP_ERR_TKT_EXPIRED | 0x20 | 32 | Ticket expired | |
KRB_AP_ERR_TKT_NYV | 0x21 | 33 | Ticket not yet valid | |
KRB_AP_ERR_REPEAT | 0x22 | 34 | Request is a replay | |
KRB_AP_ERR_NOT_US | 0x23 | 35 | The ticket isn’t for us | |
KRB_AP_ERR_BADMATCH | 0x24 | 36 | Ticket and authenticator don’t match | |
KRB_AP_ERR_SKEW | 0x25 | 37 | Clock skew too great | |
KRB_AP_ERR_BADADDR | 0x26 | 38 | Incorrect net address | |
KRB_AP_ERR_BADVERSION | 0x27 | 39 | Protocol version mismatch | |
KRB_AP_ERR_MSG_TYPE | 0x28 | 40 | Invalid msg type | |
KRB_AP_ERR_MODIFIED | 0x29 | 41 | Message stream modified | |
KRB_AP_ERR_BADORDER | 0x2a | 42 | Message out of order | |
KRB_AP_ERR_BADKEYVER | 0x2c | 44 | Specified version of key is not available | |
KRB_AP_ERR_NOKEY | 0x2d | 45 | Service key not available | |
KRB_AP_ERR_MUT_FAIL | 0x2e | 46 | Mutual authentication failed | |
KRB_AP_ERR_BADDIRECTION | 0x2f | 47 | Incorrect message direction | |
KRB_AP_ERR_METHOD | 0x30 | 48 | Alternative authentication method required* | |
KRB_AP_ERR_BADSEQ | 0x31 | 49 | Incorrect sequence number in message | |
KRB_AP_ERR_INAPP_CKSUM | 0x32 | 50 | Inappropriate type of checksum in message | |
KRB_ERR_GENERIC | 0x3C | 60 | Generic error (description in e-text) | |
KRB_ERR_FIELD_TOOLONG | 0x3D | 61 | Field is too long for this implementation | |
What are the various Kerberos error codes?