Kerberos Error Codes

Error codes defined by the Kerberos V5 network authentication protocol, as specified in RFC 4120. These codes appear in KRB-ERROR messages exchanged between clients, application servers, and the Key Distribution Centre.

68 codes

• KDC_ERR_BAD_PVNO Requested protocol version number not supported
• KDC_ERR_BADOPTION KDC cannot accommodate requested option
• KDC_ERR_C_OLD_MAST_KVNO Client's key encrypted in old master key
• KDC_ERR_C_PRINCIPAL_UNKNOWN Client not found in Kerberos database
• KDC_ERR_CANNOT_POSTDATE Ticket not eligible for postdating
• KDC_ERR_CANT_VERIFY_CERTIFICATE KDC cannot verify certificate
• KDC_ERR_CERTIFICATE_MISMATCH Certificates do not match
• KDC_ERR_CLIENT_NAME_MISMATCH PKINIT client name mismatch
• KDC_ERR_CLIENT_NOT_TRUSTED Client is not trusted
• KDC_ERR_CLIENT_NOTYET Client not yet valid — try again later
• KDC_ERR_CLIENT_REVOKED Client's credentials have been revoked
• KDC_ERR_ETYPE_NOSUPP KDC has no support for encryption type
• KDC_ERR_INVALID_CERTIFICATE Received an invalid certificate
• KDC_ERR_INVALID_SIG The signature is invalid
• KDC_ERR_KDC_NAME_MISMATCH PKINIT KDC name mismatch
• KDC_ERR_KDC_NOT_TRUSTED KDC is not trusted
• KDC_ERR_KEY_EXPIRED Password has expired
• KDC_ERR_KEY_TOO_WEAK A higher encryption strength is required
• KDC_ERR_MUST_USE_USER2USER Server principal valid for user-to-user only
• KDC_ERR_NAME_EXP Client's entry in database has expired
• KDC_ERR_NEVER_VALID Requested start time is later than end time
• KDC_ERR_NONE No error
• KDC_ERR_NULL_KEY The client or server has a null key
• KDC_ERR_PADATA_TYPE_NOSUPP KDC has no support for padata type
• KDC_ERR_PATH_NOT_ACCEPTED KDC policy rejected transited path
• KDC_ERR_POLICY KDC policy rejects request
• KDC_ERR_PREAUTH_FAILED Pre-authentication information was invalid
• KDC_ERR_PREAUTH_REQUIRED Additional pre-authentication required
• KDC_ERR_PRINCIPAL_NOT_UNIQUE Multiple principal entries in database
• KDC_ERR_REVOCATION_STATUS_UNAVAILABLE Certificate revocation status unavailable
• KDC_ERR_REVOCATION_STATUS_UNKNOWN Certificate revocation status unknown
• KDC_ERR_REVOKED_CERTIFICATE Received a revoked certificate
• KDC_ERR_S_OLD_MAST_KVNO Server's key encrypted in old master key
• KDC_ERR_S_PRINCIPAL_UNKNOWN Server not found in Kerberos database
• KDC_ERR_SERVER_NOMATCH Requested server and ticket don't match
• KDC_ERR_SERVICE_EXP Server's entry in database has expired
• KDC_ERR_SERVICE_NOTYET Server not yet valid — try again later
• KDC_ERR_SERVICE_REVOKED Credentials for server have been revoked
• KDC_ERR_SUMTYPE_NOSUPP KDC has no support for checksum type
• KDC_ERR_SVC_UNAVAILABLE A service is not available
• KDC_ERR_TGT_REVOKED TGT has been revoked
• KDC_ERR_TRTYPE_NOSUPP KDC has no support for transited type
• KDC_ERR_WRONG_REALM Wrong realm
• KRB_AP_ERR_BAD_INTEGRITY Integrity check on decrypted field failed
• KRB_AP_ERR_BADADDR Incorrect net address
• KRB_AP_ERR_BADDIRECTION Incorrect message direction
• KRB_AP_ERR_BADKEYVER Unsupported key version number
• KRB_AP_ERR_BADMATCH Ticket and authenticator don't match
• KRB_AP_ERR_BADORDER Message out of order (possible tampering)
• KRB_AP_ERR_BADVERSION Protocol version mismatch
• KRB_AP_ERR_ILL_CR_TKT Illegal cross-realm ticket
• KRB_AP_ERR_INAPP_CKSUM Inappropriate type of checksum in message
• KRB_AP_ERR_METHOD Alternative authentication method required
• KRB_AP_ERR_MODIFIED Message stream modified and checksum didn't match
• KRB_AP_ERR_MSG_TYPE Message type is unsupported
• KRB_AP_ERR_MUT_FAIL Mutual authentication failed
• KRB_AP_ERR_NO_TGT No TGT available to validate USER-TO-USER
• KRB_AP_ERR_NOKEY Service key not available
• KRB_AP_ERR_NOT_US The ticket is not for us
• KRB_AP_ERR_REPEAT Request is a replay
• KRB_AP_ERR_SKEW Clock skew too great
• KRB_AP_ERR_TKT_EXPIRED Ticket expired
• KRB_AP_ERR_TKT_NYV Ticket not yet valid
• KRB_AP_ERR_USER_TO_USER_REQUIRED User-to-user authentication required
• KRB_AP_PATH_NOT_ACCEPTED Policy rejects transited path
• KRB_ERR_FIELD_TOOLONG Field is too long for this implementation
• KRB_ERR_GENERIC Generic error (description in e-text)
• KRB_ERR_RESPONSE_TOO_BIG Response too big for UDP; retry with TCP