Kerberos Error Codes
Error codes defined by the Kerberos V5 network authentication protocol, as specified in RFC 4120 (section 7.5.9). Each is carried as an integer in the error-code field of a KRB-ERROR message exchanged between clients, application servers, and the Key Distribution Centre; the symbolic names below are the RFC's. Codes prefixed KDC_ERR_ are returned by the KDC in the AS and TGS exchanges; KRB_AP_ERR_ codes are defined for the AP exchange, although the KDC also uses several of them (for example KRB_AP_ERR_SKEW) when checking pre-authentication data or a TGS-REQ authenticator; KRB_ERR_ codes are general. One entry below, KRB_AP_ERR_ILL_CR_TKT, is an implementation-defined code rather than one from the RFC table, and the RFC's KRB_AP_ERR_BADSEQ (incorrect sequence number in message) is not listed.
68 codes
references rfc-editor.org/rfc/rfc4120
- KDC_ERR_BAD_PVNO Requested protocol version number not supported The KDC does not support the protocol version number requested by the client. Kerberos V5 uses pvno 5.
- KDC_ERR_BADOPTION KDC cannot accommodate requested option The KDC cannot fulfil a flag requested in the KDC-REQ, such as FORWARDABLE or PROXIABLE, because the option is not permitted or not available for this principal.
- KDC_ERR_C_OLD_MAST_KVNO Client's key encrypted in old master key The client's key in the database is encrypted under an old master key version that the KDC no longer holds, preventing decryption of the client's credentials.
- KDC_ERR_C_PRINCIPAL_UNKNOWN Client not found in Kerberos database The client principal named in the request does not exist in the KDC's database. This may indicate a misspelling or an account that has not been created. Because the KDC returns this before any pre-authentication takes place, the reply to an AS-REQ distinguishes nonexistent principals from existing ones (which draw KDC_ERR_PREAUTH_REQUIRED instead), so an unauthenticated party can enumerate valid account names; a high rate of this error from a single source is worth alerting on.
- KDC_ERR_CANNOT_POSTDATE Ticket not eligible for postdating The requested ticket cannot be postdated. Either the client or server's database entry does not permit postdated tickets, or the TGT used is not flagged as postdateable.
- KDC_ERR_CANT_VERIFY_CERTIFICATE KDC cannot verify certificate The KDC is unable to verify the client's certificate, for example because the certificate chain leads to an untrusted or unavailable CA.
- KDC_ERR_CERTIFICATE_MISMATCH Certificates do not match The certificate supplied in PKINIT pre-authentication does not match the principal's record in the KDC database.
- KDC_ERR_CLIENT_NAME_MISMATCH PKINIT client name mismatch The client name in the PKINIT certificate does not match the client principal name in the AS-REQ. Both must identify the same entity.
- KDC_ERR_CLIENT_NOT_TRUSTED Client is not trusted The client is not trusted by the KDC, typically in the context of PKINIT where the client's certificate or certificate chain could not be validated.
- KDC_ERR_CLIENT_NOTYET Client not yet valid — try again later The client principal's account is not yet valid; it has a start time in the future. Authentication should be retried after that time has elapsed.
- KDC_ERR_CLIENT_REVOKED Client's credentials have been revoked The client principal's credentials have been administratively revoked and can no longer be used for authentication.
- KDC_ERR_ETYPE_NOSUPP KDC has no support for encryption type None of the encryption types listed in the client's request are supported by the KDC. The client and KDC must share at least one common encryption type.
- KDC_ERR_INVALID_CERTIFICATE Received an invalid certificate The certificate submitted in a PKINIT request is structurally invalid, has an invalid signature, or contains fields that are inconsistent with the Kerberos protocol.
- KDC_ERR_INVALID_SIG The signature is invalid A cryptographic signature in the request (for example, in PKINIT pre-authentication data) failed verification.
- KDC_ERR_KDC_NAME_MISMATCH PKINIT KDC name mismatch The KDC name in the PKINIT certificate does not match the KDC's actual principal name. The client cannot verify that the KDC is the intended recipient.
- KDC_ERR_KDC_NOT_TRUSTED KDC is not trusted The KDC is not trusted by the client, typically in the context of PKINIT where the KDC's certificate could not be validated against the client's trust anchors.
- KDC_ERR_KEY_EXPIRED Password has expired The client's password or long-term key has expired. The client must change its password before authentication will succeed.
- KDC_ERR_KEY_TOO_WEAK A higher encryption strength is required The encryption strength of the key or algorithm used in the request does not meet the KDC's minimum security requirements. A stronger key must be used.
- KDC_ERR_MUST_USE_USER2USER Server principal valid for user-to-user only The server principal is configured for user-to-user authentication only. The client must use the ENC-TKT-IN-SKEY option and supply the server's TGT.
- KDC_ERR_NAME_EXP Client's entry in database has expired The client principal's entry in the Kerberos database has expired. The principal must be renewed by an administrator before authentication can proceed.
- KDC_ERR_NEVER_VALID Requested start time is later than end time The requested ticket's start time is after its end time, or the requested start time plus the minimum ticket lifetime exceeds the requested end time, making the ticket window invalid.
- KDC_ERR_NONE No error No error occurred. This value is used when a KRB-ERROR message must be sent but no error condition applies.
- KDC_ERR_NULL_KEY The client or server has a null key The client or server principal has a null (zero-length) key in the database. The principal's key must be set before authentication is possible.
- KDC_ERR_PADATA_TYPE_NOSUPP KDC has no support for padata type The pre-authentication data type included in the request is not supported by the KDC. The client should retry using a padata type the KDC advertises.
- KDC_ERR_PATH_NOT_ACCEPTED KDC policy rejected transited path The KDC rejected the transited-realm path in the ticket because it does not conform to the local realm-transit policy.
- KDC_ERR_POLICY KDC policy rejects request The request violates a local KDC policy, such as restrictions on ticket lifetime, renewable tickets, forwarding, or permitted network addresses.
- KDC_ERR_PREAUTH_FAILED Pre-authentication information was invalid The pre-authentication data supplied by the client failed verification. This commonly indicates an incorrect password, or a clock skew that exceeds the permitted tolerance (implementations often report the latter as KRB_AP_ERR_SKEW instead). A burst of this error across many different client principals from one source is the signature of password spraying, and it is the error to monitor for that.
- KDC_ERR_PREAUTH_REQUIRED Additional pre-authentication required The KDC requires pre-authentication before issuing a ticket for this principal. The e-data field of the error carries a METHOD-DATA sequence listing the acceptable padata types (for example PA-ENC-TIMESTAMP, and PA-ETYPE-INFO2 supplying the encryption type and salt) so the client may retry. The flip side matters: a principal for which pre-authentication is not required receives an AS-REP encrypted under its long-term key without any proof of identity, which an unauthenticated party can attack offline, so pre-authentication should be required for every principal.
- KDC_ERR_PRINCIPAL_NOT_UNIQUE Multiple principal entries in database The principal name matches more than one entry in the KDC's database, making it impossible to select the correct record for authentication.
- KDC_ERR_REVOCATION_STATUS_UNAVAILABLE Certificate revocation status unavailable The revocation status information for the submitted certificate is unavailable at this time. The request cannot be processed until revocation status can be confirmed.
- KDC_ERR_REVOCATION_STATUS_UNKNOWN Certificate revocation status unknown The KDC cannot determine the revocation status of the certificate submitted in a PKINIT request, for example because the CRL or OCSP responder is unreachable.
- KDC_ERR_REVOKED_CERTIFICATE Received a revoked certificate The certificate submitted in a PKINIT request has been revoked by the issuing Certificate Authority and cannot be accepted.
- KDC_ERR_S_OLD_MAST_KVNO Server's key encrypted in old master key The server's key in the database is encrypted under an old master key version that the KDC no longer holds, preventing issuance of tickets for the service.
- KDC_ERR_S_PRINCIPAL_UNKNOWN Server not found in Kerberos database The server principal named in the request does not exist in the KDC's database. The service principal may not have been registered or may have been misspelled.
- KDC_ERR_SERVER_NOMATCH Requested server and ticket don't match The server principal specified in the TGS-REQ does not match the server named in the ticket presented. The client must obtain a ticket for the correct server.
- KDC_ERR_SERVICE_EXP Server's entry in database has expired The server principal's entry in the Kerberos database has expired. The service principal must be renewed before clients can obtain tickets for it.
- KDC_ERR_SERVICE_NOTYET Server not yet valid — try again later The server principal's account is not yet valid; it has a start time in the future. Clients cannot obtain tickets for this service until it becomes valid.
- KDC_ERR_SERVICE_REVOKED Credentials for server have been revoked The server principal's credentials have been administratively revoked. Clients cannot obtain new tickets for this service until the credentials are reinstated.
- KDC_ERR_SUMTYPE_NOSUPP KDC has no support for checksum type The checksum type requested by the client is not supported by the KDC. The client must use a checksum algorithm that the KDC recognises.
- KDC_ERR_SVC_UNAVAILABLE A service is not available A component required to fulfil the request, such as a back-end database or auxiliary service, is temporarily unavailable.
- KDC_ERR_TGT_REVOKED TGT has been revoked The ticket-granting ticket presented in a TGS-REQ has been revoked and is no longer valid. The client must obtain a new TGT via an AS-REQ.
- KDC_ERR_TRTYPE_NOSUPP KDC has no support for transited type The KDC does not support the transited-realm encoding type specified in the ticket, and cannot validate the trust path through the listed realms.
- KDC_ERR_WRONG_REALM Wrong realm The request was directed to the wrong realm. The client should resend the request to the KDC for the correct realm as indicated in the error.
- KRB_AP_ERR_BAD_INTEGRITY Integrity check on decrypted field failed The integrity check on a decrypted message field failed, indicating that the data was corrupted in transit or that an incorrect key was used for decryption. On an application server this most often means the keytab no longer holds the key the KDC used to encrypt the ticket, typically because the service account's password was changed without the keytab being refreshed.
- KRB_AP_ERR_BADADDR Incorrect net address The network address in the ticket does not match the address from which the request was received. The ticket may have been stolen or the client's address has changed.
- KRB_AP_ERR_BADDIRECTION Incorrect message direction The direction flag in the message indicates it was sent in the wrong direction for the current context, suggesting a protocol sequencing error or replay.
- KRB_AP_ERR_BADKEYVER Unsupported key version number The key version number (kvno) in the ticket does not match any key the server currently holds. The server may need its keytab refreshed.
- KRB_AP_ERR_BADMATCH Ticket and authenticator don't match The client principal in the authenticator does not match the client principal in the ticket. The two fields must be identical.
- KRB_AP_ERR_BADORDER Message out of order (possible tampering) A message was received out of the expected sequence order, which may indicate a replay or tampering attempt in a connection using sequence-number protection.
- KRB_AP_ERR_BADVERSION Protocol version mismatch The protocol version number in the message does not match the version the server expects. Both parties must use the same Kerberos protocol version.
- KRB_AP_ERR_ILL_CR_TKT Illegal cross-realm ticket The ticket presented was a cross-realm ticket that is not permitted in this context. The server does not accept tickets issued by the named foreign KDC. This code is implementation-defined (MIT Kerberos assigns it the value 43) and does not appear in the RFC 4120 table.
- KRB_AP_ERR_INAPP_CKSUM Inappropriate type of checksum in message The checksum type used in the authenticator or message is not appropriate for this context. Some operations require collision-proof checksums.
- KRB_AP_ERR_METHOD Alternative authentication method required The server requires an alternative authentication method to that supplied by the client. The error data field indicates the required method.
- KRB_AP_ERR_MODIFIED Message stream modified and checksum didn't match The checksum verification of a Kerberos message failed, indicating that the message was modified in transit. This may indicate a man-in-the-middle attack.
- KRB_AP_ERR_MSG_TYPE Message type is unsupported The message type field in the Kerberos message contains a value that is not recognised or not supported by the recipient.
- KRB_AP_ERR_MUT_FAIL Mutual authentication failed The client could not verify the server's identity during mutual authentication. The server's response did not contain the expected proof of possession of the session key.
- KRB_AP_ERR_NO_TGT No TGT available to validate USER-TO-USER The client attempted user-to-user authentication but does not have a TGT available to provide to the server as required by the ENC-TKT-IN-SKEY mechanism.
- KRB_AP_ERR_NOKEY Service key not available The server does not possess the key required to decrypt the ticket. The service principal may not have a keytab entry for the requested encryption type.
- KRB_AP_ERR_NOT_US The ticket is not for us The server principal named in the ticket does not match the server that received it. The ticket was intended for a different service.
- KRB_AP_ERR_REPEAT Request is a replay The authenticator presented has already been seen by the server within the replay cache window. This indicates a replay attack or a duplicate transmission.
- KRB_AP_ERR_SKEW Clock skew too great The difference between the authenticator's timestamp and the server's clock exceeds the maximum permitted skew (five minutes by default in common implementations). The clocks of client and server must be synchronised. The KDC applies the same check to the timestamp in pre-authentication data, so clock drift on a host usually shows up first as this error from the KDC.
- KRB_AP_ERR_TKT_EXPIRED Ticket expired The ticket presented by the client has passed its end time and is no longer valid. The client must obtain a new ticket.
- KRB_AP_ERR_TKT_NYV Ticket not yet valid The ticket's start time is in the future; it is not yet valid. This may occur with postdated tickets that have not yet been validated.
- KRB_AP_ERR_USER_TO_USER_REQUIRED User-to-user authentication required The server requires user-to-user authentication for this principal. The client must obtain the server's TGT and use it with the ENC-TKT-IN-SKEY option.
- KRB_AP_PATH_NOT_ACCEPTED Policy rejects transited path The application server's local policy rejected the transited-realm path recorded in the ticket. The trust path through the listed realms is not acceptable.
- KRB_ERR_FIELD_TOOLONG Field is too long for this implementation A field in the Kerberos message exceeds the maximum length supported by this implementation. The request cannot be processed as constructed.
- KRB_ERR_GENERIC Generic error (description in e-text) A generic error occurred. Additional information describing the error is provided in the e-text field of the KRB-ERROR message.
- KRB_ERR_RESPONSE_TOO_BIG Response too big for UDP; retry with TCP The KDC's response is too large to transmit over UDP. The client should retry the request using TCP, where each message is preceded by a four-octet length in network byte order (RFC 4120 section 7.2.2). Large responses usually come from authorization data carried in the ticket.
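The decoding a client or a packet dissector performs on one of these messages, as an added example that is not part of the original page or of any Kerberos implementation: a minimal DER parser for KRB-ERROR that maps the integer error-code to its symbolic name and, for KDC_ERR_PREAUTH_REQUIRED, reads the METHOD-DATA in e-data to list the padata types the KDC offers. The sample message is constructed inline by the small encoder in the block (an assumption, not captured traffic), with the padata-value fields left empty; the error-code and padata-type tables are subsets of the RFC 4120 lists.

```python
"""Decode a Kerberos V5 KRB-ERROR (RFC 4120 section 5.9.1) with a minimal DER
parser and map the integer error-code to its symbolic name. Added example, not
code from the page or from any Kerberos implementation; the sample message is
built inline by the encoder below so the block runs offline."""

# Subset of the RFC 4120 section 7.5.9 table, keyed by the integer error-code.
ERROR_NAMES = {
    0: "KDC_ERR_NONE", 6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 14: "KDC_ERR_ETYPE_NOSUPP",
    18: "KDC_ERR_CLIENT_REVOKED", 23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW", 52: "KRB_ERR_RESPONSE_TOO_BIG",
    60: "KRB_ERR_GENERIC", 68: "KDC_ERR_WRONG_REALM",
}
# Pre-authentication types (RFC 4120 section 7.5.2) commonly offered in e-data.
PADATA_NAMES = {2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 16: "PA-PK-AS-REQ",
                19: "PA-ETYPE-INFO2", 133: "PA-FX-COOKIE", 136: "PA-FX-FAST"}

# --- minimal DER encoder, only what the constructed sample needs ---
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def ctx(n, body):            # [n] EXPLICIT context-specific tag (constructed)
    return tlv(0xA0 | n, body)

def integer(v):              # DER INTEGER, minimal two's-complement encoding
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def gstr(s):                 # KerberosString is a GeneralString (tag 0x1B)
    return tlv(0x1B, s.encode("utf-8"))

def principal(name_type, *parts):   # PrincipalName ::= SEQUENCE { [0] type, [1] names }
    return tlv(0x30, ctx(0, integer(name_type)) + ctx(1, tlv(0x30, b"".join(map(gstr, parts)))))

def build_krb_error(code, realm, sname, stime="20240101120000Z", e_text=None, padata_types=()):
    """Encode a KRB-ERROR. padata_types, if given, become METHOD-DATA in e-data
    (padata-value left empty here; a real KDC fills ETYPE-INFO2 with etype and salt)."""
    body = (ctx(0, integer(5)) + ctx(1, integer(30)) + ctx(4, tlv(0x18, stime.encode()))
            + ctx(5, integer(0)) + ctx(6, integer(code)) + ctx(9, gstr(realm))
            + ctx(10, principal(2, *sname)))          # 2 = NT-SRV-INST
    if e_text is not None:
        body += ctx(11, gstr(e_text))
    if padata_types:
        pas = [tlv(0x30, ctx(1, integer(t)) + ctx(2, tlv(0x04, b""))) for t in padata_types]
        body += ctx(12, tlv(0x04, tlv(0x30, b"".join(pas))))
    return tlv(0x7E, tlv(0x30, body))                 # [APPLICATION 30] SEQUENCE

# --- minimal DER decoder ---
def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at pos; single-byte tags only."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if not 1 <= nbytes <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def der_items(buf):
    items, pos = [], 0
    while pos < len(buf):
        tag, val, pos = der_read(buf, pos)
        items.append((tag, val))
    return items

def ctx_fields(seq_body):
    """SEQUENCE body of [n] EXPLICIT fields -> {n: (inner_tag, inner_value)}."""
    fields = {}
    for tag, val in der_items(seq_body):
        if tag & 0xE0 != 0xA0:
            raise ValueError("expected context-specific tag, got 0x%02x" % tag)
        inner_tag, inner_val, _ = der_read(val)
        fields[tag & 0x1F] = (inner_tag, inner_val)
    return fields

def _int(field):
    return int.from_bytes(field[1], "big", signed=True)

def decode_method_data(e_data):      # METHOD-DATA ::= SEQUENCE OF PA-DATA
    tag, seq, _ = der_read(e_data)
    if tag != 0x30:
        raise ValueError("e-data is not METHOD-DATA")
    return [_int(ctx_fields(pa)[1]) for _, pa in der_items(seq)]

def decode_krb_error(msg):
    tag, body, end = der_read(msg)
    if tag != 0x7E or end != len(msg):
        raise ValueError("not a KRB-ERROR")
    seq_tag, seq, _ = der_read(body)
    if seq_tag != 0x30:
        raise ValueError("KRB-ERROR body is not a SEQUENCE")
    f = ctx_fields(seq)
    if _int(f[0]) != 5 or _int(f[1]) != 30:
        raise ValueError("bad pvno/msg-type")
    code = _int(f[6])
    out = {"error_code": code, "error_name": ERROR_NAMES.get(code, "UNKNOWN(%d)" % code),
           "stime": f[4][1].decode("ascii"), "realm": f[9][1].decode("utf-8"),
           "sname": "/".join(v.decode("utf-8") for _, v in der_items(ctx_fields(f[10][1])[1][1]))}
    if 11 in f:
        out["e_text"] = f[11][1].decode("utf-8")
    if 12 in f:
        out["e_data"] = f[12][1]
        if code == 25:   # KDC_ERR_PREAUTH_REQUIRED: e-data lists acceptable padata types
            out["padata"] = [PADATA_NAMES.get(t, "PA-%d" % t) for t in decode_method_data(f[12][1])]
    return out

# Constructed sample: a KDC requiring pre-authentication and offering
# ETYPE-INFO2 (etype and salt) plus encrypted-timestamp pre-auth.
SAMPLE = build_krb_error(25, "EXAMPLE.COM", ["krbtgt", "EXAMPLE.COM"], padata_types=[19, 2])

if __name__ == "__main__":
    print(decode_krb_error(SAMPLE))
```

To decode a real message, pass it the UDP payload, or the TCP payload after its four-octet length prefix. The decoder takes stime, realm, sname and e-data at face value because a KRB-ERROR is unauthenticated: a client must treat the e-data hints (offered encryption types, salt) as untrusted and act on them only by retrying, which is the weakness that pre-authentication framing such as FAST (RFC 6113) exists to close.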
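The acceptance checks behind KRB_AP_ERR_NOT_US, KRB_AP_ERR_BADMATCH, KRB_AP_ERR_BADADDR, KRB_AP_ERR_SKEW, KRB_AP_ERR_REPEAT, KRB_AP_ERR_TKT_NYV and KRB_AP_ERR_TKT_EXPIRED, as an added example (not code from the page or from any Kerberos implementation): the application-server side of the AP exchange from RFC 4120 section 3.2.3, run over constructed ticket and authenticator values. Tickets and authenticators are plain dicts standing in for the decrypted Ticket and Authenticator structures, addresses are strings, and the five-minute skew is a parameter; all of that is an assumption of this example.

```python
"""Acceptance checks an application server runs on a decrypted AP-REQ
(RFC 4120 section 3.2.3), returning the KRB_AP_ERR_* code it would send back
in a KRB-ERROR. Added example, not code from the page or from any Kerberos
implementation. Tickets and authenticators are plain dicts standing in for the
decrypted ASN.1 structures, and addresses are strings (assumptions of this
example)."""
from datetime import datetime, timedelta, timezone

KRB_AP_ERR_TKT_EXPIRED, KRB_AP_ERR_TKT_NYV, KRB_AP_ERR_REPEAT = 32, 33, 34
KRB_AP_ERR_NOT_US, KRB_AP_ERR_BADMATCH, KRB_AP_ERR_SKEW, KRB_AP_ERR_BADADDR = 35, 36, 37, 38
DEFAULT_SKEW = timedelta(minutes=5)   # the common default; a local policy setting

class ReplayCache:
    """Authenticators seen within the skew window, keyed by (cname, ctime, cusec).
    Older entries are purged: an authenticator that old fails the skew check
    before the cache is consulted, so purging opens no replay window."""
    def __init__(self, skew=DEFAULT_SKEW):
        self.skew, self.seen = skew, {}

    def is_replay(self, key, now):
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.skew}
        if key in self.seen:
            return True
        self.seen[key] = now
        return False

def accept_ap_req(ticket, auth, server, peer_addr, now, cache, skew=DEFAULT_SKEW):
    """0 if the ticket/authenticator pair is acceptable, else the error code.
    Order follows RFC 4120 section 3.2.3. The ticket is assumed to have been
    decrypted with the server's key already (a decryption failure would be
    KRB_AP_ERR_BAD_INTEGRITY, outside this function)."""
    if ticket["sname"] != server:
        return KRB_AP_ERR_NOT_US
    if (auth["cname"], auth["crealm"]) != (ticket["cname"], ticket["crealm"]):
        return KRB_AP_ERR_BADMATCH
    if ticket.get("caddr") and peer_addr not in ticket["caddr"]:
        return KRB_AP_ERR_BADADDR        # an empty caddr list means no address restriction
    if abs(now - auth["ctime"]) > skew:
        return KRB_AP_ERR_SKEW
    if cache.is_replay((auth["cname"], auth["ctime"], auth["cusec"]), now):
        return KRB_AP_ERR_REPEAT
    if ticket.get("invalid") or ticket["starttime"] - now > skew:
        return KRB_AP_ERR_TKT_NYV        # unvalidated postdated ticket, or starttime in the future
    if now - ticket["endtime"] > skew:
        return KRB_AP_ERR_TKT_EXPIRED
    return 0

# Constructed sample data: a valid ticket for host/srv.example.com and a fresh authenticator.
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SERVER, PEER = "host/srv.example.com", "192.0.2.10"
BASE_TICKET = {"sname": SERVER, "cname": "alice", "crealm": "EXAMPLE.COM",
               "caddr": [PEER], "starttime": NOW - timedelta(hours=1),
               "endtime": NOW + timedelta(hours=9)}
BASE_AUTH = {"cname": "alice", "crealm": "EXAMPLE.COM",
             "ctime": NOW - timedelta(seconds=30), "cusec": 123456}

def run_scenarios():
    """Each scenario changes one thing against one shared replay cache; returns {name: code}."""
    cache = ReplayCache()
    stale = {**BASE_AUTH, "ctime": NOW - timedelta(minutes=6)}
    later = NOW + timedelta(hours=10)
    late_auth = {**BASE_AUTH, "ctime": later}
    return {
        "fresh":     accept_ap_req(BASE_TICKET, BASE_AUTH, SERVER, PEER, NOW, cache),
        "replayed":  accept_ap_req(BASE_TICKET, BASE_AUTH, SERVER, PEER, NOW, cache),
        "skew":      accept_ap_req(BASE_TICKET, stale, SERVER, PEER, NOW, cache),
        "stolen":    accept_ap_req(BASE_TICKET, BASE_AUTH, SERVER, "198.51.100.7", NOW, cache),
        "postdated": accept_ap_req({**BASE_TICKET, "starttime": NOW + timedelta(hours=1)},
                                   {**BASE_AUTH, "cusec": 999}, SERVER, PEER, NOW, cache),
        "expired":   accept_ap_req(BASE_TICKET, late_auth, SERVER, PEER, later, cache),
        "wrong_svc": accept_ap_req(BASE_TICKET, BASE_AUTH, "host/other.example.com", PEER, NOW, cache),
    }

if __name__ == "__main__":
    for name, code in run_scenarios().items():
        print("%-10s -> %d" % (name, code))
```

The order of the checks is the point: the replay cache is consulted only after the skew check, so a cache that forgets entries older than the skew window cannot be bypassed by waiting, and a captured authenticator is rejected as a replay even while the ticket itself is still valid. Note also that the address check is of limited value on its own, since a ticket's caddr is optional and an attacker on the same host or behind the same NAT presents the same address.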