Kerberos (RFC1510) Failure Codes
April 18th, 2011
These failure codes are the original error codes from the Kerberos RFC 1510
Error codes |
||||
| Kerberos Error Label |
Hex | Dec | Meaning or MIT code | Description |
| KDC_ERR_NONE | 0x0 | 0 | No error | |
| KDC_ERR_NAME_EXP | 0x1 | 1 | Client’s entry in database has expired | |
| KDC_ERR_SERVICE_EXP | 0x2 | 2 | Server’s entry in database has expired | |
| KDC_ERR_BAD_PVNO | 0x3 | 3 | Requested protocol version number not supported | |
| KDC_ERR_C_ OLD_MAST_KVNO |
0x4 | 4 | Client’s key encrypted in oldmaster key | |
| KDC_ERR_S_ OLD_MAST_KVNO |
0x5 | 5 | Server’s key encrypted in old master key | |
| KDC_ERR_C_ PRINCIPAL_UNKNOWN |
0x6 | 6 | Client not found in Kerberos database |
|
| KDC_ERR_S_ PRINCIPAL_UNKNOWN |
0x7 | 7 | Server not found in Kerberos database | Could be the same cause as error 6 above. |
| KDC_ERR_ PRINCIPAL_NOT_UNIQUE |
0x8 | 8 | Multiple principal entries in database | |
| KDC_ERR_NULL_KEY | 0x9 | 9 | The client or server has a null key | |
| KDC_ERR_CANNOT_ POSTDATE |
0xa | 10 | Ticket not eligible for postdating | |
| KDC_ERR_NEVER_VALID | 0xb | 11 | Requested start time is later than end time | |
| KDC_ERR_POLICY | 0xc | 12 | KDC policy rejects request | |
| KDC_ERR_BADOPTION | 0xd | 13 | KDC cannot accommodate requested option | |
| KDC_ERR_ ETYPE_NOSUPP |
0xe | 14 | KDC has no support for encryption type | |
| KDC_ERR_SUMTYPE_NOSUPP | 0xf | 15 | KDC has no support for checksum type | |
| KDC_ERR_ PADATA_TYPE_NOSUPP |
0x10 | 16 | KDC has no support for padata type | |
| KDC_ERR_TRTYPE_NOSUPP | 0x11 | 17 | KDC has no support for transited type | |
| KDC_ERR_ CLIENT_REVOKED |
0x12 | 18 | Clients credentials have been revoked | This is due to a workstation restriction on the account, or a logon time restriction, or logon attempt outside logon hours, or accout disabled, expired, or locked out. |
| KDC_ERR_ SERVICE_REVOKED |
0x13 | 19 | Credentials for server have been revoked | |
| KDC_ERR_TGT_REVOKED | 0x14 | 20 | TGT has been revoked | |
| KDC_ERR_CLIENT_NOTYET | 0x15 | 21 | Client not yet valid – try again later | |
| KDC_ERR_ SERVICE_NOTYET |
0x16 | 22 | Server not yet valid – try again later | |
| KDC_ERR_KEY_ EXPIRED |
0x17 | 23 | Password has expired – change password to reset | |
| KDC_ERR_ PREAUTH_FAILED |
0x18 | 24 | Pre-authentication information was invalid | Be sure to check time synchronization within your tree. |
| KDC_ERR_ PREAUTH_REQUIRED |
0x19 | 25 | Additional pre-authentication required | |
| KRB_AP_ERR_ BAD_INTEGRITY |
0x1f | 31 | Integrity check on decrypted field failed | |
| KRB_AP_ERR_TKT_ EXPIRED |
0x20 | 32 | Ticket expired | |
| KRB_AP_ERR_TKT_NYV | 0x21 | 33 | Ticket not yet valid | |
| KRB_AP_ERR_REPEAT | 0x22 | 34 | Request is a replay | |
| KRB_AP_ERR_NOT_US | 0x23 | 35 | The ticket isn’t for us | |
| KRB_AP_ERR_BADMATCH | 0x24 | 36 | Ticket and authenticator don’t match | |
| KRB_AP_ERR_SKEW | 0x25 | 37 | Clock skew too great | |
| KRB_AP_ERR_BADADDR | 0x26 | 38 | Incorrect net address | |
| KRB_AP_ERR_ BADVERSION |
0x27 | 39 | Protocol version mismatch | |
| KRB_AP_ERR_MSG_TYPE | 0x28 | 40 | Invalid msg type | |
| KRB_AP_ERR_MODIFIED | 0x29 | 41 | Message stream modified | |
| KRB_AP_ERR_ BADORDER |
0x2a | 42 | Message out of order | |
| KRB_AP_ERR_ BADKEYVER |
0x2c | 44 | Specified version of key is not available | |
| KRB_AP_ERR_NOKEY | 0x2d | 45 | Service key not available | |
| KRB_AP_ERR_MUT_FAIL | 0x2e | 46 | Mutual authentication failed | |
| KRB_AP_ERR_ BADDIRECTION |
0x2f | 47 | Incorrect message direction | |
| KRB_AP_ERR_METHOD | 0x60 | 48 | Alternative authentication method required* | |
| KRB_AP_ERR_BADSEQ | 0x31 | 49 | Incorrect sequence number in message | |
| KRB_AP_ERR_ INAPP_CKSUM |
0x32 | 50 | Inappropriate type of checksum in message | |
| KRB_ERR_GENERIC | 0x3C | 60 | Generic error (description in e-text | |
| KRB_ERR_FIELD _TOOLONG |
0x3D | 61 | Field is too long for this implementation | |
