{"id":1255,"date":"2011-04-18T14:49:40","date_gmt":"2011-04-18T13:49:40","guid":{"rendered":"http:\/\/mccltd.net\/blog\/?p=1255"},"modified":"2011-04-18T14:49:40","modified_gmt":"2011-04-18T13:49:40","slug":"kerberos-rfc1510-failure-codes","status":"publish","type":"post","link":"http:\/\/darenmatthews.com\/blog\/?p=1255","title":{"rendered":"Kerberos (RFC1510) Failure Codes"},"content":{"rendered":"<p>These failure codes  are the original error codes from the Kerberos <a href=\"http:\/\/www.rfc-editor.org\/rfc\/rfc1510.txt\">RFC 1510<\/a> <!--more--><\/p>\n<table border=\"1\" width=\"100%\">\n<tbody>\n<tr>\n<td colspan=\"5\">\n<h3>Error codes<\/h3>\n<\/td>\n<\/tr>\n<tr>\n<td><strong>Kerberos<br \/>\nError Label<\/strong><\/td>\n<td><strong>Hex<\/strong><\/td>\n<td><strong>Dec<\/strong><\/td>\n<td><strong>Meaning or MIT code<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_NONE<\/td>\n<td>0x0<\/td>\n<td>0<\/td>\n<td>No error<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_NAME_EXP<\/td>\n<td>0x1<\/td>\n<td>1<\/td>\n<td>Client&#8217;s entry in database has expired<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_SERVICE_EXP<\/td>\n<td>0x2<\/td>\n<td>2<\/td>\n<td>Server&#8217;s entry in database has expired<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_BAD_PVNO<\/td>\n<td>0x3<\/td>\n<td>3<\/td>\n<td>Requested protocol version number not supported<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_C_<br \/>\nOLD_MAST_KVNO<\/td>\n<td>0x4<\/td>\n<td>4<\/td>\n<td>Client&#8217;s key encrypted in oldmaster key<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_S_<br \/>\nOLD_MAST_KVNO<\/td>\n<td>0x5<\/td>\n<td>5<\/td>\n<td>Server&#8217;s key encrypted in old master key<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">KDC_ERR_C_<br \/>\nPRINCIPAL_UNKNOWN<\/td>\n<td valign=\"top\">0x6<\/td>\n<td valign=\"top\">6<\/td>\n<td valign=\"top\">Client not found in Kerberos database<\/td>\n<td>\n<ul>\n<li>We have seen this code when Active Directory replication does not work correctly. In this  case, it is possible that e.g. a computer account joins the domain using one DC. Then, this information  is not replicated within AD. If the computer then tries to authenticate to another DC, it is not found  there, resulting in this error code.<\/li>\n<li>Also, make sure time synchronization between DCs is working well.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_S_<br \/>\nPRINCIPAL_UNKNOWN<\/td>\n<td>0x7<\/td>\n<td>7<\/td>\n<td>Server not found in Kerberos database<\/td>\n<td>Could be the same cause as error 6 above.<\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_<br \/>\nPRINCIPAL_NOT_UNIQUE<\/td>\n<td>0x8<\/td>\n<td>8<\/td>\n<td>Multiple principal entries in database<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_NULL_KEY<\/td>\n<td>0x9<\/td>\n<td>9<\/td>\n<td>The client or server has a null key<\/td>\n<td style=\"width: 203pt;\"><\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_CANNOT_<br \/>\nPOSTDATE<\/td>\n<td>0xa<\/td>\n<td>10<\/td>\n<td>Ticket not eligible for postdating<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_NEVER_VALID<\/td>\n<td>0xb<\/td>\n<td>11<\/td>\n<td>Requested start time is later than end time<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_POLICY<\/td>\n<td>0xc<\/td>\n<td>12<\/td>\n<td>KDC policy rejects request<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_BADOPTION<\/td>\n<td>0xd<\/td>\n<td>13<\/td>\n<td>KDC cannot accommodate requested option<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_<br \/>\nETYPE_NOSUPP<\/td>\n<td>0xe<\/td>\n<td>14<\/td>\n<td>KDC has no support for encryption type<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_SUMTYPE_NOSUPP<\/td>\n<td>0xf<\/td>\n<td>15<\/td>\n<td>KDC has no support for checksum type<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_<br \/>\nPADATA_TYPE_NOSUPP<\/td>\n<td>0x10<\/td>\n<td>16<\/td>\n<td>KDC has no support for padata type<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_TRTYPE_NOSUPP<\/td>\n<td>0x11<\/td>\n<td>17<\/td>\n<td>KDC has no support for transited type<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\">KDC_ERR_<br \/>\nCLIENT_REVOKED<\/td>\n<td valign=\"top\">0x12<\/td>\n<td valign=\"top\">18<\/td>\n<td valign=\"top\">Clients credentials have been revoked<\/td>\n<td>This is due to a workstation restriction on the account, or a logon  time restriction, or logon attempt outside logon hours, or accout  disabled, expired, or locked out.<\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_<br \/>\nSERVICE_REVOKED<\/td>\n<td>0x13<\/td>\n<td>19<\/td>\n<td>Credentials for server have been revoked<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_TGT_REVOKED<\/td>\n<td>0x14<\/td>\n<td>20<\/td>\n<td>TGT has been revoked<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_CLIENT_NOTYET<\/td>\n<td>0x15<\/td>\n<td>21<\/td>\n<td>Client not yet valid &#8211; try again later<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_<br \/>\nSERVICE_NOTYET<\/td>\n<td>0x16<\/td>\n<td>22<\/td>\n<td>Server not yet valid &#8211; try again later<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_KEY_<br \/>\nEXPIRED<\/td>\n<td>0x17<\/td>\n<td>23<\/td>\n<td>Password has expired &#8211; change password to reset<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_<br \/>\nPREAUTH_FAILED<\/td>\n<td>0x18<\/td>\n<td>24<\/td>\n<td>Pre-authentication information was invalid<\/td>\n<td>Be sure to check time synchronization within your tree.<\/td>\n<\/tr>\n<tr>\n<td>KDC_ERR_<br \/>\nPREAUTH_REQUIRED<\/td>\n<td>0x19<\/td>\n<td>25<\/td>\n<td>Additional pre-authentication required<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KRB_AP_ERR_<br \/>\nBAD_INTEGRITY<\/td>\n<td>0x1f<\/td>\n<td>31<\/td>\n<td>Integrity check on decrypted field failed<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KRB_AP_ERR_TKT_<br \/>\nEXPIRED<\/td>\n<td>0x20<\/td>\n<td>32<\/td>\n<td>Ticket expired<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KRB_AP_ERR_TKT_NYV<\/td>\n<td>0x21<\/td>\n<td>33<\/td>\n<td>Ticket not yet valid<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KRB_AP_ERR_REPEAT<\/td>\n<td>0x22<\/td>\n<td>34<\/td>\n<td>Request is a replay<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KRB_AP_ERR_NOT_US<\/td>\n<td>0x23<\/td>\n<td>35<\/td>\n<td>The ticket isn&#8217;t for us<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KRB_AP_ERR_BADMATCH<\/td>\n<td>0x24<\/td>\n<td>36<\/td>\n<td>Ticket and authenticator don&#8217;t match<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KRB_AP_ERR_SKEW<\/td>\n<td>0x25<\/td>\n<td>37<\/td>\n<td>Clock skew too great<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KRB_AP_ERR_BADADDR<\/td>\n<td>0x26<\/td>\n<td>38<\/td>\n<td>Incorrect net address<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KRB_AP_ERR_<br \/>\nBADVERSION<\/td>\n<td>0x27<\/td>\n<td>39<\/td>\n<td>Protocol version mismatch<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KRB_AP_ERR_MSG_TYPE<\/td>\n<td>0x28<\/td>\n<td>40<\/td>\n<td>Invalid msg type<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KRB_AP_ERR_MODIFIED<\/td>\n<td>0x29<\/td>\n<td>41<\/td>\n<td>Message stream modified<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KRB_AP_ERR_<br \/>\nBADORDER<\/td>\n<td>0x2a<\/td>\n<td>42<\/td>\n<td>Message out of order<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KRB_AP_ERR_<br \/>\nBADKEYVER<\/td>\n<td>0x2c<\/td>\n<td>44<\/td>\n<td>Specified version of key is not available<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KRB_AP_ERR_NOKEY<\/td>\n<td>0x2d<\/td>\n<td>45<\/td>\n<td>Service key not available<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KRB_AP_ERR_MUT_FAIL<\/td>\n<td>0x2e<\/td>\n<td>46<\/td>\n<td>Mutual authentication failed<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KRB_AP_ERR_<br \/>\nBADDIRECTION<\/td>\n<td>0x2f<\/td>\n<td>47<\/td>\n<td>Incorrect message direction<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KRB_AP_ERR_METHOD<\/td>\n<td>0x60<\/td>\n<td>48<\/td>\n<td>Alternative authentication method required*<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KRB_AP_ERR_BADSEQ<\/td>\n<td>0x31<\/td>\n<td>49<\/td>\n<td>Incorrect sequence number in message<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KRB_AP_ERR_<br \/>\nINAPP_CKSUM<\/td>\n<td>0x32<\/td>\n<td>50<\/td>\n<td>Inappropriate type of checksum in message<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KRB_ERR_GENERIC<\/td>\n<td>0x3C<\/td>\n<td>60<\/td>\n<td>Generic error (description in e-text<\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>KRB_ERR_FIELD<br \/>\n_TOOLONG<\/td>\n<td>0x3D<\/td>\n<td>61<\/td>\n<td>Field is too long for this implementation<\/td>\n<td><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<p><span style=\"color: red;\"><strong> <\/strong><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>These failure codes are the original error codes from the Kerberos RFC 1510<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[10],"tags":[54],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1255"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1255"}],"version-history":[{"count":2,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1255\/revisions"}],"predecessor-version":[{"id":1257,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1255\/revisions\/1257"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1255"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1255"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1255"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}