Appendix C: Kerberos and LDAP Error Messages
Kerberos Error Messages
Kerberos-related error messages can appear on the authentication server (KDC), on the application server, at the user interface, or in network traces of Kerberos packets. The user interface often shows only a generic message, and an application written with GSS-API may return a numeric error code to the user instead of a text message. More specific messages can be found in the logs on the authentication server or the application server. In a network trace, Kerberos errors appear as the GSS-API base error codes rather than the English text for those codes. When troubleshooting Kerberos issues related to the configuration steps in this document, the error messages in the logs on the authentication server and in network traces are usually more helpful than the messages the user sees at the user interface.
The text of the error messages differs between Windows-based Active Directory servers and UNIX KDCs, but all of them are based on the same set of error codes defined in RFC 1510, “The Kerberos Network Authentication Service Version 5,” section 8.3. This RFC defines error codes in the range 1–61 (hex values 0x01 to 0x3D) and is available at https://www.ietf.org/rfc/rfc1510.txt.
The error codes are subject to change. Since RFC 1510 was published, a small number of additional error codes have been proposed. The currently defined error messages are listed in Table C.1, with values given in hexadecimal. Error codes 0x1 through 0x1E come only from the KDC, in response to an AS_REQ or TGS_REQ. The other error codes may come from either the KDC or an application, in response to an AP_REQ, KRB_PRIV, KRB_SAFE, or KRB_CRED message.
On an Active Directory server, Kerberos error messages are written to the Event Log. Extended Kerberos logging must be enabled before all message types will appear. To enable it, add a DWORD registry entry named LogLevel under the following key and set it to 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
The server must be restarted after this change before the extended logging takes effect.
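The registry change above, carried out and verified from PowerShell, as an added example that is not part of the guide. The HKLM path is the key the appendix names; the event provider name used to read the results back afterwards is an assumption made for this example.

```powershell
# Added example, not from the guide: turn extended Kerberos event logging on
# (or back off) through the registry key named in the appendix, verify the
# stored value, and read the resulting events. Run in an elevated session.
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Set-ExtendedKerberosLogging {
    param([ValidateSet(0, 1)][int]$Level = 1)   # 1 = extended, 0 = default

    # The Parameters subkey is not always present; create it if missing.
    if (-not (Test-Path -Path $KerbParams)) {
        New-Item -Path $KerbParams -Force | Out-Null
    }
    # LogLevel must be a REG_DWORD; -Force overwrites an existing value.
    New-ItemProperty -Path $KerbParams -Name 'LogLevel' -PropertyType DWord `
        -Value $Level -Force | Out-Null

    # Return what is actually stored instead of trusting the write.
    return (Get-ItemProperty -Path $KerbParams -Name 'LogLevel').LogLevel
}

function Get-KerberosErrorEvents {
    param([int]$MaxEvents = 50)
    # Assumption for this example: after the restart the extended events are
    # written to the System log by the Microsoft-Windows-Security-Kerberos
    # provider, with the Kerberos error code quoted as 0x.. in the message.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'ErrorCode'; e = { if ($_.Message -match '0x[0-9A-Fa-f]+') { $Matches[0] } } },
            @{ n = 'Text'; e = { ($_.Message -split "`n")[0] } }
}

# 1. Enable extended logging; prints 1 when the DWORD is stored correctly.
Set-ExtendedKerberosLogging -Level 1
# 2. Restart the server (the appendix's step), e.g. Restart-Computer.
# 3. After the restart, list recent Kerberos events with their error codes
#    (compare the ErrorCode column against Table C.1).
Get-KerberosErrorEvents | Format-Table -AutoSize
# 4. Extended logging is verbose; turn it back off when troubleshooting ends.
# Set-ExtendedKerberosLogging -Level 0
```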
On a UNIX KDC, the log or logs to which Kerberos error messages are written are defined in the krb5.conf file. These logging settings apply only to UNIX-based computers that run a KDC and therefore, in the context of this document, only to End State 5—Cross-Realm Authentication.
More information about Kerberos error messages can be found in Appendix D: “Kerberos and LDAP Troubleshooting Tips,” of this guide and in the following document, “Troubleshooting Kerberos Errors,” available at https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx.
Information about Kerberos troubleshooting tools is also available in Appendix E: “Relevant Windows and UNIX Tools.”
Table C.1. Kerberos Error Messages

| Error | Error Name | Description |
|---|---|---|
| 0x0 | KDC_ERR_NONE | No error |
| 0x1 | KDC_ERR_NAME_EXP | Client's entry in KDC database has expired |
| 0x2 | KDC_ERR_SERVICE_EXP | Server's entry in KDC database has expired |
| 0x3 | KDC_ERR_BAD_PVNO | Requested Kerberos version number not supported |
| 0x4 | KDC_ERR_C_OLD_MAST_KVNO | Client's key encrypted in old master key |
| 0x5 | KDC_ERR_S_OLD_MAST_KVNO | Server's key encrypted in old master key |
| 0x6 | KDC_ERR_C_PRINCIPAL_UNKNOWN | Client not found in Kerberos database |
| 0x7 | KDC_ERR_S_PRINCIPAL_UNKNOWN | Server not found in Kerberos database |
| 0x8 | KDC_ERR_PRINCIPAL_NOT_UNIQUE | Multiple principal entries in KDC database |
| 0x9 | KDC_ERR_NULL_KEY | The client or server has a null key (master key) |
| 0xA | KDC_ERR_CANNOT_POSTDATE | Ticket (TGT) not eligible for postdating |
| 0xB | KDC_ERR_NEVER_VALID | Requested start time is later than end time |
| 0xC | KDC_ERR_POLICY | KDC policy rejects request |
| 0xD | KDC_ERR_BADOPTION | KDC cannot accommodate requested option |
| 0xE | KDC_ERR_ETYPE_NOTSUPP | KDC has no support for encryption type |
| 0xF | KDC_ERR_SUMTYPE_NOSUPP | KDC has no support for checksum type |
| 0x10 | KDC_ERR_PADATA_TYPE_NOSUPP | KDC has no support for PADATA type (pre-authentication data) |
| 0x11 | KDC_ERR_TRTYPE_NO_SUPP | KDC has no support for transited type |
| 0x12 | KDC_ERR_CLIENT_REVOKED | Client's credentials have been revoked |
| 0x13 | KDC_ERR_SERVICE_REVOKED | Credentials for server have been revoked |
| 0x14 | KDC_ERR_TGT_REVOKED | TGT has been revoked |
| 0x15 | KDC_ERR_CLIENT_NOTYET | Client not yet valid—try again later |
| 0x16 | KDC_ERR_SERVICE_NOTYET | Server not yet valid—try again later |
| 0x17 | KDC_ERR_KEY_EXPIRED | Password has expired—change password to reset |
| 0x18 | KDC_ERR_PREAUTH_FAILED | Pre-authentication information was invalid |
| 0x19 | KDC_ERR_PREAUTH_REQUIRED | Additional pre-authentication required |
| 0x1A | KDC_ERR_SERVER_NOMATCH | KDC does not know about the requested server |
| 0x1B | KDC_ERR_SVC_UNAVAILABLE | KDC is unavailable |
| 0x1F | KRB_AP_ERR_BAD_INTEGRITY | Integrity check on decrypted field failed |
| 0x20 | KRB_AP_ERR_TKT_EXPIRED | The ticket has expired |
| 0x21 | KRB_AP_ERR_TKT_NYV | The ticket is not yet valid |
| 0x22 | KRB_AP_ERR_REPEAT | The request is a replay |
| 0x23 | KRB_AP_ERR_NOT_US | The ticket is not for us |
| 0x24 | KRB_AP_ERR_BADMATCH | The ticket and authenticator do not match |
| 0x25 | KRB_AP_ERR_SKEW | The clock skew is too great |
| 0x26 | KRB_AP_ERR_BADADDR | Network address in network layer header doesn't match address inside ticket |
| 0x27 | KRB_AP_ERR_BADVERSION | Protocol version numbers don't match (PVNO) |
| 0x28 | KRB_AP_ERR_MSG_TYPE | Message type is unsupported |
| 0x29 | KRB_AP_ERR_MODIFIED | Message stream modified and checksum didn't match |
| 0x2A | KRB_AP_ERR_BADORDER | Message out of order (possible tampering) |
| 0x2C | KRB_AP_ERR_BADKEYVER | Specified version of key is not available |
| 0x2D | KRB_AP_ERR_NOKEY | Service key not available |
| 0x2E | KRB_AP_ERR_MUT_FAIL | Mutual authentication failed |
| 0x2F | KRB_AP_ERR_BADDIRECTION | Incorrect message direction |
| 0x30 | KRB_AP_ERR_METHOD | Alternative authentication method required |
| 0x31 | KRB_AP_ERR_BADSEQ | Incorrect sequence number in message |
| 0x32 | KRB_AP_ERR_INAPP_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) |
| 0x33 | KRB_AP_PATH_NOT_ACCEPTED | Desired path is unreachable |
| 0x34 | KRB_ERR_RESPONSE_TOO_BIG | Too much data |
| 0x3C | KRB_ERR_GENERIC | Generic error; the description is in the e-data field |
| 0x3D | KRB_ERR_FIELD_TOOLONG | Field is too long for this implementation |
| 0x3E | KDC_ERR_CLIENT_NOT_TRUSTED | The client trust failed or is not implemented |
| 0x3F | KDC_ERR_KDC_NOT_TRUSTED | The KDC server trust failed or could not be verified |
| 0x40 | KDC_ERR_INVALID_SIG | The signature is invalid |
| 0x41 | KDC_ERR_KEY_TOO_WEAK | A higher encryption level is needed |
| 0x42 | KRB_AP_ERR_USER_TO_USER_REQUIRED | User-to-user authorization is required |
| 0x43 | KRB_AP_ERR_NO_TGT | No TGT was presented or available |
| 0x44 | KDC_ERR_WRONG_REALM | Incorrect domain or principal |

The error codes in Table C.2 are returned only in response to local requests. These codes will not be returned in response to network requests.
Table C.2. Windows-specific Responses

| Error | Error Name | Description |
|---|---|---|
| 0x80000001 | KDC_ERR_MORE_DATA | More data is available |
| 0x80000002 | KDC_ERR_NOT_RUNNING | The Kerberos service is not running |

LDAP Error Messages
This section lists LDAP errors seen on an Active Directory® directory service server and errors seen on a UNIX client. The UNIX client reports few useful errors.
Table C.3. LDAP Error Messages

| Error | Error Name | Description |
|---|---|---|
| 0x00 | LDAP_SUCCESS | Successful request |
| 0x01 | LDAP_OPERATIONS_ERROR | Initialization of LDAP library failed |
| 0x02 | LDAP_PROTOCOL_ERROR | Protocol error occurred |
| 0x03 | LDAP_TIMELIMIT_EXCEEDED | Time limit has been exceeded |
| 0x04 | LDAP_SIZELIMIT_EXCEEDED | Size limit has been exceeded |
| 0x05 | LDAP_COMPARE_FALSE | Compare yielded FALSE |
| 0x06 | LDAP_COMPARE_TRUE | Compare yielded TRUE |
| 0x07 | LDAP_AUTH_METHOD_NOT_SUPPORTED | The authentication method is not supported |
| 0x08 | LDAP_STRONG_AUTH_REQUIRED | Strong authentication is required |
| 0x09 | LDAP_REFERRAL_V2 | LDAP version 2 referral |
| 0x09 | LDAP_PARTIAL_RESULTS | Partial results and referrals received |
| 0x0a | LDAP_REFERRAL | Referral occurred |
| 0x0b | LDAP_ADMIN_LIMIT_EXCEEDED | Administration limit on the server has been exceeded |
| 0x0c | LDAP_UNAVAILABLE_CRIT_EXTENSION | Critical extension is unavailable |
| 0x0d | LDAP_CONFIDENTIALITY_REQUIRED | Confidentiality is required |
| 0x0E | LDAP_SASL_BIND_IN_PROGRESS | Intermediary bind result for multistage binds |
| 0x10 | LDAP_NO_SUCH_ATTRIBUTE | Requested attribute does not exist |
| 0x11 | LDAP_UNDEFINED_TYPE | The type is not defined |
| 0x12 | LDAP_INAPPROPRIATE_MATCHING | An inappropriate matching occurred |
| 0x13 | LDAP_CONSTRAINT_VIOLATION | A constraint violation occurred |
| 0x14 | LDAP_ATTRIBUTE_OR_VALUE_EXISTS | The attribute exists or the value has been assigned |
| 0x15 | LDAP_INVALID_SYNTAX | The syntax is invalid |
| 0x20 | LDAP_NO_SUCH_OBJECT | Object does not exist |
| 0x21 | LDAP_ALIAS_PROBLEM | The alias is invalid |
| 0x22 | LDAP_INVALID_DN_SYNTAX | The distinguished name has an invalid syntax |
| 0x23 | LDAP_IS_LEAF | The object is a leaf |
| 0x24 | LDAP_ALIAS_DEREF_PROBLEM | Cannot de-reference the alias |
| 0x30 | LDAP_INAPPROPRIATE_AUTH | Authentication is inappropriate |
| 0x31 | LDAP_INVALID_CREDENTIALS | The supplied credential is invalid |
| 0x32 | LDAP_INSUFFICIENT_RIGHTS | The user has insufficient access rights |
| 0x33 | LDAP_BUSY | The server is busy |
| 0x34 | LDAP_UNAVAILABLE | The server is unavailable |
| 0x35 | LDAP_UNWILLING_TO_PERFORM | The server does not handle directory requests |
| 0x36 | LDAP_LOOP_DETECT | The chain of referrals has looped back to a referring server |
| 0x40 | LDAP_NAMING_VIOLATION | There was a naming violation |
| 0x41 | LDAP_OBJECT_CLASS_VIOLATION | There was an object class violation |
| 0x42 | LDAP_NOT_ALLOWED_ON_NONLEAF | Operation is not allowed on a nonleaf object |
| 0x43 | LDAP_NOT_ALLOWED_ON_RDN | Operation is not allowed on RDN |
| 0x44 | LDAP_ALREADY_EXISTS | The object already exists |
| 0x45 | LDAP_NO_OBJECT_CLASS_MODS | Cannot modify object class |
| 0x46 | LDAP_RESULTS_TOO_LARGE | Results returned are too large |
| 0x47 | LDAP_AFFECTS_MULTIPLE_DSAS | Multiple directory service agents are affected |
| 0x50 | LDAP_OTHER | Unknown error occurred |
| 0x51 | LDAP_SERVER_DOWN | Cannot contact the LDAP server |
| 0x52 | LDAP_LOCAL_ERROR | Local error occurred |
| 0x53 | LDAP_ENCODING_ERROR | Encoding error occurred |
| 0x54 | LDAP_DECODING_ERROR | Decoding error occurred |
| 0x55 | LDAP_TIMEOUT | The search timed out |
| 0x56 | LDAP_AUTH_UNKNOWN | Unknown authentication error occurred |
| 0x57 | LDAP_FILTER_ERROR | The search filter is incorrect |
| 0x58 | LDAP_USER_CANCELLED | The user has canceled the operation |
| 0x59 | LDAP_PARAM_ERROR | An incorrect parameter was passed to a routine |
| 0x5a | LDAP_NO_MEMORY | The system is out of memory |
| 0x5b | LDAP_CONNECT_ERROR | Cannot establish a connection to the server |
| 0x5c | LDAP_NOT_SUPPORTED | The feature is not supported |
| 0x5d | LDAP_CONTROL_NOT_FOUND | The LDAP function did not find the specified control |
| 0x5e | LDAP_NO_RESULTS_RETURNED | No results were returned |
| 0x5f | LDAP_MORE_RESULTS_TO_RETURN | Additional results are to be returned |
| 0x60 | LDAP_CLIENT_LOOP | Client loop was detected |
| 0x61 | LDAP_REFERRAL_LIMIT_EXCEEDED | The referral limit was exceeded |

Information about LDAP troubleshooting tips and troubleshooting tools is available in the following appendices: Appendix D: “Kerberos and LDAP Troubleshooting Tips” and Appendix E: “Relevant Windows and UNIX Tools.”