ErrorKey - Search engine for Error codes and messages     
  HTTP:Kerberos Errors  [ 8 result(s) ]
0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database  MICROSOFT
Associated internal Windows error code
• STATUS_NO_SUCH_USER

Corresponding debug output messages
• D_DebugLog("KLIN(%x) No principal name supplied to AS request - not allowed\n")
• DebugLog("KdcGetS4UTicketInfo normalize returned referral for S4U client\n")
• DebugLog("Failed Authz check\n")

This error can occur if the domain controller cannot find the account name in Active Directory. This can occur in three scenarios:
• The actual account does not exist. Verify that the name is in Active Directory. If the principal name is not in the local Active Directory, but you know the account should exist and the user was recently added to the domain, verify that Active Directory replication is current.
• A new account has been created and has not yet replicated to the KDC that the client is using for authentication. The updates might not yet have reached the domain controller that is acting as the KDC for that user. For information about how to manually initiate an update, see "Initiating Replication between Active Directory Direct Replication Partners" in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=23063.
• The user's account has expired and the Enforce user logon restrictions Group Policy object (GPO) setting is enabled. If the user name is in Active Directory, determine whether the account has expired. Enforce user logon restrictions forces the domain controller to check the user's account each time a TGT is presented, and account expiration will cause the domain controller to refuse an otherwise valid TGT.
0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN - Server not found in Kerberos database  MICROSOFT
Associated internal Windows error codes
• STATUS_NO_TRUST_SAM_ACCOUNT
• STATUS_OBJECT_NAME_NOT_FOUND
• STATUS_KDC_UNABLE_TO_REFER

Corresponding debug output messages
• D_DebugLog("Wrong S4UProxytarget %wZ %wZ\n")
• DebugLog("KdcFindReferralTarget KLIN(%x) Needed exact match and got a transitively-trusted domain.\n")
• D_DebugLog("No referral info for %wZ\n")
• D_DebugLog("Got UPN w/ uknown trust path %x\n")
• DebugLog("No auth info for this trust: %wZ. %ws, line %d\n")

This error can occur if the domain controller cannot find the server's name in Active Directory. It is similar to KDC_ERR_C_PRINCIPAL_UNKNOWN except that it occurs when the server name cannot be found. This might be because:
• The actual name is missing. Verify that the service is registered and has an SPN set. For more information about setting SPNs, see Need an SPN Set earlier in this white paper.
• A new computer account has been created and has not yet replicated to the KDC that the client is using for authentication. The updates might not yet have reached the domain controller that is acting as the KDC for that client. For information about how to manually initiate an update, see "Initiating Replication between Active Directory Direct Replication Partners" in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=23063.
• UDP fragmentation is occurring. If the SPN is set, or if the request failed for an initial TGT (requesting a TGT does not require any SPNs to be set manually), then UDP fragmentation might be causing the failure. Capture a network trace with Network Monitor and compare it to the sample trace associated with UDP fragmentation in Appendix A. If you determine that the cause is UDP fragmentation, see UDP Fragmentation earlier in this white paper for information about how to resolve the issue.
• A trust path has been incorrectly configured. If the SPN is set correctly and this error
0x1C KDC_ERR_PATH_NOT_ACCEPTED - KDC Policy rejects transited path  MICROSOFT
Associated internal Windows error codes
• STATUS_TRUST_FAILURE

Corresponding debug output messages
• D_DebugLog("Client from realm %s attempted to access non transitive trust to %wZ : illegal\n")
• DebugLog("TGT S4U Client from realm %s attempted to access non transitive trust to %wZ : illegal\n")
• DebugLog("Missing delegation info while transiting %p\n")
• D_DebugLog("KDC presented w/ a unknown Xrealm TGT (%wZ)\n")

Possible causes:
• A trust is incorrectly set up between two domains. Verify that there is a two-way transitive trust set up between the user's domain and the domain on which the user is trying to access resources. If the domain to which the user is trying to authenticate is in another forest, see "Cannot Use Kerberos Trust Relationships Between Two Forests in Windows 2000" in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=23069. This article describes why you cannot use internal Kerberos trust relationships between two forests in Windows 2000.
• Constrained delegation is being attempted across multiple domains. No resolution: Windows 2000 does not support constrained delegation across multiple domains. If constrained delegation is being attempted across multiple domains in Windows Server 2003, this error message will read: Constrained delegation is not currently supported across multiple domains.
0x29 KRB_AP_ERR_MODIFIED - Message stream modified  MICROSOFT
Associated internal Windows error codes
• SEC_E_WRONG_PRINCIPAL
• STATUS_WRONG_PASSWORD

Corresponding debug output messages
• DebugLog("Failed to verify message: %x\n", Status)
• DebugLog("Failed to encrypt message: %x\n", Status)
• DebugLog("Failed to encrypt message (crypto mismatch?): %x\n")
• DebugLog("Checksum on TGS request body did not match\n")
• D_DebugLog("Failed to create S4U checksum\n")
• DebugLog("S4U PA checksum doesn't match!\n")
• DebugLog("Pac was modified - server checksum doesn't match\n")
• D_DebugLog(DEB_TRACE, "Could not decrypt the ticket\n")

Some encrypted Kerberos authentication data sent by the client did not decrypt properly at the server because:
• A service ticket is issued to the local computer account, for which a host/ SPN is automatically created, instead of to the service account, for which no SPN has been created. This happens when a service does not register an SPN for itself, yet belongs to a service class for which the computer automatically maps the SPN to the host/ service class (the HTTP and Common Internet File System (CIFS) service classes are examples). The result is that the service cannot decrypt the resultant ticket. If the root cause appears to be that an SPN has not been set, verify that each service running on the target computer has an SPN set. Services that do not have SPNs set might have had their SPNs remapped to the computer's host SPN. For more information about SPNs and how to set them, see Need an SPN Set earlier in this white paper.
• The authentication data was encrypted with the wrong key for the intended server.
• The authentication data was modified in transit by a hardware or software error, or by an attacker.
• The client sent the authentication data to the wrong server because incorrect DNS data caused the client to send the request to the wrong server. Verify that DNS is functioning properly.
• The client sent the authentication data to the wrong server because DNS data was out-of-date on the clie
0x28 KRB_AP_ERR_MSG_TYPE - Invalid msg type  MICROSOFT
Associated internal Windows error codes
• SEC_E_INVALID_TOKEN

Corresponding debug output messages
• DebugLog("Won't allow user2user with Datagram. %ws, line %d\n")

Possible cause:
• UDP is being attempted with the User-to-User protocol. User-to-User is an extension of Kerberos authentication that enables secure servers to be run on personal computers. Force Kerberos authentication to use TCP. For information about forcing Kerberos authentication to use TCP, see "How to Force Kerberos to Use TCP Instead of UDP" in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=23043.
0x34 KRB_ERR_RESPONSE_TOO_BIG - Response too big for UDP, retry with TCP  MICROSOFT
Associated internal Windows error codes
• STATUS_INVALID_BUFFER_SIZE

Corresponding debug output messages
• D_DebugLog("KLIN(%x) KDC response too big for UDP: %d bytes\n")

Possible cause:
• The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational: a computer running a Windows operating system will automatically retry over TCP if UDP fails. If this error occurs in a mixed operating system environment, upgrade the UNIX KDCs to the latest MIT distribution of the Kerberos protocol, which supports TCP connections if UDP fails. For information about forcing Kerberos to use TCP, see "How to Force Kerberos to Use TCP Instead of UDP" in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=23043.
0x8 KDC_ERR_PRINCIPAL_NOT_UNIQUE - Multiple principal entries in database  MICROSOFT
Associated internal Windows error codes
• STATUS_OBJECT_NAME_COLLISION
• KDCEVENT_NAME_NOT_UNIQUE

Corresponding debug output messages
• None

Fix:
This error occurs if duplicate principal names exist. Unique principal names are crucial for ensuring mutual authentication. Thus, duplicate principal names are strictly forbidden, even across multiple realms. Without unique principal names, the client has no way of ensuring that the server it is communicating with is the correct one. You must remove the duplicate principal name in order for Kerberos authentication to function. To find the duplicate SPN, you can use the LDP tool or the Ldifde utility. The two methods are described below.

How to use the LDP tool
Note: If you do not have the Windows Server 2003 Support Tools installed, install them from the Windows Server 2003 CD-ROM before proceeding. (The Setup executable file for Support Tools is located on the CD-ROM in the Support\Tools folder. The installation does not require you to restart the computer, but you might have to restart the computer so that the environment variables are updated.)
1. Click Start, and then click Run.
2. In the Open: text box, type LDP, and then click OK.
3. On the Connection menu, click Connect.
4. If you are on the domain controller, leave the default settings, and then click OK. If you are not on the domain controller, type the domain controller name in the Server text box and then click OK.
5. On the Co

For more information about using ldp.exe to search Active Directory, see "Using Ldp.exe to Find Data in the Active Directory" in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=23064.

How to use Ldifde
To use the Ldifde utility to extract the accounts for the domain, or from the suspected container or OU:
1. From the domain controller, open a command prompt, and then:
• For computer accounts, type: ldifde -f filename -d BaseDistinguishedName -r (objectclass=computer) -p subtree
  or
• For user accounts, type: ldifde -f filename -d BaseDistinguishedName -r (objectclass=user) -p subtree
Note: If the accounts that seem to have the duplicate SPNs are located in a certain OU (for example, Florida), you can refine the base distinguished name. For example: -d ou=sales,dc=tailspintoys,dc=com
2. Open the text file in Notepad, and then search for the SPN that is reported in the security event log.
3. Note the accounts under which the SPN is located. Use Setspn to rename or delete the duplicates. For more information about setting SPNs, see Need an SPN Set earlier in this white paper.
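Step 2 of the Ldifde procedure searches the export by hand for the one SPN named in the event log. The script below automates that step for every SPN in the export: it parses the LDIF file that ldifde -f writes (including base64 "::" values and folded continuation lines, both of which ldifde can emit) and reports every SPN registered on more than one account, comparing case-insensitively because that is how the KDC matches them. This is an added example, not code from the ErrorKey page or from Microsoft's white paper; the LDIF sample is constructed, and the account names, hosts and the tailspintoys.com domain are placeholders borrowed from the page's own example.

```python
"""Find servicePrincipalName values registered on more than one account in an
ldifde export. Added example for this page; not part of the ErrorKey page or
Microsoft's white paper. The LDIF below is constructed, and the account
names, hosts and domain are placeholders."""
import base64
import sys
from collections import defaultdict
from pathlib import Path

# Constructed ldifde-style export. Two accounts carry the same HTTP SPN
# (differing only in case; Active Directory treats them as the same SPN),
# one value is base64-encoded ("::"), and one value is folded onto a
# continuation line.
SAMPLE_LDIF = """\
dn: CN=WEB01,OU=Servers,DC=tailspintoys,DC=com
objectClass: computer
sAMAccountName: WEB01$
servicePrincipalName: HOST/web01.tailspintoys.com
servicePrincipalName: HOST/WEB01
servicePrincipalName: HTTP/intranet.tailspintoys.com

dn: CN=svc-web,OU=Service Accounts,DC=tailspintoys,DC=com
objectClass: user
sAMAccountName: svc-web
servicePrincipalName: http/INTRANET.tailspintoys.com
servicePrincipalName:: SFRUUC9yZXBvcnRzLnRhaWxzcGludG95cy5jb20=

dn: CN=svc-sql,OU=Service Accounts,DC=tailspintoys,DC=com
objectClass: user
sAMAccountName: svc-sql
servicePrincipalName: MSSQLSvc/sql01.tailspintoys
 .com:1433
"""


def _unfold(text):
    """Join LDIF continuation lines (a line starting with one space) onto the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def _split_attr(line):
    """Split 'attr: value' or base64-encoded 'attr:: value' into (attr, decoded value)."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        value = base64.b64decode(rest[1:].strip()).decode("utf-8")
    else:
        value = rest.strip()
    return name.strip(), value


def parse_ldif(text):
    """Return a list of (dn, {attribute: [values]}) for every entry in the export."""
    entries, dn, attrs = [], None, None
    for line in _unfold(text):
        if not line.strip():                 # blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, None
            continue
        if line.startswith("#"):             # LDIF comment
            continue
        name, value = _split_attr(line)
        if name == "dn":
            dn, attrs = value, defaultdict(list)
        elif dn is not None:
            attrs[name].append(value)
    if dn is not None:
        entries.append((dn, attrs))
    return entries


def spns_by_account(text):
    """Map each account DN to the list of SPNs registered on it."""
    return {dn: attrs.get("servicePrincipalName", []) for dn, attrs in parse_ldif(text)}


def find_duplicate_spns(text):
    """Return {spn lower-cased: [dn, ...]} for every SPN held by more than one account."""
    owners = defaultdict(list)
    for dn, spns in spns_by_account(text).items():
        for spn in spns:
            key = spn.lower()                # SPN matching is case-insensitive
            if dn not in owners[key]:
                owners[key].append(dn)
    return {spn: dns for spn, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    # Pass the file written by "ldifde -f filename ..."; an export made with -u is
    # UTF-16 and needs encoding="utf-16". With no argument the constructed sample is used.
    text = Path(sys.argv[1]).read_text(encoding="utf-8") if len(sys.argv) > 1 else SAMPLE_LDIF
    dupes = find_duplicate_spns(text)
    if not dupes:
        print("No duplicate SPNs found.")
    for spn, dns in dupes.items():
        print(f"Duplicate SPN {spn} on {len(dns)} accounts:")
        for dn in dns:
            print(f"  {dn}")
```

On the sample this reports http/intranet.tailspintoys.com as held by both WEB01 and svc-web, which is exactly the collision the KDC rejects with KDC_ERR_PRINCIPAL_NOT_UNIQUE; the DNs it lists are the accounts to fix with Setspn in step 3. Run it against the real export (ldifde -f output from step 1) rather than the sample, and note that on Windows Server 2008 and later the built-in setspn -X performs the same forest-wide duplicate search without an export.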
0x3C KRB_ERR_GENERIC - Generic error  MICROSOFT
Associated internal Windows error codes
• STATUS_INSUFFICIENT_RESOURCES

Corresponding debug output messages
• DebugLog("SpInitLsaModeContext failed to verify AP reply: 0x%x\n")
• DebugLog("Failed to decrypt AP reply: 0x%x. %ws, line %d\n")
• DebugLog("Failed to encode data: %d\n")
• DebugLog("KerbUnpackData Trying to unpack NULL data\n")
• D_DebugLog("Failed to unmarshal pac\n")
• DebugLog("Failed to get CLIENT Principal : 0x%x\n")
• DebugLog("Failed to get Client principal name: 0x%x\n")
• DebugLog("Failed to acquire KDC certificate private key: 0x%x\n")
• DebugLog("Trying S4UProxy w/ no PAC\n")
• D_DebugLog("KdcUnpackAdditionalTickets KLIN(%x) Trying to unpack null ticket or more than one ticket\n")
• D_DebugLog("The client of kpasswd did not ask for a sub key.\n")
• DebugLog("Failed to create token from ticket: 0x%x\n")
• D_DebugLog("No logon info for PAC - not adding resource groups\n")
• DebugLog("Failed to query domain info for %wZ: 0x%x. %ws, line %d\n")
• DebugLog("Failed to decrypt old password: 0x%x\n")
• DebugLog("KdcGetTicketInfo can't restrict user accounts if USER_EXTENDED_FIELD_SPN is not requested\n")

Possible causes:
• Group membership has overloaded the PAC. For information about how to resolve this issue, see Group Membership Overloads PAC earlier in this white paper.
• Multiple recent password changes have not propagated. You can wait for the changes to replicate, or you can force replication. To manually initiate replication, see "Initiating Replication Between Active Directory Direct Replication Partners" in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=23063.
• Crypto subsystem error caused by running out of memory. Restart the system or end processes to free memory.
• SPN too long. Use Network Monitor to capture network data. Examine the SPN being requested. Verify that it is a correctly formed SPN and is registered to a service on the network.
• SPN has too many parts. Use Network Monitor to capture network data. Examine the SPN being requested. Verify that it is a correctly formed SPN and is registered to a service on the network.