Code Field Name Description
0x00 TGT/TGS Issue Error Codes KDC_ERR_NONE No error
0x1 TGT/TGS Issue Error Codes KDC_ERR_NAME_EXP Client's entry in KDC database has expired
0x2 TGT/TGS Issue Error Codes KDC_ERR_SERVICE_EXP Server's entry in KDC database has expired
0x3 TGT/TGS Issue Error Codes KDC_ERR_BAD_PVNO Requested Kerberos version number not supported
0x4 TGT/TGS Issue Error Codes KDC_ERR_C_OLD_MAST_KVNO Client's key encrypted in old master key
0x5 TGT/TGS Issue Error Codes KDC_ERR_S_OLD_MAST_KVNO Server's key encrypted in old master key
0x6 TGT/TGS Issue Error Codes KDC_ERR_C_PRINCIPAL_UNKNOWN Client not found in Kerberos database
0x7 TGT/TGS Issue Error Codes KDC_ERR_S_PRINCIPAL_UNKNOWN Server not found in Kerberos database. This can occur if the domain controller cannot find the server’s name in AD. This error is similar to KDC_ERR_C_PRINCIPAL_UNKNOWN except that it occurs when the server name cannot be found.
0x8 TGT/TGS Issue Error Codes KDC_ERR_PRINCIPAL_NOT_UNIQUE Multiple principal entries in KDC database. Occurs if duplicate principal names exist. Unique principal names are crucial for ensuring mutual authentication. As such, duplicate principal names are strictly forbidden, even across multiple realms. Without unique principal names, the client has no way of ensuring that the server it is communicating with is the correct one.
0x9 TGT/TGS Issue Error Codes KDC_ERR_NULL_KEY The client or server has a null key (master key). No master key was found for client or server. This usually means that the administrator should reset the password on the account.
0xA TGT/TGS Issue Error Codes KDC_ERR_CANNOT_POSTDATE Ticket (TGT) not eligible for postdating. Can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a ticket’s start time be set into the future. May also occur if there is a time difference between the client and the KDC.
0xB TGT/TGS Issue Error Codes KDC_ERR_NEVER_VALID Requested start time is later than end time. There is a time difference between the KDC and the client.
0xC TGT/TGS Issue Error Codes KDC_ERR_POLICY Requested start time is later than end time. Usually the result of logon restrictions in place on a user’s account. For example workstation restriction, smart card authentication requirement or logon time restriction.
0xD TGT/TGS Issue Error Codes KDC_ERR_BADOPTION KDC cannot accommodate requested option. Impending expiration of a TGT. The SPN to which the client is attempting to delegate credentials is not in its Allowed-to-delegate-to list.
0xE TGT/TGS Issue Error Codes KDC_ERR_ETYPE_NOTSUPP KDC has no support for encryption type. In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt.
0x0F TGT/TGS Issue Error Codes KDC_ERR_SUMTYPE_NOSUPP KDC has no support for checksum type. The KDC, server, or client receives a packet for which it does not have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket.
0x10 TGT/TGS Issue Error Codes KDC_ERR_PADATA_TYPE_NOSUPP KDC has no support for PADATA type (pre-authentication data) Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller. It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
0x11 TGT/TGS Issue Error Codes KDC_ERR_TRTYPE_NO_SUPP KDC has no support for transited type.
0x12 TGT/TGS Issue Error Codes KDC_ERR_CLIENT_REVOKED Client’s credentials have been revoked. This might be because of an explicit disabling or because of other restrictions in place on the account. For example: account disabled, expired, or locked out.
0x13 TGT/TGS Issue Error Codes KDC_ERR_SERVICE_REVOKED Credentials for server have been revoked.