Kerberos Error Codes
April 26, 2026 at 11:05 PM

This page contains an incomplete list of error and debug messages that appear when something is wrong with your Kerberos installation. The list is based on the source code of the official krb5 package on GitHub.
Windows-specific
The following errors occur only in Windows environments. Check the GLE (GetLastError) value and look it up in Microsoft’s System Error Code table.

| Error | Description |
|---|---|
| “Failed to get temporary path (GLE=%d)” | see above |
| “Can’t open thread token (GLE=%d)” | |
| “Unexpected error reading token information (GLE=%d)” | |
| “GetTokenInformation() returned truncated buffer” | |
| “GetTokenInformation() failed. GLE=%d” | |
| “Can’t convert SID to string. GLE=%d” | |
| “Unable to determine folder path” | The reason is not printed, but it is an HRESULT error code |
| “Can’t find username for uid %lu” | Username can’t be expanded |
| “Invalid token” | Token does not match format “%{ … }” or token could not be expanded |
| “variable missing }” | Token does not end with “}” |

General

| Error | Description |
|---|---|
| “Cannot find key for %s kvno %d in keytab”, “Cannot find key for %s kvno %d in keytab (request ticket server %s)” | Keytab exists but does not contain the given key |
| “Cannot decrypt ticket for %s using keytab key for %s” | Ticket is not valid, e.g. integrity failed or does not belong to us |
| “Server principal %s does not match request ticket server %s” | |
| “No keys in keytab” | Local keytab is empty. This usually means that you are pointing to the wrong keytab file |
| “Server principal %s does not match any keys in keytab” | Check keytab, server principal is wrong |
| “Request ticket server %s found in keytab but does not match server principal %s” | |
| “Request ticket server %s not found in keytab (ticket kvno %d)” | |
| “Request ticket server %s kvno %d not found in keytab; ticket is likely out of date” | Key could not be refreshed or there is already a higher key version number available |
| “Request ticket server %s kvno %d found in keytab but not with enctype %s” | Mismatch between encryption schemes |
| “Request ticket server %s kvno %d enctype %s found in keytab but cannot decrypt ticket” | Ticket has bad integrity |
| “Encryption type %s not permitted” | Encryption mismatch as no matching encryption scheme could be found |
| “keyfile (%s) is not a regular file: %s” | keyfile exists but is not a regular file; it is a directory or block device |
| “Could not create temp keytab file name.” | file permissions wrong or hard disk full? |
| “Temporary stash file already exists: %s.” | This is a race condition and should only occur if the command is issued multiple times at the same time |
| “rename of temporary keyfile (%s) to (%s) failed: %s” | Underlying filesystem problem or the file has been removed by a third party |
| “Can not fetch master key (error: %s).” | |
| “Unable to decrypt latest master key with the provided master key” | |
| “Encrypted Challenge used outside of FAST tunnel” | preauth failed |
| “Incorrect password in encrypted challenge” | preauth failed |
| “Principal %s is missing required realm” | principal has no realm but realm is required |
| “Principal %s has realm present” | principal has realm present but Kerberos has been configured without realm |
| “Can’t find client principal %s in cache collection” | issues with cache |
| “No Kerberos credentials available (default cache: %s)” | issues with cache |
| “Subsidiary cache path %s has no parent directory” | this should not happen; no absolute path of cache? |
| “Subsidiary cache path %s filename does not begin with “tkt”” | |
| “Credential cache directory %s does not exist” | It either does not exist or could not be created |
| “Credential cache directory %s exists but is not a directory” | is cache directory a file or block device? |
| “Can’t create new subsidiary cache because default cache is not a directory collection” | |
| “No begin line not found” | PEM file for KVNO does not start with “-----BEGIN CERTIFICATE-----” |
| “No end line found” | PEM file for KVNO does not end with “-----END ” |
| “Unexpected header line” | PEM file for KVNO has invalid format |
| “Invalid base64” | PEM file is not base64 encoded (not a DER certificate) |
| “KDC returned error string: %.*s” | take a look at the Kerberos server’s log |
| “Server %s not found in Kerberos database” | |
| “No key table entry found for %s” | Principal could not be found in keytable |
| “Too many keytab iterators active” | should not happen; multiple processes access the keytab file? |
| “Cannot change keytab with keytab iterators active” | |
| “Key table file ‘%s’ not found” | file does not exist |
| “Keytab %s is nonexistent or empty” | file does not exist |
| “Unable to initialize preauth context” | some pre-authentication plug-in failed |
| “No default realm set; cannot initialize KDB” | default realm is missing inside krb5.conf |
| “Unable to find requested database type: %s” | |
| “Unable to load requested database module ‘%s’: plugin symbol ‘kdb_function_table’ not found” | |
| “Illegal version number for KRB5_TL_MKEY_AUX %d” | |
| “Illegal version number for KRB5_TL_ACTKVNO %d” | |
| “Reply has wrong form of session key for anonymous request” | |
| “Client ‘%s’ not found in Kerberos database” | |
| “No key table entry found matching %s” | principal name could not be found in key table |