This page contains a (non-complete) list of error and debug messages when something is wrong with your Kerberos installation. The list is based upon the source code of the official krb5 package on GitHub


The following errors do only occur in Windows environments. Please take a look at the GLE (GetLastError) value and look the value up at Microsoft’s System Error Code table.

Error Description
“Failed to get temporary path (GLE=%d)” see above
“Can’t open thread token (GLE=%d)”
“Unexpected error reading token information (GLE=%d)”
“GetTokenInformation() returned truncated buffer”
“GetTokenInformation() failed. GLE=%d”
“Can’t convert SID to string. GLE=%d”
“Unable to determine folder path” Reason won’t be printed but is an HRESULT error code
“Can’t find username for uid %lu” Username can’t be expanded
“Invalid token” Token does not match format “%{ … }” or token could not be expanded
“variable missing }” Token does not end with “}”


Error Description
“Cannot find key for %s kvno %d in keytab”, “Cannot find key for %s kvno %d in keytab (request ticket server %s)” Keytab does exist, but does not conain the given key
“Cannot decrypt ticket for %s using keytab key for %s” Ticket is not valid, e.g. integrity failed or does not belong to us
“Server principal %s does not match request ticket server %s”
“No keys in keytab” Local keytab is empty. This usually means that you are pointing to the wrong keytab file
“Server principal %s does not match any keys in keytab” Check keytab, server principal is wrong
“Request ticket server %s found in keytab but does not match server principal %s”
“Request ticket server %s not found in keytab (ticket kvno %d)”
“Request ticket server %s kvno %d not found in keytab; ticket is likely out of date” Key could not be refreshed or there is already a higher key version number available
“Request ticket server %s kvno %d found in keytab but not with enctype %s” Mismatch between encryption schemes
“Request ticket server %s kvno %d enctype %s found in keytab but cannot decrypt ticket” Ticket has bad integrity
“Encryption type %s not permitted” Encryption mismatch as no matching encryption scheme could be found
“keyfile (%s) is not a regular file: %s” keyfile exists but is not a normal file but a a directory or block device
“Could not create temp keytab file name.” file permissions wrong or hard disk full?
“Temporary stash file already exists: %s.” This is a race condition and should only occur if command is issued multiple times the same time
“rename of temporary keyfile (%s) to (%s) failed: %s” Underlying filesystem problem or file has been removed by 3rd party
“Can not fetch master key (error: %s).”
“Unable to decrypt latest master key with the provided master key”
“Encrypted Challenge used outside of FAST tunnel” preauth failed
“Incorrect password in encrypted challenge” preauth failed
“Principal %s is missing required realm” principal has no realm but realm is required
“Principal %s has realm present” principal has realm present but Kerberos hat been configured without realm
“Can’t find client principal %s in cache collection” issues with cache
“No Kerberos credentials available (default cache: %s) issues with cache
“Subsidiary cache path %s has no parent directory” this should not happen; no absolute path of cache?
“Subsidiary cache path %s filename does not begin with “tkt””
“Credential cache directory %s does not exist” It either does not exist or could not be created
“Credential cache directory %s exists but is not a directory” is cache directory a file or block device?
“Can’t create new subsidiary cache because default cache is not a directory collection”
“No begin line not found” PEM file for KVNO does not start with “—–BEGIN CERTIFICATE—–”
“No end line found” PEM file for KVNO does not end with “—–END “
“Unexpected header line” PEM file for KVNO has invalid format
“Invalid base64” PEM file is not base64 encoded (not a DER certificate)
“KDC returned error string: %.*s” take a look at the Kerberos servers’s log
“Server %s not found in Kerberos database”
“No key table entry found for %s” Principal could not be found in keytable
“Too many keytab iterators active” should not happen; multiple processes access the keytab file?
“Cannot change keytab with keytab iterators active”
“Key table file ‘%s’ not found” file does not exist
“Keytab %s is nonexistent or empty” file does not exist
“Unable to initialize preauth context” some pre-authenticatio plug-in failed
“No default realm set; cannot initialize KDB” default realm is missing inside krb5.conf
“Unable to find requested database type: %s”
“Unable to load requested database module ‘%s’: plugin symbol ‘kdb_function_table’ not found”
“Illegal version number for KRB5_TL_MKEY_AUX %d”
“Illegal version number for KRB5_TL_ACTKVNO %d”
“Reply has wrong form of session key for anonymous request”
“Client ‘%s’ not found in Kerberos database”
“No key table entry found matching %s” principal name could not be found in key table