Networking Single Sign On Kerberos Error Codes
June 29, 2024 at 4:56 AM
This page contains an (incomplete) list of error and debug messages you may see when something is wrong with your Kerberos installation. The list is based on the source code of the official krb5 package on GitHub.
Windows-specific
The following errors occur only in Windows environments. Take the GLE (GetLastError) value and look it up in Microsoft’s System Error Codes table.
Error | Description |
---|---|
“Failed to get temporary path (GLE=%d)” | see above |
“Can’t open thread token (GLE=%d)” | |
“Unexpected error reading token information (GLE=%d)” | |
“GetTokenInformation() returned truncated buffer” | |
“GetTokenInformation() failed. GLE=%d” | |
“Can’t convert SID to string. GLE=%d” | |
“Unable to determine folder path” | Reason won’t be printed but is an HRESULT error code |
“Can’t find username for uid %lu” | Username can’t be expanded |
“Invalid token” | Token does not match format “%{ … }” or token could not be expanded |
“variable missing }” | Token does not end with “}” |
General
Error | Description |
---|---|
“Cannot find key for %s kvno %d in keytab”, “Cannot find key for %s kvno %d in keytab (request ticket server %s)” | Keytab does exist, but does not contain the given key |
“Cannot decrypt ticket for %s using keytab key for %s” | Ticket is not valid, e.g. integrity failed or does not belong to us |
“Server principal %s does not match request ticket server %s” | |
“No keys in keytab” | Local keytab is empty. This usually means that you are pointing to the wrong keytab file |
“Server principal %s does not match any keys in keytab” | Check keytab, server principal is wrong |
“Request ticket server %s found in keytab but does not match server principal %s” | |
“Request ticket server %s not found in keytab (ticket kvno %d)” | |
“Request ticket server %s kvno %d not found in keytab; ticket is likely out of date” | Key could not be refreshed or there is already a higher key version number available |
“Request ticket server %s kvno %d found in keytab but not with enctype %s” | Mismatch between encryption schemes |
“Request ticket server %s kvno %d enctype %s found in keytab but cannot decrypt ticket” | Ticket has bad integrity |
“Encryption type %s not permitted” | Encryption mismatch as no matching encryption scheme could be found |
“keyfile (%s) is not a regular file: %s” | keyfile exists but is not a normal file; it is a directory or block device |
“Could not create temp keytab file name.” | file permissions wrong or hard disk full? |
“Temporary stash file already exists: %s.” | This is a race condition and should only occur if the command is issued multiple times at the same time |
“rename of temporary keyfile (%s) to (%s) failed: %s” | Underlying filesystem problem or file has been removed by 3rd party |
“Can not fetch master key (error: %s).” | |
“Unable to decrypt latest master key with the provided master key” | |
“Encrypted Challenge used outside of FAST tunnel” | preauth failed |
“Incorrect password in encrypted challenge” | preauth failed |
“Principal %s is missing required realm” | principal has no realm but realm is required |
“Principal %s has realm present” | principal has realm present but Kerberos has been configured without realm |
“Can’t find client principal %s in cache collection” | issues with cache |
“No Kerberos credentials available (default cache: %s)” | issues with cache |
“Subsidiary cache path %s has no parent directory” | this should not happen; no absolute path of cache? |
“Subsidiary cache path %s filename does not begin with “tkt”” | |
“Credential cache directory %s does not exist” | It either does not exist or could not be created |
“Credential cache directory %s exists but is not a directory” | is cache directory a file or block device? |
“Can’t create new subsidiary cache because default cache is not a directory collection” | |
“No begin line not found” | PEM file for KVNO does not start with “-----BEGIN CERTIFICATE-----” |
“No end line found” | PEM file for KVNO does not end with “-----END ” |
“Unexpected header line” | PEM file for KVNO has invalid format |
“Invalid base64” | PEM file is not base64 encoded (not a DER certificate) |
“KDC returned error string: %.*s” | take a look at the Kerberos server’s log |
“Server %s not found in Kerberos database” | |
“No key table entry found for %s” | Principal could not be found in keytable |
“Too many keytab iterators active” | should not happen; multiple processes access the keytab file? |
“Cannot change keytab with keytab iterators active” | |
“Key table file ‘%s’ not found” | file does not exist |
“Keytab %s is nonexistent or empty” | file does not exist |
“Unable to initialize preauth context” | some pre-authentication plug-in failed |
“No default realm set; cannot initialize KDB” | default realm is missing inside krb5.conf |
“Unable to find requested database type: %s” | |
“Unable to load requested database module ‘%s’: plugin symbol ‘kdb_function_table’ not found” | |
“Illegal version number for KRB5_TL_MKEY_AUX %d” | |
“Illegal version number for KRB5_TL_ACTKVNO %d” | |
“Reply has wrong form of session key for anonymous request” | |
“Client ‘%s’ not found in Kerberos database” | |
“No key table entry found matching %s” | principal name could not be found in key table |
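
The “Request ticket server …” keytab messages in the General table differ only in which part of the keytab lookup failed: principal, kvno or enctype. The following added example, which is not code from krb5 or from this page, parses a keytab in MIT file format 0x0502 and reports which of those messages a ticket with a given server, kvno and enctype would run into. The names `parse_keytab`, `triage`, `sample_entry` and the sample principal are hypothetical, the sample record is constructed with a dummy key, and `triage` is a simplified model of the lookup rather than krb5's own logic.

```python
import struct

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab, format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                       # zero length ends the file
            break
        if size < 0:                        # negative length: deleted entry (hole)
            pos -= size
            continue
        rec, off, strs = data[pos:pos + size], 2, []
        pos += size
        for _ in range(struct.unpack_from(">H", rec)[0] + 1):   # realm, then components
            (n,) = struct.unpack_from(">H", rec, off)
            strs.append(rec[off + 2:off + 2 + n].decode())
            off += 2 + n
        # skip name type + timestamp (8 bytes), read 8-bit kvno, enctype, key length
        kvno, enctype, keylen = struct.unpack_from(">8xBHH", rec, off)
        off += 13 + keylen                  # key bytes are never read out
        if len(rec) - off >= 4:             # optional 32-bit kvno, used if non-zero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(strs[1:]) + "@" + strs[0], kvno, enctype))
    return entries

def triage(entries, server, kvno, enctype):
    """Simplified model (not krb5's code): which table message fits this ticket?"""
    if not entries:
        return "No keys in keytab"
    mine = [e for e in entries if e[0] == server]
    if not mine:
        return "Request ticket server %s not found in keytab (ticket kvno %d)"
    if all(e[1] != kvno for e in mine):
        return "Request ticket server %s kvno %d not found in keytab; ticket is likely out of date"
    if all(e[2] != enctype for e in mine if e[1] == kvno):
        return "Request ticket server %s kvno %d found in keytab but not with enctype %s"
    return None                             # key exists; any failure left is decryption

def sample_entry(realm, comps, kvno, enctype, key=b"\0" * 16):  # constructed record, dummy key
    body = struct.pack(">H", len(comps))
    body += b"".join(struct.pack(">H", len(p)) + p.encode() for p in [realm] + comps)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

SAMPLE = b"\x05\x02" + sample_entry("EXAMPLE.COM", ["HTTP", "web.example.com"], 3, 18)
```

Enctype 18 is aes256-cts-hmac-sha1-96 and 17 is aes128-cts-hmac-sha1-96; a `None` result with a ticket that still fails corresponds to the “cannot decrypt ticket” row.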