Wednesday, July 16, 2014

Locked Account

Very often I get tickets of accounts that keep getting locked out. When I check the logs all I get is that the service name Kerberos Authentication Service (krbtgt) is the one that is causing the issue. Recently I wanted to provide a user with more information and started looking at exactly what each error code meant, and I found the following table, I thought it was worth sharing it.

Result code Kerberos RFC description Notes on common failure codes
0x1 Client's entry in database has expired
0x2 Server's entry in database has expired
0x3 Requested protocol version # not supported
0x4 Client's key encrypted in old master key
0x5 Server's key encrypted in old master key
0x6 Client not found in Kerberos database Bad user name, or new computer/user account has not replicated to DC yet
0x7 Server not found in Kerberos database  New computer account has not replicated yet or computer is pre-w2k
0x8 Multiple principal entries in database
0x9 The client or server has a null key  administrator should reset the password on the account
0xA Ticket not eligible for postdating
0xB Requested start time is later than end time
0xC KDC policy rejects request Workstation restriction
0xD KDC cannot accommodate requested option
0xE KDC has no support for encryption type
0xF KDC has no support for checksum type
0x10 KDC has no support for padata type
0x11 KDC has no support for transited type
0x12 Clients credentials have been revoked Account disabled, expired, locked out, logon hours.
0x13 Credentials for server have been revoked
0x14 TGT has been revoked
0x15 Client not yet valid - try again later
0x16 Server not yet valid - try again later
0x17 Password has expired The user’s password has expired.
0x18 Pre-authentication information was invalid Usually means bad password
0x19 Additional pre-authentication required*
0x1F Integrity check on decrypted field failed
0x20 Ticket expired Frequently logged by computer accounts
0x21 Ticket not yet valid
0x21 Ticket not yet valid
0x22 Request is a replay
0x23 The ticket isn't for us
0x24 Ticket and authenticator don't match
0x25 Clock skew too great Workstation’s clock too far out of sync with the DC’s
0x26 Incorrect net address  IP address change?
0x27 Protocol version mismatch
0x28 Invalid msg type
0x29 Message stream modified
0x2A Message out of order
0x2C Specified version of key is not available
0x2D Service key not available
0x2E Mutual authentication failed  may be a memory allocation failure
0x2F Incorrect message direction
0x30 Alternative authentication method required*
0x31 Incorrect sequence number in message
0x32 Inappropriate type of checksum in message
0x3C Generic error (description in e-text)
0x3D Field is too long for this implementation


I was able to find even more information in the Technet post: