
Status Codes


Event Id   Status code   Reason

4634       0x0           (indicating a successful logoff)

4625       0xC0000064    user name does not exist
           0xC000006A    user name is correct but the password is wrong
           0xC0000234    user is currently locked out
           0xC0000072    account is currently disabled
           0xC000006F    user tried to logon outside his day of week or time of day restrictions
           0xC0000070    workstation restriction, or Authentication Policy Silo violation (look for event ID 4820 on domain controller)
           0xC0000193    account expiration
           0xC0000071    expired password
           0xC0000133    clocks between DC and other computer too far out of sync
           0xC0000224    user is required to change password at next logon
           0xC0000225    evidently a bug in Windows and not a risk
           0xc000015b    The user has not been granted the requested logon type (aka logon right) at this machine

4776       C0000064      The username does not exist
           C000006A      The username is correct but the password is wrong
           C0000234      The user is currently locked out
           C0000072      The account is currently disabled
           C000006F      The user tried to log on outside their day-of-the-week or time-of-day restrictions
           C0000070      The user attempted to log on from a restricted workstation
           C0000193      The user tried to log on with an expired account
           C0000071      The user tried to log on with a stale password
           C0000224      The user is required to change their password at the next logon
           C0000225      Evidently a bug in Windows and not a risk

4769       0x0           KDC_ERR_NONE
           0x1           KDC_ERR_NAME_EXP
           0x2           KDC_ERR_SERVICE_EXP
           0x3           KDC_ERR_BAD_PVNO
           0x4           KDC_ERR_C_OLD_MAST_KVNO
           0x5           KDC_ERR_S_OLD_MAST_KVNO
           0x6           KDC_ERR_C_PRINCIPAL_UNKNOWN
           0x7           KDC_ERR_S_PRINCIPAL_UNKNOWN
           0x8           KDC_ERR_PRINCIPAL_NOT_UNIQUE
           0x9           KDC_ERR_NULL_KEY
           0xA           KDC_ERR_CANNOT_POSTDATE
           0xB           KDC_ERR_NEVER_VALID
           0xC           KDC_ERR_POLICY
           0xD           KDC_ERR_BADOPTION
           0xE           KDC_ERR_ETYPE_NOTSUPP
           0xF           KDC_ERR_SUMTYPE_NOSUPP
           0x10          KDC_ERR_PADATA_TYPE_NOSUPP
           0x11          KDC_ERR_TRTYPE_NO_SUPP
           0x12          KDC_ERR_CLIENT_REVOKED
           0x13          KDC_ERR_SERVICE_REVOKED
           0x14          KDC_ERR_TGT_REVOKED
           0x15          KDC_ERR_CLIENT_NOTYET
           0x16          KDC_ERR_SERVICE_NOTYET
           0x17          KDC_ERR_KEY_EXPIRED
           0x18          KDC_ERR_PREAUTH_FAILED
           0x19          KDC_ERR_PREAUTH_REQUIRED
           0x1A          KDC_ERR_SERVER_NOMATCH
           0x1B          KDC_ERR_SVC_UNAVAILABLE
           0x1F          KRB_AP_ERR_BAD_INTEGRITY
           0x20          KRB_AP_ERR_TKT_EXPIRED
           0x21          KRB_AP_ERR_TKT_NYV
           0x22          KRB_AP_ERR_REPEAT
           0x23          KRB_AP_ERR_NOT_US
           0x24          KRB_AP_ERR_BADMATCH
           0x25          KRB_AP_ERR_SKEW
           0x26          KRB_AP_ERR_BADADDR
           0x27          KRB_AP_ERR_BADVERSION
           0x28          KRB_AP_ERR_MSG_TYPE
           0x29          KRB_AP_ERR_MODIFIED
           0x2A          KRB_AP_ERR_BADORDER
           0x2C          KRB_AP_ERR_BADKEYVER
           0x2D          KRB_AP_ERR_NOKEY
           0x2E          KRB_AP_ERR_MUT_FAIL
           0x2F          KRB_AP_ERR_BADDIRECTION
           0x30          KRB_AP_ERR_METHOD
           0x31          KRB_AP_ERR_BADSEQ
           0x32          KRB_AP_ERR_INAPP_CKSUM
           0x33          KRB_AP_PATH_NOT_ACCEPTED
           0x34          KRB_ERR_RESPONSE_TOO_BIG
           0x3C          KRB_ERR_GENERIC
           0x3D          KRB_ERR_FIELD_TOOLONG
           0x3E          KDC_ERR_CLIENT_NOT_TRUSTED
           0x3F          KDC_ERR_KDC_NOT_TRUSTED
           0x40          KDC_ERR_INVALID_SIG
           0x41          KDC_ERR_KEY_TOO_WEAK
           0x42          KRB_AP_ERR_USER_TO_USER_REQUIRED
           0x43          KRB_AP_ERR_NO_TGT
           0x44          KDC_ERR_WRONG_REALM

4768,4771  0x1           Client's entry in database has expired
           0x2           Server's entry in database has expired
           0x3           Requested protocol version # not supported
           0x4           Client's key encrypted in old master key
           0x5           Server's key encrypted in old master key
           0x6           Client not found in Kerberos database
           0x7           Server not found in Kerberos database
           0x8           Multiple principal entries in database
           0x9           The client or server has a null key
           0xA           Ticket not eligible for postdating
           0xB           Requested start time is later than end time
           0xC           KDC policy rejects request
           0xD           KDC cannot accommodate requested option
           0xE           KDC has no support for encryption type
           0xF           KDC has no support for checksum type
           0x10          KDC has no support for padata type
           0x11          KDC has no support for transited type
           0x12          Clients credentials have been revoked
           0x13          Credentials for server have been revoked
           0x14          TGT has been revoked
           0x15          Client not yet valid - try again later
           0x16          Server not yet valid - try again later
           0x17          Password has expired
           0x18          Pre-authentication information was invalid
           0x19          Additional pre-authentication required*
           0x1F          Integrity check on decrypted field failed
           0x20          Ticket expired
           0x21          Ticket not yet valid
           0x22          Request is a replay
           0x23          The ticket isn't for us
           0x24          Ticket and authenticator don't match
           0x25          Clock skew too great
           0x26          Incorrect net address
           0x27          Protocol version mismatch
           0x28          Invalid msg type
           0x29          Message stream modified
           0x2A          Message out of order
           0x2C          Specified version of key is not available
           0x2D          Service key not available
           0x2E          Mutual authentication failed
           0x2F          Incorrect message direction
           0x30          Alternative authentication method required*
           0x31          Incorrect sequence number in message
           0x32          Inappropriate type of checksum in message
           0x3C          Generic error (description in e-text)
           0x3D          Field is too long for this implementation

Status code   Description

0x0           No error
0x1           Client's entry in KDC database has expired
0x2           Server's entry in KDC database has expired
0x3           Requested Kerberos version number not supported
0x4           Client's key encrypted in old master key
0x5           Server's key encrypted in old master key
0x6           Client not found in Kerberos database
0x7           Server not found in Kerberos database
0x8           Multiple principal entries in KDC database
0x9           The client or server has a null key (master key)
0xA           Ticket (TGT) not eligible for postdating
0xB           Requested start time is later than the end time
0xC           Requested start time is later than the end time
0xD           KDC cannot accommodate requested option
0xE           KDC has no support for encryption type
0xF           KDC has no support for checksum type
0x10          KDC has no support for PADATA type (pre-authentication data)
0x11          KDC has no support for transited type
0x12          Client's credentials have been revoked
0x13          Credentials for server have been revoked
0x14          TGT has been revoked
0x15          Client not yet valid - try again later
0x16          Server not yet valid - try again later
0x17          Password has expired - change password to reset
0x18          Pre-authentication information was invalid
0x19          Additional pre-authentication required
0x1A          KDC does not know about the requested server
0x1B          KDC is unavailable
0x1F          Integrity check on decrypted field failed
0x20          The ticket has expired
0x21          The ticket is not yet valid
0x22          The request is a replay
0x23          The ticket is not for us
0x24          The ticket and authenticator do not match
0x25          The clock skew is too great
0x26          Network address in network layer header doesn't match address inside ticket
0x27          Protocol version numbers don't match (PVNO)
0x28          Message type is unsupported
0x29          Message stream modified and checksum didn't match
0x2A          Message out of order (possible tampering)
0x2C          Specified version of key is not available
0x2D          Service key not available
0x2E          Mutual authentication failed
0x2F          Incorrect message direction
0x30          Alternative authentication method required
0x31          Incorrect sequence number in message
0x32          Inappropriate type of checksum in message (checksum may be unsupported)
0x33          Desired path is unreachable
0x34          Too much data
0x3C          Generic error
0x3D          Field is too long for this implementation
0x3E          The client trust failed or is not implemented
0x3F          The KDC server trust failed or could not be verified
0x40          The signature is invalid
0x41          A higher encryption level is needed
0x42          User-to-user authorization is required
0x43          No TGT was presented or available
0x44          Incorrect domain or principal


Bad user name, or new computer/user account has not replicated to DC yet
New computer account has not replicated yet or computer is pre-w2k

administrator should reset the password on the account

Workstation restriction, or Authentication Policy Silo (look for event ID 4820)

Account disabled, expired, locked out, logon hours.

The user’s password has expired.


Usually means bad password

Frequently logged by computer accounts

Workstation’s clock too far out of sync with the DC’s


IP address change?

may be a memory allocation failure


No errors were found.
No information.
No information.
No information.
No information.
No information.
The username doesn’t exist.
The domain controller can’t find the server’s name in Active Directory.
Duplicate principal names exist.

Unique principal names are crucial for ensuring mutual authentication; duplicate principal names are strictly forbidden, even ac
No master key was found for the client or server. This usually means that the administrator should reset the password on the ac
A client has requested postdating of a Kerberos ticket (setting the ticket’s start time to a future date/time), or there is a time diff
There is a time difference between the KDC and the client.
There are logon restrictions on the user’s account, like a workstation restriction, smart card authentication requirement, or logon
The TGT is about to expire, or the client is attempting to delegate credentials to an SPN that’s not in its allowed-to-delegate-to
The KDC or client received a packet that it can’t decrypt.
The KDC, server, or client received a packet that it doesn’t have an appropriate encryption key for, so it can’t decrypt the ticket
Smart card logon is being attempted and the proper certificate can’t be located. This can happen because the wrong certificate
A domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authenticat

This error code can’t occur in event 4768, but it can occur in event 4771.
No information.
There may be explicit restrictions on the account; the account could also be disabled, expired, or locked out.
No information.
Since the remote KDC may change its PKCROSS key while there are PKCROSS tickets still active, it should cache the old PK

See RFC1510 for more details.


No information.
No information.
The user’s password has expired.

This error code can’t occur in event 4768, but it does occur in event 4771.
The wrong password was provided.

This error code can’t occur in event 4768, but it does occur in event 4771.
Often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB

Most MIT-Kerberos clients will respond to this error by giving preauthentication, in which case the error can be ignored
No information.
No information.
The authenticator was encrypted with something other than the session key, so the client can’t decrypt the resulting message.

The modification of the message could be the result of an attack or network noise.
The smaller the value for the Kerberos policy setting Maximum lifetime for user ticket, the more likely it is that this error will o

Because ticket renewal is automatic, you shouldn’t have to do anything if you get this message.
The clocks on the KDC and the client aren’t synchronized.

If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the
A specific authenticator showed up twice; in other words, the KDC detected that this session ticket duplicates one that it has alr
The server has received a ticket that was meant for a different realm.
The KRB_TGS_REQ is being sent to the wrong KDC.
There was an account mismatch during protocol transition.

A client computer sent a timestamp whose value differs from that of the server’s timestamp by more than the Maximum toleran
The address of the computer sending the ticket is different from the valid address in the ticket. A possible cause of this could
A ticket was passed through a proxy server or NAT. The client is unaware of the address scheme used by the proxy server, so

An application checks the KRB_SAFE message to verify that the protocol version and type fields match the current version and
The target server finds that the message format is wrong. This applies to KRB_AP_REQ, KRB_SAFE, KRB_PRIV, and KRB
The use of UDP protocol is being attempted with user-to-user authentication.

The authentication data was encrypted with the wrong key for the intended server.
The authentication data was modified in transit by a hardware or software error, or by an attacker.
The client sent the authentication data to the wrong server because of incorrect DNS data.

This event generates for KRB_SAFE and KRB_PRIV messages if an incorrect sequence number is included or if a sequence nu

See RFC4120 for more details.


The server can’t use the key version indicated by the ticket in the KRB_AP_REQ (e.g. it indicates an old key that the server do
The server doesn’t have the right key to decipher the ticket.

Because it's possible for the server to be registered in multiple realms with different keys in each realm, the realm field in the u
No information.
No information.
According to RFC4120, this error message is obsolete.
No information.
When the KDC receives a KRB_TGS_REQ message, it decrypts it. Afterwards, the user-supplied checksum in the Authenticato
is not collision-proof (with an error code of KRB_AP_ERR_INAPP_CKSUM).
No information.
The size of a ticket is too large to be transmitted reliably via UDP.

In a Windows environment, this message is purely informational. A Windows computer will automatically try TCP if UDP fail
Group membership has overloaded the Privilege Account Certificate (PAC).
Multiple recent password changes haven't been propagated
Crypto subsystem error caused by running out of memory.
The SPN is too long.
The SPN has too many parts

If a KDC that does not understand how to interpret a set high bit of the length encoding receives a request with the high order b

Each request (KRB_KDC_REQ) and response (KRB_KDC_REP or KRB_ERROR) sent over the TCP stream is preceded by th
A user’s smart card certificate has been revoked.
The root CA that issued the smart card certificate (in a chain) is not trusted by the domain controller.

The trustedCertifiers field contains a list of CAs trusted by the client, just in case the client doesn’t possess the KDC's public ke
This error is related to PKINIT. If a PKI trust relationship exists, the KDC then verifies the client's signature on AuthPack (TGT
If the clientPublicValue field is filled in, indicating that the client wishes to use the Diffie-Hellman key agreement, then the KD
The client doesn't know that a service requires user-to-user authentication, so it requests, receives, and forwards a conventiona
The service doesn’t have a TGT for user-to-user authentication.
The client presented a cross-realm TGT to a realm other than the one specified in the TGT.

This error rarely occurs, but it’s typically caused by an incorrectly configured DNS.

Logon Type   Logon Title               Description

0            System                    Used only by the System account, for example at system startup.
2            Interactive               A user logged on to this computer.
3            Network                   A user or computer logged on to this computer from the network.
4            Batch                     Batch logon type is used by batch servers, where processes can be run on behalf of a user without their direct intervention.
5            Service                   The Service Control Manager started a service.
7            Unlock                    This workstation was unlocked.
8            NetworkCleartext          A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials don't traverse the network in plaintext (also called cleartext).
9            NewCredentials            A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10           RemoteInteractive         A user logged on to this computer remotely using Terminal Services or Remote Desktop.
11           CachedInteractive         A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller wasn't contacted to verify the credentials.
12           CachedRemoteInteractive   Same as RemoteInteractive. This type is used for internal auditing.
13           CachedUnlock              Workstation logon.
