Fields #

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Kerberos",
    "guid": "{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}",
    "event_source_name": "Kerberos",
    "event_id": 3,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T23:04:02.620676+00:00",
    "event_record_id": 12251,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "LogonSession": "LUDUS.DOMAIN\\domainadmin",
    "ClientTime": "",
    "ServerTime": "23:4:2.0000 3/13/2026 Z",
    "ErrorCode": "0x19",
    "ErrorMessage": "KDC_ERR_PREAUTH_REQUIRED",
    "ExtendedError": "",
    "ClientRealm": "",
    "ClientName": "",
    "ServerRealm": "ludus",
    "ServerName": "krbtgt/ludus",
    "TargetName": "krbtgt/ludus@ludus",
    "ErrorText": "",
    "File": "onecore\\ds\\security\\protocols\\kerberos\\client2\\logonapi.cxx",
    "Line": "e00",
    "Binary": "30353012A103020113A20B040930073005A0030201173009A103020102A20204003009A103020110A20204003009A10302010FA2020400"
  },
  "message": ""
}

Fields #

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Kerberos",
    "guid": "{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}",
    "event_source_name": "Kerberos",
    "event_id": 4,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-14T20:59:54.579371+00:00",
    "event_record_id": 12914,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Server": "domainadmin",
    "TargetRealm": "LUDUS.DOMAIN",
    "Targetname": "rpc/LAB-DC01",
    "ClientRealm": "LUDUS.DOMAIN",
    "Binary": ""
  },
  "message": ""
}

Fields #

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Kerberos",
    "guid": "{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}",
    "event_source_name": "Kerberos",
    "event_id": 5,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-02-10T01:12:10.274438+00:00",
    "event_record_id": 984,
    "correlation": {},
    "execution": {
      "process_id": 240,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Server": "jd-win11-22h2-1$",
    "KDCRealm": "LUDUS.DOMAIN",
    "Binary": ""
  },
  "message": ""
}

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Description

An error occurred while initializing the smart card logon library: Error.

Message #

An error occurred while initializing the smart card logon library: %1

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Fields #

Description

The service principal name (SPN) SPN is not registered, which caused Kerberos authentication to fail: ErrorCode. Use the setspn command-line tool to register the SPN.

Message #

The service principal name (SPN) %1 is not registered, which caused Kerberos authentication to fail: %2. Use the setspn command-line tool to register the SPN.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Kerberos",
    "guid": "98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1",
    "event_source_name": "",
    "event_id": 100,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T20:17:40.189125+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 968,
      "thread_id": 8880
    },
    "channel": "Microsoft-Windows-Kerberos/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "SPN": "HTTP/nonexistent.domain.local@LUDUS.DOMAIN",
    "ErrorCode": 7
  },
  "message": ""
}

Message #

The service principal name (SPN) %1 is registered on multiple accounts which caused Kerberos authentication to fail: %2. Use the setspn command-line tool to identify the accounts and remove the duplicate registrations.

Fields #

Description

Trust validation of the certificate for the Kerberos Key Distribution Center (KDC) DomainController failed: ErrorCode. Use the CAPI2 diagnostic traces to identify the reason for the validation failure.

Message #

Trust validation of the certificate for the Kerberos Key Distribution Center (KDC) %1 failed: %2. Use the CAPI2 diagnostic traces to identify the reason for the validation failure.

Fields #

Description

Trust validation of the client certificate for ClientUpn failed: ErrorCode on KDC. Use the CAPI2 diagnostic traces to identify the reason for the validation failure.

Message #

Trust validation of the client certificate for %1 failed: %2 on KDC. Use the CAPI2 diagnostic traces to identify the reason for the validation failure.

Fields #

Description

The Kerberos Key Distribution Center (KDC) for the domain TargetDomain does not have a certificate installed or does not support logon using certificates: ErrorCode.

Message #

The Kerberos Key Distribution Center (KDC) for the domain %1 does not have a certificate installed or does not support logon using certificates: %2

Fields #

Description

The Kerberos client could not retrieve passwords for the group managed service account.

Message #

The Kerberos client could not retrieve passwords for the group managed service account.

LogonId: %1:%2
DomainName: %3
UserName: %4
Refresh: %5
Current File Time: %6
Error Code: %7

Fields #

Description

The Kerberos client received a KDC certificate that does not have KDC EKU (not based on Kerberos Authentication Template).

Message #

The Kerberos client received a KDC certificate that does not have KDC EKU (not based on Kerberos Authentication Template).

Error Code: %1

Fields #

Description

The Kerberos client received a KDC certificate that does not have a matched domain name.

Message #

The Kerberos client received a KDC certificate that does not have a matched domain name.

Expected Domain Name: %1
Error Code: %2

Fields #

Description

The Kerberos client could not send a Kerberos proxy request.

Message #

The Kerberos client could not send a Kerberos proxy request.

ProxyServer:
  ServerName: %1
  ServerPort: %2
  ServerVdir: %3
Error Code: %4
Status Code: %5

Fields #

Description

The Kerberos client could not find a suitable credential to use with the authentication proxy.

Message #

The Kerberos client could not find a suitable credential to use with the authentication proxy:

AuthProxy:
  Proxy: %1
  ProxyBypass: %2
  Epoch: %3
  Supported Schemes: %4
  First Scheme: %5
Digest Credential:
  Initialized: %6
  DomainAndUserName: %7
  Epoch: %8
Basic Credential:
  Initialized: %9
  DomainAndUserName: %10
  Epoch: %11

Fields #

Description

The Kerberos client could not locate a domain controller for domain TargetDomain: ErrorCode. Kerberos authentication requires communicating with a domain controller.

Message #

The Kerberos client could not locate a domain controller for domain %1: %2. Kerberos authentication requires communicating with a domain controller.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Kerberos",
    "guid": "98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1",
    "event_source_name": "",
    "event_id": 200,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T20:24:08.199756+00:00",
    "event_record_id": 2,
    "correlation": {},
    "execution": {
      "process_id": 968,
      "thread_id": 10948
    },
    "channel": "Microsoft-Windows-Kerberos/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TargetDomain": "LUDUS.DOMAIN",
    "ErrorCode": 3221225572
  },
  "message": ""
}

Description

Attempt to use Kerberos unconstrained delegation failed.

Message #

Attempt to use Kerberos unconstrained delegation failed.

Target server: %1
Supplied user: %2
Supplied domain: %3
PID of client process: %4
Name of client process: %5
LUID of client process: %6
User identity of client process: %7
Domain name of user identity of client process: %8
Mechanism OID: %9

Kerberos unconstrained delegation is not allowed for this user. For more information, see https://go.microsoft.com/fwlink/?linkid=856824.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Kerberos",
    "guid": "98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1",
    "event_source_name": "",
    "event_id": 201,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T20:05:05.241896+00:00",
    "event_record_id": 1,
    "correlation": {
      "ActivityID": "A5B814C5-B324-0003-DC14-B8A524B3DC01"
    },
    "execution": {
      "process_id": 984,
      "thread_id": 1072
    },
    "channel": "Microsoft-Windows-Kerberos/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TargetName": "cifs/LAB-DC01.ludus.domain",
    "UserName": "NULL",
    "DomainName": "NULL",
    "CallerPID": 4,
    "ProcessName": "",
    "ClientLUID": "0x3e7",
    "ClientUserName": "LAB-WIN11$",
    "ClientDomainName": "ludus",
    "MechanismOID": "1.2.840.48018.1.2.2"
  },
  "message": ""
}

Description

Attempt to export TGT session key failed.

Message #

Attempt to export TGT session key failed.

Target server: %1
Supplied user: %2
Supplied domain: %3
PID of client process: %4
Name of client process: %5
LUID of client process: %6
User identity of client process: %7
Domain name of user identity of client process: %8
Mechanism OID: %9

This device does not allow exporting TGT session keys. For more information, see https://go.microsoft.com/fwlink/?linkid=856825.

Fields #

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Security-Kerberos",
    "guid": "98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1",
    "event_source_name": "",
    "event_id": 202,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-15T05:16:41.040416+00:00",
    "event_record_id": 44,
    "correlation": {},
    "execution": {
      "process_id": 940,
      "thread_id": 2768
    },
    "channel": "Microsoft-Windows-Kerberos/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TargetName": "krbtgt/LUDUS.DOMAIN",
    "UserName": "domainadmin",
    "DomainName": "NULL",
    "CallerPID": 3788,
    "ProcessName": "C:\\Windows\\System32\\klist.exe",
    "ClientLUID": "0x4aa840e",
    "ClientUserName": "domainadmin",
    "ClientDomainName": "ludus",
    "MechanismOID": "NULL"
  },
  "message": ""
}

Message #

When Credential Guard is enabled, Kerberos does not accept PKINIT KDC replies using public key encryption to ensure Kerberos tickets cannot be exported from the device. For more information, see https://go.microsoft.com/fwlink/?linkid=856823.

Description

Kerberos does not accept PKINIT KDC replies using public key encryption.

Message #

Kerberos does not accept PKINIT KDC replies using public key encryption.

Description

The KDC used a hash algorithm for the PKINIT protocol that is being audited: Algorithm.

Message #

The KDC used a hash algorithm for the PKINIT protocol that is being audited: %1.

Fields #

Description

The Kerberos client used a hash algorithm for the PKINIT protocol that is being audited: Algorithm.

Message #

The Kerberos client used a hash algorithm for the PKINIT protocol that is being audited: %1.

Fields #

Description

The KDC used a hash algorithm for the PKINIT protocol that is not supported on the client: Algorithm.

Message #

The KDC used a hash algorithm for the PKINIT protocol that is not supported on the client: %1.

Fields #

Description

The Kerberos client and KDC could not agree on a policy compliant hash algorithm for PKINIT.

Message #

The Kerberos client and KDC could not agree on a policy compliant hash algorithm for PKINIT. 

Client supported algorithms: { %1 }
KDC supported algorithms: { %2 }

Fields #

Description

The Kerberos client has an invalid hash algorithm configuration for PKINIT. This might result in PKINIT failures.

Message #

The Kerberos client has an invalid hash algorithm configuration for PKINIT. This might result in PKINIT failures.

Description

The Kerberos client discovered domain controller DomainController for the domain TargetDomain.

Message #

The Kerberos client discovered domain controller %1 for the domain %2.

Fields #

Description

The Kerberos client used credentials from the Credential Manager for the target: 'Target'.

Message #

The Kerberos client used credentials from the Credential Manager for the target: '%1'.

Fields #

Description

The Kerberos client was bound to domain controller DesiredFlags for the domain CacheFlags but could not access this domain controller at the time.

Message #

The Kerberos client was bound to domain controller %1 for the domain %2 but could not access this domain controller at the time.

    DesiredFlags: %3
    CacheFlags: %4
    ErrorCode: %5

Fields #

Description

The Kerberos client updated passwords for the group managed service account.

Message #

The Kerberos client updated passwords for the group managed service account.

LogonId: %1:%2
DomainName: %3
UserName: %4
Update Current Passwords: %5
Update Old Passwords: %6
Refresh: %7
Previous File Time: %8
Current File Time: %9

Fields #

Description

The Kerberos client used the DES algorithm to encrypt data. This is unsupported with Credential Guard.

Message #

The Kerberos client used the DES algorithm to encrypt data. This is unsupported with Credential Guard.

Description

Export of TGT attempted through call package. This is unsupported with Credential Guard.

Message #

Export of TGT attempted through call package. This is unsupported with Credential Guard.

Process Name:%1
Service Host Tag:%2

Fields #

Description

Export of supplemental credentials attempted. This is unsupported with Credential Guard.

Message #

Export of supplemental credentials attempted. This is unsupported with Credential Guard.

Process Name:%1
Service Host Tag:%2

Fields #

Description

The Kerberos client has discovered a DMSA migration.

Message #

The Kerberos client has discovered a DMSA migration
Old Account Name: %1
New Account Name: %2
Domain Name: %3
Status: %4
Migration Complete: %5

Fields #

Description

Adding machine to the Principals Allowed Managed Password attribute of a DMSA.

Message #

Adding machine to the Principals Allowed Managed Password attribute of a DMSA
DC Used: %1
DMSA Distinguished Name: %2
Linked Account: %3
Domain Name: %4
Previously Authorized: %5
Status: %6

Fields #

Description

Fetching keys for a DMSA using the machine account.

Message #

Fetching keys for a DMSA using the machine account
KDC Used: %1
Domain Name: %2
Account Name: %3
Fetch Time: %4
Expiration Time: %5
Keys Updated: %6
Ntlm Updated: %7
Status: %8

Fields #

Description

Machine password migrated from LSA to VBS.

Message #

Machine password migrated from LSA to VBS
Enforcement Mode: %1

Fields #

Description

Machine Identity Isolation is currently in enforcement mode. To go back to disabled/audit mode, you must manually unjoin and rejoin the domain.

Message #

Machine Identity Isolation is currently in enforcement mode. To go back to disabled/audit mode, you must manually unjoin and rejoin the domain.

Description

Machine password change failed.

Message #

Machine password change failed
Status: %1
Migration Needed: %2
Policy: %3
Exit Reason: %4

Fields #

Description

An error occurred while retrieving a digital certificate from the inserted smart card. Error.

Message #

An error occurred while retrieving a digital certificate from the inserted smart card. %1

Fields #

Description

An error occurred in while attempting to verify the inserted smart card: Error.

Message #

An error occurred in while attempting to verify the inserted smart card: %1

Fields #

Description

An error occurred while signing a message using the inserted smart card: Error.

Message #

An error occurred while signing a message using the inserted smart card: %1

Fields #

Description

An error occurred while verifying a signed message using the inserted smart card: Error.

Message #

An error occurred while verifying a signed message using the inserted smart card: %1

Fields #

Description

An error occurred while verifying the digital certificate retrieved from the inserted smart card: Error.

Message #

An error occurred while verifying the digital certificate retrieved from the inserted smart card: %1

Fields #

Description

An error occurred while encrypting a message using the inserted smart card: Error.

Message #

An error occurred while encrypting a message using the inserted smart card: %1

Fields #

Description

An error occurred while decrypting a message using the inserted smart card: Error.

Message #

An error occurred while decrypting a message using the inserted smart card: %1

Fields #

Description

An error occurred while building a certificate context: Error.

Message #

An error occurred while building a certificate context: %1

Fields #

Description

An error occurred while signing a message: Error.

Message #

An error occurred while signing a message: %1

Fields #

Description

An error occurred while verifying a signed message: Error.

Message #

An error occurred while verifying a signed message: %1

Fields #

Description

An error occurred while encrypting a message: Error.

Message #

An error occurred while encrypting a message: %1

Fields #

Description

An error occurred while decrypting a message: Error.

Message #

An error occurred while decrypting a message: %1

Fields #

Description

An error occurred while retrieving some provider parameter: Error.

Message #

An error occurred while retrieving some provider parameter: %1

Fields #

Description

An error occurred while generating a random number: Error.

Message #

An error occurred while generating a random number: %1

Fields #

Message #

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server %1. The target name used was %3. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (%2) is different from the client domain (%4), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Fields #

Message #

The Kerberos client received a KRB_AP_ERR_TKT_NYV error from the server %1. This indicates that the ticket presented to that server is not yet valid (due to a discrepancy between ticket and server time. Contact your system administrator to make sure the client and server times are synchronized, and that the time for the Key Distribution Center Service (KDC) in realm %2 is synchronized with the KDC in the client realm.

Fields #

Description

A Kerberos error message was received.

Message #

A Kerberos error message was received:
 on logon session %1
 Client Time: %2
 Server Time: %3
 Error Code: %4 %5
 Extended Error: %6
 Client Realm: %7
 Client Name: %8
 Server Realm: %9
 Server Name: %10
 Target Name: %11
 Error Text: %12
 File: %13
 Line: %14
 Error Data is in record data.

Fields #

Description

The Kerberos SSPI package generated an output token of size NeededSize bytes, which was too large to fit in the token buffer of size ActualSize bytes, provided by process id ClientProcessID.

Message #

The Kerberos SSPI package generated an output token of size %1 bytes, which was too large to fit in the token buffer of size %2 bytes, provided by process id %3.
 
 The output SSPI token size is probably the result of the user %4 being a member of a large number of groups.
 
 It is recommended to minimize the number of groups a user belongs to. If the problem can not be corrected by reducing the group memberships of this user, contact your system administrator to increase the maximum token size, which is configured on each computer individually using the registry value: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxTokenSize.

Fields #

Description

The Kerberos subsystem currently cannot retrieve tickets from your domain controller using the UDP network protocol. This is typically due to network problems. Contact your system administrator.

Message #

The Kerberos subsystem currently cannot retrieve tickets from your domain controller using the UDP network protocol. This is typically due to network problems. Contact your system administrator.

Message #

While using your smart card over a VPN connection, the Kerberos subsystem encountered an error. Typically, this indicates the card has been pulled from the card reader during the VPN session. One possible solution is to close the VPN connection, reinsert the card, and establish the connection again.

Message #

The smart card PIN stored in Credential Manager is missing or invalid. The smart card PIN is stored in memory only for the current interactive logon session, and is deleted if the card is removed from the card reader or when the user logs off. To resolve this error, keep the card in the reader, open Credential Manager in Control Panel, and reenter the PIN for the credential %1.

Fields #

Message #

The password stored in Credential Manager is invalid. This might be caused by the logged on user changing the password from this computer or a different computer. To resolve this error, open Credential Manager in Control Panel, and reenter the password for the credential %1.

Fields #

Description

The Kerberos SSPI package generated an output token of size NeededSize bytes, which was too large to fit in the token buffer of size ActualSize bytes, provided by process id ClientProcessID.

Message #

The Kerberos SSPI package generated an output token of size %1 bytes, which was too large to fit in the token buffer of size %2 bytes, provided by process id %3.
 
 The application needs to be modified to supply a token buffer of size at least %4 bytes.

Fields #

Message #

The delegated TGT for the user (%2) has expired. A renewal was attempted and failed with error %8. The server logon session (%1) has stopped delegating the user's credential. For future unconstrained delegation to succeed, the user needs to authenticate again to the server. 

TGT Details:
    Client: %2
    Server: %3
    Flags: %4
    Start Time: %5
    End Time: %6
    Renew Until: %7

Fields #

Message #

The KDC certificate for the domain controller does not contain the KDC Extended Key Usage (EKU): 1.3.6.1.5.2.3.5: Error Code %1. The domain administrator will need to obtain a certificate with the KDC EKU for the domain controller to resolve this error. When using Windows Server Certificate Services create a certificated based on the Kerberos Authentication Template.

Fields #

Message #

The KDC certificate for the domain controller does not have the DNS name of domain %1 in the Subject Alternative Name (SAN) attribute: Error Code %2. The domain administrator will need to obtain a KDC certificate with the DNS domain name in the SAN attribute for the domain controller to resolve this error. When using Windows Server Certificate Services create a certificated based on the Kerberos Authentication Template.

Fields #

Fields #

Fields #

Fields #

Description

The digitally signed Privilege Attribute Certificate (PAC) that contains the authorization information for client ClientName in realm Realm could not be validated.

Message #

The digitally signed Privilege Attribute Certificate (PAC) that contains the authorization information for client %1 in realm %2 could not be validated.
 
 This error is usually caused by domain trust failures; Contact your system administrator.

Fields #

Description

The domain controller rejected the client certificate of user Message, used for smart card logon. The following error was returned from the certificate validation process: Name.

Message #

The domain controller rejected the client certificate of user %2, used for smart card logon. The following error was returned from the certificate validation process: %1.

Fields #

Description

The client has failed to validate the domain controller certificate for Message. The following error was returned from the certificate validation process: Name.

Message #

The client has failed to validate the domain controller certificate for %2. The following error was returned from the certificate validation process: %1.

Fields #

Message #

The Distinguished Name in the subject field of your smart card logon certificate does not contain enough information to identify the appropriate domain on an non-domain joined computer. Contact your system administrator.

Message #

The Kerberos SSPI package failed to find the smart card certificate in the certificate store. To remedy this failure, logon as user %1 and insert the smart card into the smart card reader, then use the Certificates snap-in to verify that the smart card certificate is in the user's personal certificate store.

Fields #

Description

The Kerberos SSPI package failed to locate the forest or domain Forest to search. Ensure that the Use forest search order Group Policy is correctly configured, and that this forest or domain is available.

Message #

The Kerberos SSPI package failed to locate the forest or domain %1 to search.  Ensure that the Use forest search order Group Policy is correctly configured, and that this forest or domain is available.

Fields #