Microsoft-Windows-Security-Kerberos
90 events across 3 channels
Event ID 3: A Kerberos error message was received:
#Fields #
| Name | Description |
|---|---|
LogonSession UnicodeString | |
ClientTime UnicodeString | |
ServerTime UnicodeString | |
ErrorCode UnicodeString | |
ErrorMessage UnicodeString | |
ExtendedError UnicodeString | |
ClientRealm UnicodeString | |
ClientName UnicodeString | |
ServerRealm UnicodeString | |
ServerName UnicodeString | |
TargetName UnicodeString | |
ErrorText UnicodeString | |
File UnicodeString | |
Line UnicodeString | |
__binLength UInt32 | |
binary Binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Kerberos",
"event_id": 3,
"level": "Error",
"task": null,
"opcode": null,
"time_created": "2026-03-13T23:09:23.8825311+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {
"ServerTime": "23:9:23.0000 3/13/2026 Z",
"ErrorText": null,
"ServerRealm": "LUDUS.DOMAIN",
"Line": "e00",
"TargetName": "krbtgt/LUDUS.DOMAIN@LUDUS.DOMAIN",
"ServerName": "krbtgt/LUDUS.DOMAIN",
"ErrorCode": "0x19",
"File": "onecore\\ds\\security\\protocols\\kerberos\\client2\\logonapi.cxx",
"ClientRealm": null,
"ClientTime": null,
"ErrorMessage": "KDC_ERR_PREAUTH_REQUIRED",
"LogonSession": "LUDUS.DOMAIN\\domainadmin",
"ExtendedError": null,
"ClientName": null
}
}
Event ID 3: A Kerberos error message was received:
#Fields #
| Name | Description |
|---|---|
LogonSession | |
ClientTime | |
ServerTime | |
ErrorCode | |
ErrorMessage | |
ExtendedError | |
ClientRealm | |
ClientName | |
ServerRealm | |
ServerName | |
TargetName | |
ErrorText | |
File | |
Line | |
__binLength | |
binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Kerberos",
"guid": "{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}",
"event_source_name": "Kerberos",
"event_id": 3,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-03-13T23:04:02.620676+00:00",
"event_record_id": 12251,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "System",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"LogonSession": "LUDUS.DOMAIN\\domainadmin",
"ClientTime": "",
"ServerTime": "23:4:2.0000 3/13/2026 Z",
"ErrorCode": "0x19",
"ErrorMessage": "KDC_ERR_PREAUTH_REQUIRED",
"ExtendedError": "",
"ClientRealm": "",
"ClientName": "",
"ServerRealm": "ludus",
"ServerName": "krbtgt/ludus",
"TargetName": "krbtgt/ludus@ludus",
"ErrorText": "",
"File": "onecore\\ds\\security\\protocols\\kerberos\\client2\\logonapi.cxx",
"Line": "e00",
"Binary": "30353012A103020113A20B040930073005A0030201173009A103020102A20204003009A103020110A20204003009A10302010FA2020400"
},
"message": ""
}
Event ID 4: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server
#Fields #
| Name | Description |
|---|---|
Server UnicodeString | |
TargetRealm UnicodeString | |
Targetname UnicodeString | |
ClientRealm UnicodeString | |
__binLength UInt32 | |
binary Binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Kerberos",
"event_id": 4,
"level": "Error",
"task": null,
"opcode": null,
"time_created": "2026-03-17T18:20:50.9202849+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {
"TargetRealm": "LUDUS.DOMAIN",
"Targetname": "rpc/JD-DC01-2022",
"Server": "domainadmin",
"ClientRealm": "LUDUS.DOMAIN"
}
}
Event ID 4: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server
#Fields #
| Name | Description |
|---|---|
Server | |
TargetRealm | |
Targetname | |
ClientRealm | |
__binLength | |
binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Kerberos",
"guid": "{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}",
"event_source_name": "Kerberos",
"event_id": 4,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-03-14T20:59:54.579371+00:00",
"event_record_id": 12914,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "System",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Server": "domainadmin",
"TargetRealm": "LUDUS.DOMAIN",
"Targetname": "rpc/LAB-DC01",
"ClientRealm": "LUDUS.DOMAIN",
"Binary": ""
},
"message": ""
}
Event ID 5: The Kerberos client received a KRB_AP_ERR_TKT_NYV error from the server
#Fields #
| Name | Description |
|---|---|
Error UnicodeString | |
__binLength UInt32 | |
binary Binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Kerberos",
"event_id": 5,
"level": 2,
"task": 0,
"opcode": 0,
"time_created": "2026-04-20T19:20:46.7822967+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "System"
},
"event_data": {
"Server": "desktop-ff3n5xk$",
"KDCRealm": "LUDUS.DOMAIN"
}
}
Event ID 5: The Kerberos client received a KRB_AP_ERR_TKT_NYV error from the server
#Fields #
| Name | Description |
|---|---|
Error | |
__binLength | |
binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Kerberos",
"guid": "{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}",
"event_source_name": "Kerberos",
"event_id": 5,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-02-10T01:12:10.274438+00:00",
"event_record_id": 984,
"correlation": {},
"execution": {
"process_id": 240,
"thread_id": 0
},
"channel": "System",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Server": "jd-win11-22h2-1$",
"KDCRealm": "LUDUS.DOMAIN",
"Binary": ""
},
"message": ""
}
Event ID 6: The Kerberos SSPI package generated an output token of size Error bytes, which was too large to fit in the token buffer of size __binLength bytes, provided by process id
#Fields #
| Name | Description |
|---|---|
Error UnicodeString | |
__binLength UInt32 | |
binary Binary |
Event ID 7: The digitally signed Privilege Attribute Certificate (PAC) that contains the authorization information for client Error in realm __binLength could not be validated
#Fields #
| Name | Description |
|---|---|
Error UnicodeString | |
__binLength UInt32 | |
binary Binary |
Event ID 8: The domain controller rejected the client certificate of user __binLength, used for smart card logon
#Fields #
| Name | Description |
|---|---|
Error UnicodeString | |
__binLength UInt32 | |
binary Binary |
Event ID 9: The client has failed to validate the domain controller certificate for
#Fields #
| Name | Description |
|---|---|
Error UnicodeString | |
__binLength UInt32 | |
binary Binary |
Event ID 10: The Kerberos subsystem currently cannot retrieve tickets from your domain controller using the UDP network protocol
#Fields #
| Name | Description |
|---|---|
Error UnicodeString | |
__binLength UInt32 | |
binary Binary |
Event ID 11: The Distinguished Name in the subject field of your smart card logon certificate does not contain enough information to identify the appropriate domain on an non-domain joined computer
#Fields #
| Name | Description |
|---|---|
Error UnicodeString | |
__binLength UInt32 | |
binary Binary |
Event ID 12: While using your smart card over a VPN connection, the Kerberos subsystem encountered an error
#Fields #
| Name | Description |
|---|---|
Error UnicodeString | |
__binLength UInt32 | |
binary Binary |
Event ID 13: An error occurred while initializing the smart card logon library: Error.
#Event ID 14: The password stored in Credential Manager is invalid
#Fields #
| Name | Description |
|---|---|
Error UnicodeString | |
__binLength UInt32 | |
binary Binary |
Event ID 15: The Kerberos SSPI package generated an output token of size Error bytes, which was too large to fit in the token buffer of size __binLength bytes, provided by process id
#Fields #
| Name | Description |
|---|---|
Error UnicodeString | |
__binLength UInt32 | |
binary Binary |
Event ID 16: The Kerberos SSPI package failed to find the smart card certificate in the certificate store
#Fields #
| Name | Description |
|---|---|
Error UnicodeString | |
__binLength UInt32 | |
binary Binary |
Detection Patterns #
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
Provider_Name | eq | Kerberos-Key-Distribution-Center | 1 rule | sigma |
Provider_Name | eq | Microsoft-Windows-Kerberos-Key-Distribution-Center | 1 rule | sigma |
Event ID 17: The Kerberos SSPI package failed to locate the forest or domain Error to search
#Fields #
| Name | Description |
|---|---|
Error UnicodeString | |
__binLength UInt32 | |
binary Binary |
Event ID 18: The delegated TGT for the user (__binLength) has expired
#Fields #
| Name | Description |
|---|---|
Error UnicodeString | |
__binLength UInt32 | |
binary Binary |
Event ID 19: The KDC certificate for the domain controller does not contain the KDC Extended Key Usage (EKU): 1
#Fields #
| Name | Description |
|---|---|
Error UnicodeString | |
__binLength UInt32 | |
binary Binary |
Event ID 20: The KDC certificate for the domain controller does not have the DNS name of domain DomainName in the Subject Alternative Name (SAN) attribute: Error Code
#Fields #
| Name | Description |
|---|---|
DomainName UnicodeString | |
ErrorCode UnicodeString |
Event ID 27: Kerberos client event 27 (manifest stub).
#Detection Patterns #
Common Indicators #
Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.
| Field | Kind | Value | Rules | Vendors |
|---|---|---|---|---|
Provider_Name | eq | Kerberos-Key-Distribution-Center | 1 rule | sigma |
Provider_Name | eq | Microsoft-Windows-Kerberos-Key-Distribution-Center | 1 rule | sigma |
Event ID 100: The service principal name (SPN) SPN is not registered, which caused Kerberos authentication to fail: ErrorCode.
#Description
The service principal name (SPN) SPN is not registered, which caused Kerberos authentication to fail: ErrorCode. Use the setspn command-line tool to register the SPN.
Message #
Fields #
| Name | Description |
|---|---|
SPN UnicodeString | |
ErrorCode UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Kerberos",
"guid": "98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1",
"event_source_name": "",
"event_id": 100,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T20:17:40.189125+00:00",
"event_record_id": 1,
"correlation": {},
"execution": {
"process_id": 968,
"thread_id": 8880
},
"channel": "Microsoft-Windows-Kerberos/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"SPN": "HTTP/nonexistent.domain.local@LUDUS.DOMAIN",
"ErrorCode": 7
},
"message": ""
}
Event ID 101: The service principal name (SPN) SPN is registered on multiple accounts which caused Kerberos authentication to fail: ErrorCode.
#Description
The service principal name (SPN) SPN is registered on multiple accounts which caused Kerberos authentication to fail: ErrorCode. Use the setspn command-line tool to identify the accounts and remove the duplicate registrations.
Message #
Fields #
| Name | Description |
|---|---|
SPN UnicodeString | |
ErrorCode UInt32 |
Event ID 102: Trust validation of the certificate for the Kerberos Key Distribution Center (KDC) DomainController failed: ErrorCode.
#Event ID 103: Trust validation of the client certificate for ClientUpn failed: ErrorCode on KDC.
#Event ID 104: The Kerberos Key Distribution Center (KDC) for the domain TargetDomain does not have a certificate installed or does not support logon using certificates: ErrorCode.
#Event ID 105: The Kerberos client could not retrieve passwords for the group managed service account.
#Event ID 106: The Kerberos client received a KDC certificate that does not have KDC EKU (not based on Kerberos Authentication Template).
#Event ID 107: The Kerberos client received a KDC certificate that does not have a matched domain name.
#Event ID 108: The Kerberos client could not send a Kerberos proxy request.
#Description
The Kerberos client could not send a Kerberos proxy request.
Message #
Fields #
| Name | Description |
|---|---|
ServerName UnicodeString | [ProxyServer] ServerName. |
ServerPort UInt32 | [ProxyServer] ServerPort. |
ServerVdir UnicodeString | [ProxyServer] ServerVdir. |
ErrorCode UInt32 | |
Status UInt32 | NTSTATUS reference |
Event ID 109: The Kerberos client could not find a suitable credential to use with the authentication proxy.
#Description
The Kerberos client could not find a suitable credential to use with the authentication proxy.
Message #
Fields #
| Name | Description |
|---|---|
Proxy UnicodeString | [AuthProxy] Proxy. |
ProxyBypass UnicodeString | [AuthProxy] ProxyBypass. |
ProxyEpoch UInt32 | |
SupportedSchemes UInt32 | |
FirstScheme UInt32 | |
DigestCredInitialized Boolean | |
DigestCredDomainAndUserName UnicodeString | |
DigestCredEpoch UInt32 | |
BasicCredInitialized Boolean | |
BasicCredDomainAndUserName UnicodeString | |
BasicCredEpoch UInt32 |
Event ID 200: The Kerberos client could not locate a domain controller for domain TargetDomain: ErrorCode.
#Description
The Kerberos client could not locate a domain controller for domain TargetDomain: ErrorCode. Kerberos authentication requires communicating with a domain controller.
Message #
Fields #
| Name | Description |
|---|---|
TargetDomain UnicodeString | |
ErrorCode UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Kerberos",
"guid": "98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1",
"event_source_name": "",
"event_id": 200,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T20:24:08.199756+00:00",
"event_record_id": 2,
"correlation": {},
"execution": {
"process_id": 968,
"thread_id": 10948
},
"channel": "Microsoft-Windows-Kerberos/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"TargetDomain": "LUDUS.DOMAIN",
"ErrorCode": 3221225572
},
"message": ""
}
Event ID 201: Attempt to use Kerberos unconstrained delegation failed.
#Description
Attempt to use Kerberos unconstrained delegation failed.
Message #
Fields #
| Name | Description |
|---|---|
TargetName UnicodeString | |
UserName UnicodeString | |
DomainName UnicodeString | |
CallerPID UInt32 | |
ProcessName UnicodeString | |
ClientLUID HexInt64 | |
ClientUserName UnicodeString | |
ClientDomainName UnicodeString | |
MechanismOID UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Kerberos",
"guid": "98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1",
"event_source_name": "",
"event_id": 201,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-13T20:05:05.241896+00:00",
"event_record_id": 1,
"correlation": {
"ActivityID": "A5B814C5-B324-0003-DC14-B8A524B3DC01"
},
"execution": {
"process_id": 984,
"thread_id": 1072
},
"channel": "Microsoft-Windows-Kerberos/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"TargetName": "cifs/LAB-DC01.ludus.domain",
"UserName": "NULL",
"DomainName": "NULL",
"CallerPID": 4,
"ProcessName": "",
"ClientLUID": "0x3e7",
"ClientUserName": "LAB-WIN11$",
"ClientDomainName": "ludus",
"MechanismOID": "1.2.840.48018.1.2.2"
},
"message": ""
}
Event ID 202: Attempt to export TGT session key failed.
#Description
Attempt to export TGT session key failed.
Message #
Fields #
| Name | Description |
|---|---|
TargetName UnicodeString | |
UserName UnicodeString | |
DomainName UnicodeString | |
CallerPID UInt32 | |
ProcessName UnicodeString | |
ClientLUID HexInt64 | |
ClientUserName UnicodeString | |
ClientDomainName UnicodeString | |
MechanismOID UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Kerberos",
"guid": "98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1",
"event_source_name": "",
"event_id": 202,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-15T05:16:41.040416+00:00",
"event_record_id": 44,
"correlation": {},
"execution": {
"process_id": 940,
"thread_id": 2768
},
"channel": "Microsoft-Windows-Kerberos/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"TargetName": "krbtgt/LUDUS.DOMAIN",
"UserName": "domainadmin",
"DomainName": "NULL",
"CallerPID": 3788,
"ProcessName": "C:\\Windows\\System32\\klist.exe",
"ClientLUID": "0x4aa840e",
"ClientUserName": "domainadmin",
"ClientDomainName": "ludus",
"MechanismOID": "NULL"
},
"message": ""
}
Event ID 203: When Credential Guard is enabled, Kerberos does not accept PKINIT KDC replies using public key encryption to ensure Kerberos tickets cannot be expo...
#Description
When Credential Guard is enabled, Kerberos does not accept PKINIT KDC replies using public key encryption to ensure Kerberos tickets cannot be exported from the device. For more information, see https://go.microsoft.com/fwlink/?linkid=856823.
Message #
Event ID 204: Kerberos does not accept PKINIT KDC replies using public key encryption.
#Description
Kerberos does not accept PKINIT KDC replies using public key encryption.
Message #
Event ID 205: The KDC used a hash algorithm for the PKINIT protocol that is being audited: Algorithm.
#Event ID 206: The Kerberos client used a hash algorithm for the PKINIT protocol that is being audited: Algorithm.
#Event ID 207: The KDC used a hash algorithm for the PKINIT protocol that is not supported on the client: Algorithm.
#Event ID 208: The Kerberos client and KDC could not agree on a policy compliant hash algorithm for PKINIT.
#Event ID 209: The Kerberos client has an invalid hash algorithm configuration for PKINIT.
#Description
The Kerberos client has an invalid hash algorithm configuration for PKINIT. This might result in PKINIT failures.
Message #
Event ID 300: The Kerberos client discovered domain controller DomainController for the domain TargetDomain.
#Event ID 301: The Kerberos client used credentials from the Credential Manager for the target: 'Target'.
#Event ID 302: The Kerberos client was bound to domain controller DesiredFlags for the domain CacheFlags but could not access this domain controller at the time.
#Description
The Kerberos client was bound to domain controller DesiredFlags for the domain CacheFlags but could not access this domain controller at the time.
Message #
Fields #
| Name | Description |
|---|---|
DomainController UnicodeString | |
TargetDomain UnicodeString | |
DesiredFlags UInt32 | |
CacheFlags UInt32 | |
ErrorCode UInt32 | DesiredFlags. |
Event ID 303: The Kerberos client updated passwords for the group managed service account.
#Description
The Kerberos client updated passwords for the group managed service account.
Message #
Fields #
| Name | Description |
|---|---|
LuidHighPart UInt32 | |
LuidLowPart UInt32 | |
DomainName UnicodeString | |
UserName UnicodeString | |
UpdateCurrent Boolean | |
UpdateOld Boolean | |
Refresh Boolean | |
LastFileTime UnicodeString | |
CurrentFileTime UnicodeString |
Event ID 304: The Kerberos client used the DES algorithm to encrypt data.
#Description
The Kerberos client used the DES algorithm to encrypt data. This is unsupported with Credential Guard.
Message #
Event ID 305: Export of TGT attempted through call package.
#Event ID 306: Export of supplemental credentials attempted.
#Event ID 307: The Kerberos client has discovered a DMSA migration.
#Description
The Kerberos client has discovered a DMSA migration.
Message #
Fields #
| Name | Description |
|---|---|
OldAccount UnicodeString | |
NewAccount UnicodeString | |
DomainName UnicodeString | |
Status UInt32 | NTSTATUS reference |
MigrationComplete Boolean |
Event ID 308: Adding machine to the Principals Allowed Managed Password attribute of a DMSA.
#Description
Adding machine to the Principals Allowed Managed Password attribute of a DMSA.
Message #
Fields #
| Name | Description |
|---|---|
DC UnicodeString | |
DN UnicodeString | |
Account UnicodeString | |
Domain UnicodeString | |
PreviouslyAuthorized Boolean | |
Status UInt32 | NTSTATUS reference |
Event ID 309: Fetching keys for a DMSA using the machine account.
#Description
Fetching keys for a DMSA using the machine account.
Message #
Fields #
| Name | Description |
|---|---|
KDC UnicodeString | |
Domain UnicodeString | |
Account UnicodeString | |
Fetch UnicodeString | |
Expiration UnicodeString | |
KeyUpdate Boolean | |
NtlmUpdate Boolean | |
Status UInt32 | NTSTATUS reference |
Event ID 310: Machine password migrated from LSA to VBS Enforcement Mode.
#Event ID 311: Machine Identity Isolation is currently in enforcement mode.
#Description
Machine Identity Isolation is currently in enforcement mode. To go back to disabled/audit mode, you must manually unjoin and rejoin the domain.
Message #
Event ID 312: Machine password change failed.
#Description
Machine password change failed.
Message #
Fields #
| Name | Description |
|---|---|
Status UInt32 | NTSTATUS reference |
MigrationNeeded Boolean | |
EnforcementMode UInt32 | |
ExitReason UInt32 |
Event ID 65541: An error occurred while retrieving a digital certificate from the inserted smart card.
#Description
An error occurred while retrieving a digital certificate from the inserted smart card. Error.
Message #
Fields #
| Name | Description |
|---|---|
Error UnicodeString | |
binary Binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Kerberos",
"event_id": 5,
"level": "Error",
"task": null,
"opcode": null,
"time_created": "2026-03-15T23:59:20.7606759+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {
"Server": "jd-win11-22h2-1$",
"KDCRealm": "LUDUS.DOMAIN"
}
}
Event ID 65542: An error occurred in while attempting to verify the inserted smart card: Error.
#Event ID 65543: An error occurred while signing a message using the inserted smart card: Error.
#Event ID 65544: An error occurred while verifying a signed message using the inserted smart card: Error.
#Event ID 65545: An error occurred while verifying the digital certificate retrieved from the inserted smart card: Error.
#Event ID 65546: An error occurred while encrypting a message using the inserted smart card: Error.
#Event ID 65547: An error occurred while decrypting a message using the inserted smart card: Error.
#Event ID 65548: An error occurred while building a certificate context: Error.
#Event ID 65550: An error occurred while signing a message: Error.
#Event ID 65551: An error occurred while verifying a signed message: Error.
#Event ID 65552: An error occurred while encrypting a message: Error.
#Event ID 65553: An error occurred while decrypting a message: Error.
#Event ID 65554: An error occurred while retrieving some provider parameter: Error.
#Event ID 65555: An error occurred while generating a random number: Error.
#Event ID 1073741828: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server Server.
#Description
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server Server. The target name used was Targetname. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (TargetRealm) is different from the client domain (ClientRealm), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Message #
Fields #
| Name | Description |
|---|---|
Server UnicodeString | |
TargetRealm UnicodeString | |
Targetname UnicodeString | |
ClientRealm UnicodeString | |
binary Binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Kerberos",
"event_id": 4,
"level": "Error",
"task": null,
"opcode": null,
"time_created": "2026-03-17T18:20:50.9202849+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {
"TargetRealm": "LUDUS.DOMAIN",
"Targetname": "rpc/JD-DC01-2022",
"Server": "domainadmin",
"ClientRealm": "LUDUS.DOMAIN"
}
}
Event ID 1073741829: The Kerberos client received a KRB_AP_ERR_TKT_NYV error from the server Server.
#Description
The Kerberos client received a KRB_AP_ERR_TKT_NYV error from the server Server. This indicates that the ticket presented to that server is not yet valid (due to a discrepancy between ticket and server time. Contact your system administrator to make sure the client and server times are synchronized, and that the time for the Key Distribution Center Service (KDC) in realm KDCRealm is synchronized with the KDC in the client realm.
Message #
Fields #
| Name | Description |
|---|---|
Server UnicodeString | |
KDCRealm UnicodeString | |
binary Binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Kerberos",
"event_id": 5,
"level": "Error",
"task": null,
"opcode": null,
"time_created": "2026-03-15T23:59:20.7606759+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {
"Server": "jd-win11-22h2-1$",
"KDCRealm": "LUDUS.DOMAIN"
}
}
Event ID 2147483651: A Kerberos error message was received.
#Description
A Kerberos error message was received.
Message #
Fields #
| Name | Description |
|---|---|
Client_Time | |
Server_Time | [A Kerberos error message was received] Client Time. |
Error_Code | [A Kerberos error message was received] Server Time. |
Extended_Error | [A Kerberos error message was received] Error Code. |
Client_Realm | |
Client_Name | [A Kerberos error message was received] Extended Error. |
Server_Realm | [A Kerberos error message was received] Client Realm. |
Server_Name | [A Kerberos error message was received] Client Name. |
Target_Name | [A Kerberos error message was received] Server Realm. |
Error_Text | [A Kerberos error message was received] Server Name. |
File UnicodeString | [A Kerberos error message was received] Target Name. |
Line UnicodeString | [A Kerberos error message was received] Error Text. |
LogonSession UnicodeString | |
ClientTime UnicodeString | |
ServerTime UnicodeString | |
ErrorCode UnicodeString | |
ErrorMessage UnicodeString | |
ExtendedError UnicodeString | |
ClientRealm UnicodeString | |
ClientName UnicodeString | |
ServerRealm UnicodeString | |
ServerName UnicodeString | |
TargetName UnicodeString | |
ErrorText UnicodeString | |
binary Binary |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Security-Kerberos",
"event_id": 3,
"level": "Error",
"task": null,
"opcode": null,
"time_created": "2026-03-13T23:09:23.8825311+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "System"
},
"event_data": {
"ServerTime": "23:9:23.0000 3/13/2026 Z",
"ErrorText": null,
"ServerRealm": "LUDUS.DOMAIN",
"Line": "e00",
"TargetName": "krbtgt/LUDUS.DOMAIN@LUDUS.DOMAIN",
"ServerName": "krbtgt/LUDUS.DOMAIN",
"ErrorCode": "0x19",
"File": "onecore\\ds\\security\\protocols\\kerberos\\client2\\logonapi.cxx",
"ClientRealm": null,
"ClientTime": null,
"ErrorMessage": "KDC_ERR_PREAUTH_REQUIRED",
"LogonSession": "LUDUS.DOMAIN\\domainadmin",
"ExtendedError": null,
"ClientName": null
}
}
Event ID 2147483654: The Kerberos SSPI package generated an output token of size NeededSize bytes, which was too large to fit in the token buffer of size ActualSize bytes, provided by ...
#Description
The Kerberos SSPI package generated an output token of size NeededSize bytes, which was too large to fit in the token buffer of size ActualSize bytes, provided by process id ClientProcessID.
Message #
Fields #
| Name | Description |
|---|---|
NeededSize UnicodeString | |
ActualSize UnicodeString | |
ClientProcessID UnicodeString | |
ClientName UnicodeString | |
binary Binary |
Event ID 2147483658: The Kerberos subsystem currently cannot retrieve tickets from your domain controller using the UDP network protocol.
#Description
The Kerberos subsystem currently cannot retrieve tickets from your domain controller using the UDP network protocol. This is typically due to network problems. Contact your system administrator.
Message #
Event ID 2147483660: While using your smart card over a VPN connection, the Kerberos subsystem encountered an error.
#Description
While using your smart card over a VPN connection, the Kerberos subsystem encountered an error. Typically, this indicates the card has been pulled from the card reader during the VPN session. One possible solution is to close the VPN connection, reinsert the card, and establish the connection again.
Message #
Event ID 2147483661: The smart card PIN stored in Credential Manager is missing or invalid.
#Description
The smart card PIN stored in Credential Manager is missing or invalid. The smart card PIN is stored in memory only for the current interactive logon session, and is deleted if the card is removed from the card reader or when the user logs off. To resolve this error, keep the card in the reader, open Credential Manager in Control Panel, and reenter the PIN for the credential Username.
Message #
Fields #
| Name | Description |
|---|---|
Username UnicodeString | |
binary Binary |
Event ID 2147483662: The password stored in Credential Manager is invalid.
#Description
The password stored in Credential Manager is invalid. This might be caused by the logged on user changing the password from this computer or a different computer. To resolve this error, open Credential Manager in Control Panel, and reenter the password for the credential Username.
Message #
Fields #
| Name | Description |
|---|---|
Username UnicodeString | |
binary Binary |
Event ID 2147483663: The Kerberos SSPI package generated an output token of size NeededSize bytes, which was too large to fit in the token buffer of size ActualSize bytes, provided by ...
#Description
The Kerberos SSPI package generated an output token of size NeededSize bytes, which was too large to fit in the token buffer of size ActualSize bytes, provided by process id ClientProcessID.
Message #
Fields #
| Name | Description |
|---|---|
NeededSize UnicodeString | |
ActualSize UnicodeString | |
ClientProcessID UnicodeString | |
RequiredSize UnicodeString | |
binary Binary |
Event ID 2147483666: The delegated TGT for the user has expired.
#Description
The delegated TGT for the user (Server) has expired. A renewal was attempted and failed with error ClientPrincipalName. The server logon session (Client) has stopped delegating the user's credential. For future unconstrained delegation to succeed, the user needs to authenticate again to the server. TGT Details: Client: Server Server: Flags Flags: Start_Time Start Time: End_Time End Time: Renew_Until Renew Until: Luid
Message #
Fields #
| Name | Description |
|---|---|
Client | |
Server | [TGT Details] Client. |
Flags | [TGT Details] Server. |
Start_Time | [TGT Details] Flags. |
End_Time | |
Renew_Until | |
Luid UnicodeString | |
ClientPrincipalName UnicodeString | |
ServicePrincipalName UnicodeString | |
TicketFlags UnicodeString | |
StartTime UnicodeString | |
EndTime UnicodeString | |
RenewUntil UnicodeString | |
ErrorCode UnicodeString |
Event ID 2147483667: The KDC certificate for the domain controller does not contain the KDC Extended Key Usage (EKU): 1.
#Description
The KDC certificate for the domain controller does not contain the KDC Extended Key Usage (EKU): 1.3.6.1.5.2.3.5: Error Code ErrorCode. The domain administrator will need to obtain a certificate with the KDC EKU for the domain controller to resolve this error. When using Windows Server Certificate Services create a certificated based on the Kerberos Authentication Template.
Message #
Fields #
| Name | Description |
|---|---|
ErrorCode UnicodeString |
Event ID 2147483668: The KDC certificate for the domain controller does not have the DNS name of domain DomainName in the Subject Alternative Name (SAN) attribute: Error Code ErrorCode.
#Description
The KDC certificate for the domain controller does not have the DNS name of domain DomainName in the Subject Alternative Name (SAN) attribute: Error Code ErrorCode. The domain administrator will need to obtain a KDC certificate with the DNS domain name in the SAN attribute for the domain controller to resolve this error. When using Windows Server Certificate Services create a certificated based on the Kerberos Authentication Template.
Message #
Fields #
| Name | Description |
|---|---|
DomainName UnicodeString | |
ErrorCode UnicodeString |
Event ID 2147483669: During Kerberos Network Ticket Logon, the service ticket for Account .
#Fields #
| Name | Description |
|---|---|
param1 | |
param2 | |
param3 | |
param4 |
Event ID 2147483670: During Kerberos Network Ticket Logon, the service ticket for Account .
#Fields #
| Name | Description |
|---|---|
Reason | |
ErrorCode |
Event ID 2147483671: During Kerberos Network Ticket Logon, the service ticket for Account .
#Fields #
| Name | Description |
|---|---|
param1 | |
param2 |
Event ID 3221225479: The digitally signed Privilege Attribute Certificate (PAC) that contains the authorization information for client ClientName in realm Realm could not be valid...
#Event ID 3221225480: The domain controller rejected the client certificate of user Message, used for smart card logon.
#Event ID 3221225481: The client has failed to validate the domain controller certificate for Message.
#Event ID 3221225483: The Distinguished Name in the subject field of your smart card logon certificate does not contain enough information to identify the appropriate do...
#Description
The Distinguished Name in the subject field of your smart card logon certificate does not contain enough information to identify the appropriate domain on an non-domain joined computer. Contact your system administrator.
Message #
Event ID 3221225488: The Kerberos SSPI package failed to find the smart card certificate in the certificate store.
#Description
The Kerberos SSPI package failed to find the smart card certificate in the certificate store. To remedy this failure, logon as user Username and insert the smart card into the smart card reader, then use the Certificates snap-in to verify that the smart card certificate is in the user's personal certificate store.
Message #
Fields #
| Name | Description |
|---|---|
Username UnicodeString | |
binary Binary |
Event ID 3221225489: The Kerberos SSPI package failed to locate the forest or domain Forest to search.
#Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}
Defined in kerberos.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, sample captured from a live trace, binary version 10.0.20348.2849, captured 2026-06-02
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.2849, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.4202, captured 2026-06-02