You may be using a Web browser that does not support standards for accessibility and user interaction. Find out why you should upgrade your browser for a better experience of this and other standards-based sites...

Dartmouth Home  Search  Index

Dartmouth Home | Search | Index

 Dartmouth home page
Computing at Dartmouth
 

Home | Resources | Services | Support | About
Computing > Support >  Library >  Safe Computing > Defenses > Authentication > Kerberos > Using > Windows >  

Kerberos Error Messages on Windows

< Previous

Even if Kerberos is correctly configured, it is still possible to get error messages when trying to access Kerberos-controlled network services. Information about some of the standard Kerberos error codes is provided below.

Kerberos error 8: Principal unknown

A file called KVIEW.INI (usually located in the WINDOWS directory) contains a list of Kerberos realms that have DND servers associated with them. When a user logs into one of these realms, they can enter their DND nickname instead of their literal Kerberos ID. In fact, sometimes even complete DND names do not work because they contain a dot, which is not allowed in a literal Kerberos ID.

If you get the Kerberos Error 8: Principal unknown error, your DND Lookup is not being processed correctly. This usually means the KVIEW.INI file is missing or corrupted. Toss out the existing KVIEW.INI file (if present) and re-install the software to get a new one. For installation instructions, see Downloading and Installing Kerberos on Windows XP Professional, Vista Enterprise, and Vista Ultimate.

Kerberos error 37: Time is out of bounds error

If the clock on your computer is out of sync with the Kerberos server clock, you may get this error message.

To fix the problem, make sure the Synchronize time with Kerberos server option is checked in the SideCar Options dialog box. Right-click on the Padlock icon in your System Tray and select Options in the window that appears. Check the Synchronize option.

You can use the Synchronize Clock option in the SideCar menu, but that will only change the clock once. We recommend checking the setting in the Options dialog box so your computer's clock is always synchronized.

Kerberos error 37: Time is out of bounds error AND you are not in the east coast time zone

Verify that your clock is set to the correct time zone:

  1. Open the Control Panel, then the Date/Time option. Select the Time Zone tab.
  2. Verify that the Time Zone is set to the appropriate time zone.
  3. Ensure the box next to Automatically Adjust for Daylight Saving Time Changes is checked.
  4. Reboot your computer. (This step is essential!)
  5. After rebooting, follow the instructions  above to turn on the synchronize clock setting.

Kerberos error 56: Retry count exceeded (send_to_kdc)

This error message may appear if you are behind a proxy server. You cannot use Kerberos authentication if your Internet Service Provider (ISP) is using a proxy server. If you must use a Kerberos-restricted resource, dial directly into the Dartmouth modem pool or rely on a VPN connection. See, VPN Client for Windows XP and Vista.

Kerberos error 57: Can't send request (send_to_kdc)

This error message appears if your computer doesn't have the appropriate SERVICES file. The SERVICES file should be located in the C:\WINDOWS\system32\drivers\etc folder.

First, check to see if you have a SERVICES file in the appropriate directory. If you do and you are receiving Kerberos error 57, then add the following line to your SERVICES file by using a text editor (such as Notepad):

kerberos     913/udp    kdc    #Kerberos authentication--udp

When you save the file, make sure the file is called SERVICES (be careful; some text editors automatically add a .TXT extension to any edited files).

Reboot your computer and verify the software installation on Testing the Kerberos Software Installation.

This error can also occur due to a conflict with MSN Messenger. If making the above changes doesn't solve the problem, and you have Messenger installed, we recommend uninstalling Messenger and SideCar from your computer, restarting, then reinstalling Kerberos and SideCar.

Kerberos error 62: Password incorrect

If you are entering the correct BlitzMail password, but are still receiving the "Password incorrect" error, change your BlitzMail password. The reason for this is arcane and fairly technical. To put it simply, BlitzMail uses an authentication process that may allow you to sign on if the password you type in is "one letter off" from your real password (for example, substituting an "m" for an "n"). Therefore, you may be able to sign on to BlitzMail, but not other authenticated services.

If you are unable to change your password, please contact the IT Service Desk (Help Desk) at 646-2999 and select from the options provided, send electronic mail to help@dartmouth.edu, or call your department's IT support office.

Kerberos error 70: Generic error (get_intkt)

Kerberos error 70 is usually caused by the Kerberos library on the computer not being able to store its tickets. The tickets are stored in a file called TICKET.KRB; a series of steps is executed to determine which directory to use.

  1. If the environment variable KRBTKFILE is set, it assumes that this is the path to the TICKET.KRB file.
  2. If any of the environment variables (TMP, TEMP, or HOME) are defined, then it will use its value as the directory name for the TICKET.KRB file. If these directories exist, "C:\WINDOWS" or "C:\TEMP" are possibilities.
  3. If none of these environment variables are defined, it will use "C:\TMP\TICKET.KRB".

Kerberos error 79 or error 81

If your DND name is longer than 38 characters, you will receive error 79 or error 81 from Kerberos. There is a limit to the length of your DND name in the Kerberos software. If your full DND name is longer than 38 characters, please contact the IT Service Desk (Help Desk) at 646-2999 and select from the options provided, send electronic mail to help@dartmouth.edu, or call your department's IT support office. Your DND name will need to be shortened.

Error code: -6005

The full error message reads, "Could not look up your name in the DND because of an error -6005." Make sure you are entering your DND name and password correctly in the appropriate fields, and that you have selected the correct realm.

Error code: -20001

If your desktop clock is out of sync with the Kerberos server clock, you may receive this error. To fix the problem, follow the instructions for Kerberos error 37: Time is out of bounds error, above.

Error code: -22000

This error usually means you are using a proxy server. Some Internet Service Providers (ISPs) and corporations use proxy servers for security reasons. You will not be able to use Kerberos if you are using a proxy server. If you must use Kerberos-restricted resources, dial directly into the Dartmouth modem pool or rely on a VPN connection. For more information, see the VPN Client for Windows XP and Vista Web page.

Note: If you do not already have the VPN Client software installed on your computer, you will not be able to download the installation software unless Kerberos is working properly. If you find yourself in this situation, please contact the IT Service Desk (Help Desk) at 646-2999 and select from the options provided, send electronic mail to help@dartmouth.edu, or call your department's IT support office.

 

< Previous

09/04/08

Last Updated: 9/12/08