Summary
This document describes many of the common errors that may occur due to a misconfiguration of a SQL Server Kerberos resource, along with the most likely cause of each error and possible resolutions.
Common AD/KDC Errors
Problem | Error | Possible Remedy |
--- | --- | --- |
User not found in AD | failed to load service ticket: [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (6) KDC_ERR_C_PRINCIPAL_UNKNOWN Client not found in Kerberos database | This error indicates that the provided user principal name does not exist according to the AD server. Verify that the username specified in the StrongDM resource configuration and in the keytab is correct and that the user exists in the AD domain. |
User not found in keytab | failed to load service ticket: [Root cause: Encrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: failed setting AS_REQ PAData for pre-authentication required < Encrypting_Error: error getting key from credentials: matching key not found in keytab. Looking for [example-vm-admin] realm: AD.EXAMPLE.COM kvno: 0 etype: 18 | This error indicates that the provided user principal name does not exist in the keytab. Verify that the username and realm specified in the StrongDM resource configuration and in the keytab are correct and match. |
Key version number mismatch between AD and keytab | failed to load service ticket: [Root cause: Decrypting_Error] KRBMessage_Handling_Error: AS Exchange Error: AS_REP is not valid or client password/keytab incorrect < Decrypting_Error: error decrypting EncPart of AS_REP < Decrypting_Error: error decrypting AS_REP encrypted part: matching key not found in keytab. Looking for [example-vm-admin] realm: AD.EXAMPLE.COM kvno: 5 etype: 18 | This error indicates that the key version number (kvno) in the keytab does not match the key version number in AD. The expected key version number is included in the error (in this example, kvno: 5) and can also be verified on the AD server using the tools described in earlier sections. Update or recreate the keytab with the expected key version number for this principal. |
Password is invalid | failed to load service ticket: [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (24) KDC_ERR_PREAUTH_FAILED Pre-authentication information was invalid | This error may occur for other reasons, but typically indicates that the password used to populate the keytab is incorrect and does not match the actual password in AD. Verify that the password used to populate the keytab is correct, using kinit or by logging into the AD server, and update or regenerate the keytab if needed. Another common cause of this error is the realm name not being specified in upper case. This can be resolved by ensuring the realm is specified in upper case in all locations (the Realm field in the datasource as well as the krb5.conf and keytab). |
Password has expired | failed to authenticate: [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (23) KDC_ERR_KEY_EXPIRED Password has expired; change password to reset | This error indicates that the password of the user account has expired in Active Directory, or the account is required to change its password on the next login. Update the password in AD and regenerate the keytab with the new password. Changing the password in AD will also generally increment the key version number, so ensure that matches as well. |
Account is disabled | failed to authenticate: [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (18) KDC_ERR_CLIENT_REVOKED Clients credentials have been revoked | This error indicates that the user account is disabled, locked, or expired in Active Directory. Review the state of the account in AD and unlock it, re-enable it, or reset its expiration date as needed. |
SPN is not registered in AD | failed to load service ticket: [Root cause: KDC_Error] KDC_Error: TGS Exchange Error: kerberos error response from KDC when requesting for MSSQLSvc/dev.ad.example.comx:1433: KRB Error: (7) KDC_ERR_S_PRINCIPAL_UNKNOWN Server not found in Kerberos database | This error indicates that the provided Service Principal Name (SPN) was not found in AD. Verify that the SPN specified in the resource configuration is correct, and use the commands noted above to verify that the SPN is registered in the AD domain for the account under which the SQL Server service is running. SQL Server should automatically register this SPN when it starts and deregister it when it stops, so also verify that SQL Server is running. Automatic registration should almost always work, but under rare circumstances (typically when the SQL Server service is running under a domain user account without privileges to register services) it may be necessary to manually register the SPN, as described here: Register a Service Principal Name for Kerberos connections |
Realm not found in krb5.conf | failed precondition: failed to load service ticket: [Root cause: Networking_Error] Networking_Error: AS Exchange Error: failed sending AS_REQ to KDC: failed to communicate with KDC. Attempts made with UDP (no KDCs defined in configuration for realm AD.EXAMPLE.COM) and then TCP (no KDCs defined in configuration for realm AD.EXAMPLE.COM) | This error indicates that the specified realm is not present in the krb5.conf. Verify that the realm specified in the StrongDM resource configuration is correct and matches one of the realms specified in the krb5.conf configuration file. |
KDC DNS lookup failed | failed to load service ticket: [Root cause: Networking_Error] Networking_Error: AS Exchange Error: failed sending AS_REQ to KDC: failed to communicate with KDC. Attempts made with UDP (error sending to a KDC: error resolving KDC address: lookup ad2.example.com: no such host) and then TCP (error in getting a TCP connection to any of the KDCs) | This error indicates that a KDC specified by hostname in the krb5.conf could not be resolved by DNS. Verify that the KDC hostnames specified for this realm in the krb5.conf are correct and that the relay can resolve those DNS names. In some circumstances, such as when the relay does not have access to a DNS server that can resolve these names, it may be necessary to specify the KDCs by IP address instead of hostname. |
KDC is unreachable | failed to load service ticket: [Root cause: Networking_Error] Networking_Error: AS Exchange Error: failed sending AS_REQ to KDC: failed to communicate with KDC. Attempts made with UDP (error sending to a KDC: error sending to xxx.xxx.xxx.xxx:88: sending over UDP failed to xxx.xxx.xxx.xxx:88: read udp xxx.xxx.xxx.xxx:53491->xxx.xxx.xxx.xxx:88: i/o timeout) and then TCP (error in getting a TCP connection to any of the KDCs) | This error indicates that the StrongDM relay could not establish a network connection to the KDC. Verify that the hostname or IP address and port of the KDCs are correct in the krb5.conf, that the relay has outbound network connectivity to the KDC port (typically the default, 88) over TCP or UDP, and that any firewall configuration allows these connections. |
Incorrect realm for domain | failed to load service ticket: [Root cause: KDC_Error] KDC_Error: TGS Exchange Error: kerberos error response from KDC when requesting for krbtgt/DEV.AD.EXAMPLE.COM: KRB Error: (7) KDC_ERR_S_PRINCIPAL_UNKNOWN Server not found in Kerberos database | This error may indicate that the default realm specified in the krb5.conf configuration is incorrect, or that multiple realms are configured and the domain_realm mapping is incorrect. Verify that the krb5.conf configuration is correct. |
Common SQL Server Errors
Problem | Error | Possible Remedy |
--- | --- | --- |
Incorrect or untrusted domain | "security error found" message="Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication." class=14 | This error indicates that SQL Server does not trust the domain of the user connecting to the server, which may occur for several reasons. The Windows Security log on the system running SQL Server will typically contain a more specific failure reason/status code such as those documented here. |
Untrusted login | "security error found" message="Login failed for user 'AD\\example-vm-test'." class=14 | This error may indicate that the user account specified for login has not been allowed access on the SQL Server. Verify that the username specified in the StrongDM resource configuration is correct, and use SSMS to verify that there is a matching AD user (or a group to which that user belongs) listed under Security > Logins with Windows Authentication as the authentication type, and that the user or group has been granted permission to connect. |
Database cannot be opened | message="Cannot open database \"example-db\" that was requested by the login. Using the user default database \"master\" instead." | This error indicates that the specified database does not exist or the user does not have access to it. Verify that the database and user specified in the StrongDM resource configuration are correct, that the database exists on the SQL Server, and that it allows access from the specified user. |
SQL Server DNS lookup failed | cannot dial resource: cannot dial to destination: dial tcp4: lookup mssql.example.com: no such host (target: mssql.example.com:1433 timeout: 15s) | This error indicates that the SQL Server hostname could not be resolved by DNS. Verify that the hostname specified in the StrongDM resource configuration is correct and that the relay can resolve the DNS name. In some circumstances, such as when the relay does not have access to a DNS server that can resolve this name, it may be necessary to specify the SQL Server by IP address instead of hostname. |
SQL Server is unreachable | cannot dial to destination: dial tcp4 xxx.xxx.xxx.xxx:1433: i/o timeout (target: xxx.xxx.xxx.xxx:1433 timeout: 15s) | This error indicates that the StrongDM relay could not establish a network connection to the SQL Server. Verify that the hostname or IP address and port of the SQL Server are correct in the StrongDM resource configuration, that the relay has outbound network connectivity to the SQL Server port (typically the default, 1433) over TCP, and that any firewall configuration allows these connections. |
Malformed Configuration Errors
Problem | Error | Possible Remedy |
--- | --- | --- |
Malformed krb5.conf | failed to unmarshal krb5 conf file: error processing libdefaults section: invalid krb5 config libdefaults section line ([realms) | Errors of this form indicate that the krb5.conf is malformed or truncated. Verify that the krb5.conf configuration in the StrongDM resource is syntactically valid, testing it with kinit if desired and regenerating it if necessary. |
Malformed keytab | failed to unmarshal keytab file: invalid keytab data. First byte does not equal 5 | Errors of this form indicate that the keytab is malformed or truncated. Verify that the keytab configuration in the StrongDM resource is correctly base64-encoded, testing it (after decoding) with kinit if desired and regenerating it if necessary. |
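Several of the rows above (user not found in keytab, kvno mismatch, realm not in upper case, malformed keytab) can be checked before the keytab is ever pasted into a resource. The following Python is an added example, not StrongDM's own tooling: it decodes the base64 keytab, parses the version 0x0502 file format, and compares each entry with the principal, realm and kvno you expect (the expected kvno is assumed to have been read from AD with the tools described in earlier sections). The sample keytab bytes and the dummy key are constructed here and are not a real credential.

```python
import base64, struct

# Constructed sample keytab (not a real credential): one version 0x0502 entry
# for example-vm-admin@AD.EXAMPLE.COM, kvno 5, etype 18, with a 4-byte dummy key.
_BODY = (b"\x00\x01\x00\x0eAD.EXAMPLE.COM\x00\x10example-vm-admin"      # ncomp, realm, name
         b"\x00\x00\x00\x01\x00\x00\x00\x00\x05\x00\x12\x00\x04\xde\xad\xbe\xef"  # type, time, vno8, etype, key
         b"\x00\x00\x00\x05")                                           # 32-bit kvno
SAMPLE_KEYTAB_B64 = base64.b64encode(b"\x05\x02" + struct.pack(">i", len(_BODY)) + _BODY).decode()

def parse_keytab(data):
    # Returns (principal, realm, kvno, etype) for each entry of a 0x0502 keytab
    if len(data) < 2 or data[0] != 5:
        raise ValueError("invalid keytab data: first byte does not equal 5")
    pos, entries = 2, []
    def cstr():                            # counted_octet_string: uint16 length + bytes
        nonlocal pos
        n = struct.unpack_from(">H", data, pos)[0]
        pos += 2 + n
        return data[pos - n:pos]
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size < 0:                       # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp, pos = struct.unpack_from(">H", data, pos)[0], pos + 2
        realm = cstr().decode()
        comps = [cstr().decode() for _ in range(ncomp)]
        pos += 8                           # skip name_type and timestamp
        kvno, etype, pos = data[pos], struct.unpack_from(">H", data, pos + 1)[0], pos + 3
        cstr()                             # the key itself is not needed here
        if end - pos >= 4:                 # trailing 32-bit kvno wins when present
            kvno = struct.unpack_from(">I", data, pos)[0]
        pos = end
        entries.append(("/".join(comps), realm, kvno, etype))
    return entries

def check_keytab(b64, principal, realm, expected_kvno, etype=18):
    # Returns the problems the relay would hit, phrased like the table rows above
    try:
        entries = parse_keytab(base64.b64decode(b64, validate=True))
    except ValueError as e:                # binascii.Error is a ValueError
        return ["malformed keytab: %s" % e]
    problems = [] if realm.isupper() else ["realm %s is not upper case" % realm]
    match = [e for e in entries if e[0] == principal and e[1] == realm]
    if not match:
        return problems + ["no key for %s@%s in keytab" % (principal, realm)]
    if expected_kvno not in {e[2] for e in match}:
        problems.append("kvno mismatch: expected %d" % expected_kvno)
    if etype not in {e[3] for e in match}:
        problems.append("no etype %d key" % etype)
    return problems
```

An empty list from check_keytab means the keytab matches what the resource configuration and AD expect; each string otherwise names the row in the tables above that the relay would report.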