5 Replies Latest reply on Mar 9, 2018 7:52 PM by vkaufmann

    Kerberos Error


      Hi Community,


      continuously we are getting this logs in AF Server, could anyone please advise me, whether we need to take any action on this or we can ignore this.

        • Re: Kerberos Error

          Hi Ashwin,


          Could you please check the service account you configured for AF service and AF message logs for the same?

            • Re: Kerberos Error

              Babu, thanks for your reply


              AF service running using same service account (service_PI_af) which i was highlighted in my earlier email. we just receiving this error in windows systems logs.

              if we clearly notice for every sec i am getting repeative error.


              For example

              00:00:01 if i am getting Error Code: 0x44 KDC_ERR_WRONG_REALM

              00:00:01 then immediately i am getting another error log with Error Code:"0x19 KDC_ERR_PREAUTH_REQUIRED"

              after 3 seconds again i am getting 0x44 KDC_ERR_WRONG_REALM.

              so, this is what happening continuously.


              please advise me here.


              Thank you


                • Re: Kerberos Error

                  Hi Ashwin,


                  Looks like your service account has an issue with domain authentication. Could you please ask your windows/wintel team to check the user id in the domain and check service account is added to correct domain. If Active directory authentication is failed then you have an impact on AF security with windows logon.

              • Re: Kerberos Error

                Actually, this error can be ignored "0x19 KDC_ERR_PREAUTH_REQUIRED". This error is only logged when kerberos logging is enabled. These messages are a normal part of the Kerberos authentication process and do not indicate a problem. Per Microsoft's documentation, it is recommended to turn off Kerberos event logging when not troubleshooting Kerberos.


                You can take a look at this post for more info.


                The KDC (Key Distribution Center) requires all accounts to use pre-authentication. However, pre-authentication can be disabled for individual accounts when necessary for compatibility with other implementations of the protocol.

                How to disable pre-authentication?

                If the box “Do not require Kerberos pre-authentication” was checked on the user account properties then we would never see the error “KDC_ERR_PREAUTH_REQUIRED” message in a trace.




                This error may occur when a client requests a TGT from a domain controller for a domain to which the client does not belong. This error refers the client to the correct domain and does not indicate a problem. You can read more about it here.

                4 of 4 people found this helpful