The KRB_ERROR message consists of the following fields:
    KRB-ERROR ::= [APPLICATION 30] SEQUENCE {
        pvno[0]         INTEGER,
        msg-type[1]     INTEGER,
        ctime[2]        KerberosTime OPTIONAL,
        cusec[3]        INTEGER OPTIONAL,
        stime[4]        KerberosTime,
        susec[5]        INTEGER,
        error-code[6]   INTEGER,
        crealm[7]       Realm OPTIONAL,
        cname[8]        PrincipalName OPTIONAL,
        realm[9]        Realm, -- Correct realm
        sname[10]       PrincipalName, -- Correct name
        e-text[11]      GeneralString OPTIONAL,
        e-data[12]      OCTET STRING OPTIONAL
    }
pvno, msg-type: These fields are described above in section 5.4.1. msg-type is KRB_ERROR.
ctime: This field is described above in section 5.4.1.
cusec: This field is described above in section 5.5.2.
stime: This field contains the current time on the server. It is of type KerberosTime.
susec: This field contains the microsecond part of the server's timestamp. Its value ranges from 0 to 999. It appears along with stime. The two fields are used in conjunction to specify a reasonably accurate timestamp.
error-code: This field contains the error code returned by Kerberos or the server when a request fails. To interpret the value of this field see the list of error codes in section 8. Implementations are encouraged to provide for national language support in the display of error messages.
crealm, cname, realm, sname: These fields are described above in section 5.3.1.
e-text: This field contains additional text to help explain the error code associated with the failed request (for example, it might include a principal name which was unknown).
e-data: This field contains additional data about the error for use by the application to help it recover from or handle the error. If the error-code is KDC_ERR_PREAUTH_REQUIRED, then the e-data field will contain an encoding of a sequence of padata fields, each corresponding to an acceptable pre-authentication method and optionally containing data for the method:

    METHOD-DATA ::= SEQUENCE OF PA-DATA

If the error-code is KRB_AP_ERR_METHOD, then the e-data field will contain an encoding of the following sequence:

    METHOD-DATA ::= SEQUENCE {
        method-type[0]   INTEGER,
        method-data[1]   OCTET STRING OPTIONAL
    }
method-type will indicate the required alternate method; method-data will contain any required additional information.
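The following is an added example, not part of the specification text: a bounds-checked DER walk that reads error-code and realm from a KRB-ERROR and, for KDC_ERR_PREAUTH_REQUIRED, lists the padata types carried in e-data. It assumes the error-code value 25 from the section 8 list and the PA-DATA field tags [1] (padata-type) and [2] (padata-value) defined elsewhere in the specification; the function names, the returned dictionary keys and the sample message are constructed for illustration.

```python
KDC_ERR_PREAUTH_REQUIRED = 25  # assumed from the error-code list in section 8

def tlv(buf, pos=0):  # read one DER TLV at pos -> (tag, value, next_pos)
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def children(body):  # yield (tag, value) for each TLV inside a constructed value
    pos = 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        yield tag, val

def fields(seq_body):  # map context tag number [n] to the value of the TLV it wraps
    return {tag & 0x1F: tlv(val)[1] for tag, val in children(seq_body)}

def parse_krb_error(msg):
    tag, body, _ = tlv(msg)
    if tag != 0x7E:  # [APPLICATION 30], constructed
        raise ValueError("not a KRB-ERROR")
    f = fields(tlv(body)[1])  # unwrap the SEQUENCE, then index fields by [n]
    code = int.from_bytes(f[6], "big", signed=True)
    methods = []
    if code == KDC_ERR_PREAUTH_REQUIRED and 12 in f:
        # e-data carries SEQUENCE OF PA-DATA; padata-type is field [1] (assumed tag)
        methods = [int.from_bytes(fields(pa)[1], "big") for _, pa in children(tlv(f[12])[1])]
    return {"error-code": code, "realm": f[9].decode("ascii"), "preauth-types": methods}

def der(tag, *parts):  # encoder used only to build the sample; short lengths only
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

# Constructed sample message, not captured traffic: pvno 5, msg-type 30, error-code 25.
SAMPLE = der(0x7E, der(0x30,
    der(0xA0, der(0x02, b"\x05")), der(0xA1, der(0x02, b"\x1e")),
    der(0xA4, der(0x18, b"19930901000000Z")), der(0xA5, der(0x02, b"\x00")),
    der(0xA6, der(0x02, b"\x19")), der(0xA9, der(0x1B, b"EXAMPLE.COM")),
    der(0xAA, der(0x30, der(0xA0, der(0x02, b"\x02")),
                  der(0xA1, der(0x30, der(0x1B, b"krbtgt"), der(0x1B, b"EXAMPLE.COM"))))),
    der(0xAC, der(0x04, der(0x30, der(0x30,  # e-data: one PA-DATA, padata-type 2
                  der(0xA1, der(0x02, b"\x02")), der(0xA2, der(0x04))))))))
```

Calling parse_krb_error(SAMPLE) returns the error code, the realm and the list of offered padata types; truncated or over-long length fields raise ValueError instead of reading past the buffer.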