SSPI Status Codes
The following status codes are used in SSPI applications and defined in Winerror.h.
| Status code | Meaning |
|---|---|
| SEC_E_ALGORITHM_MISMATCH |
The client and server cannot communicate because they do not possess a common algorithm. |
| SEC_E_BAD_BINDINGS |
The SSPI channel bindings supplied by the client are incorrect. |
| SEC_E_BAD_PKGID |
The requested package identifier does not exist. |
| SEC_E_BUFFER_TOO_SMALL |
The buffers supplied to the function are not large enough to contain the information. |
| SEC_E_CANNOT_INSTALL |
The security package cannot initialize successfully and should not be installed. |
| SEC_E_CANNOT_PACK |
The package is unable to pack the context. |
| SEC_E_CERT_EXPIRED |
The received certificate has expired. |
| SEC_E_CERT_UNKNOWN |
An unknown error occurred while processing the certificate. |
| SEC_E_CERT_WRONG_USAGE |
The certificate is not valid for the requested usage. |
| SEC_E_CONTEXT_EXPIRED |
The application is referencing a context that has already been closed. A properly written application should not receive this error. |
| SEC_E_CROSSREALM_DELEGATION_FAILURE |
The server attempted to make a Kerberos-constrained delegation request for a target outside the server's realm. |
| SEC_E_CRYPTO_SYSTEM_INVALID |
The cryptographic system or checksum function is not valid because a required function is unavailable. |
| SEC_E_DECRYPT_FAILURE |
The specified data could not be decrypted. |
| SEC_E_DELEGATION_REQUIRED |
The requested operation cannot be completed. The computer must be trusted for delegation, and the current user account must be configured to allow delegation. |
| SEC_E_DOWNGRADE_DETECTED |
The system detected a possible attempt to compromise security. Verify that the server that authenticated you can be contacted. NOTE: This error can be generated simply due to lack of connectivity to a domain controller and may not be indicative of malicious activity. |
| SEC_E_ENCRYPT_FAILURE |
The specified data could not be encrypted. |
| SEC_E_ILLEGAL_MESSAGE |
The message received was unexpected or badly formatted. |
| SEC_E_INCOMPLETE_CREDENTIALS |
The credentials supplied were not complete and could not be verified. The context could not be initialized. |
| SEC_E_INCOMPLETE_MESSAGE |
The message supplied was incomplete. The signature was not verified. |
| SEC_E_INSUFFICIENT_MEMORY |
Not enough memory is available to complete the request. |
| SEC_E_INTERNAL_ERROR |
An error occurred that did not map to an SSPI error code. |
| SEC_E_INVALID_HANDLE |
The handle passed to the function is not valid. |
| SEC_E_INVALID_TOKEN |
The token passed to the function is not valid. |
| SEC_E_ISSUING_CA_UNTRUSTED |
An untrusted certification authority (CA) was detected while processing the smart card certificate used for authentication. |
| SEC_E_ISSUING_CA_UNTRUSTED_KDC |
An untrusted CA was detected while processing the domain controller certificate used for authentication. The system event log contains additional information. |
| SEC_E_KDC_CERT_EXPIRED |
The domain controller certificate used for smart card logon has expired. |
| SEC_E_KDC_CERT_REVOKED |
The domain controller certificate used for smart card logon has been revoked. |
| SEC_E_KDC_INVALID_REQUEST |
A request that is not valid was sent to the KDC. |
| SEC_E_KDC_UNABLE_TO_REFER |
The KDC was unable to generate a referral for the service requested. |
| SEC_E_KDC_UNKNOWN_ETYPE |
The requested encryption type is not supported by the KDC. |
| SEC_E_LOGON_DENIED |
This status code is obsolete. |
| SEC_E_MAX_REFERRALS_EXCEEDED |
The number of maximum ticket referrals has been exceeded. |
| SEC_E_MESSAGE_ALTERED |
The message supplied for verification has been altered. |
| SEC_E_MULTIPLE_ACCOUNTS |
The received certificate was mapped to multiple accounts. |
| SEC_E_MUST_BE_KDC |
The local computer must be a Kerberos domain controller (KDC), but it is not. |
| SEC_E_NO_AUTHENTICATING_AUTHORITY |
No authority could be contacted for authentication. |
| SEC_E_NO_CREDENTIALS |
No credentials are available. |
| SEC_E_NO_IMPERSONATION |
No impersonation is allowed for this context. |
| SEC_E_NO_IP_ADDRESSES |
Unable to accomplish the requested task because the local computer does not have any IP addresses. |
| SEC_E_NO_KERB_KEY |
No Kerberos key was found. |
| SEC_E_NO_PA_DATA |
Policy administrator (PA) data is needed to determine the encryption type, but cannot be found. |
| SEC_E_NO_S4U_PROT_SUPPORT |
The Kerberos subsystem encountered an error. A service for user protocol request was made against a domain controller which does not support service for a user. |
| SEC_E_NO_TGT_REPLY |
The client is trying to negotiate a context and the server requires a user-to-user connection, but did not send a TGT reply. |
| SEC_E_NOT_OWNER |
The caller of the function does not own the credentials. |
| SEC_E_NOT_SUPPORTED |
The request is not supported. |
| SEC_E_OK |
The operation completed successfully. |
| SEC_E_OUT_OF_SEQUENCE |
The message supplied for verification is out of sequence. |
| SEC_E_PKINIT_CLIENT_FAILURE |
The smart card certificate used for authentication is not trusted. |
| SEC_E_PKINIT_NAME_MISMATCH |
The client certificate does not contain a valid UPN or does not match the client name in the logon request. |
| SEC_E_QOP_NOT_SUPPORTED |
The quality of protection attribute is not supported by this package. |
| SEC_E_REVOCATION_OFFLINE_C |
The revocation status of the smart card certificate used for authentication could not be determined. |
| SEC_E_REVOCATION_OFFLINE_KDC |
The revocation status of the domain controller certificate used for smart card authentication could not be determined. The system event log contains additional information. |
| SEC_E_SECPKG_NOT_FOUND |
The security package was not recognized. |
| SEC_E_SECURITY_QOS_FAILED |
The security context could not be established due to a failure in the requested quality of service (for example, mutual authentication or delegation). |
| SEC_E_SHUTDOWN_IN_PROGRESS |
A system shutdown is in progress. |
| SEC_E_SMARTCARD_CERT_EXPIRED |
The smart card certificate used for authentication has expired. |
| SEC_E_SMARTCARD_CERT_REVOKED |
The smart card certificate used for authentication has been revoked. Additional information may exist in the event log. |
| SEC_E_SMARTCARD_LOGON_REQUIRED |
Smart card logon is required and was not used. |
| SEC_E_STRONG_CRYPTO_NOT_SUPPORTED |
The other end of the security negotiation requires strong cryptography, but it is not supported on the local machine. |
| SEC_E_TARGET_UNKNOWN |
The target was not recognized. |
| SEC_E_TIME_SKEW |
The clocks on the client and server computers do not match. |
| SEC_E_TOO_MANY_PRINCIPALS |
The KDC reply contained more than one principal name. |
| SEC_E_UNFINISHED_CONTEXT_DELETED |
A security context was deleted before the context was completed. This is considered a logon failure. |
| SEC_E_UNKNOWN_CREDENTIALS |
The credentials provided were not recognized. |
| SEC_E_UNSUPPORTED_FUNCTION |
The requested function is not supported. |
| SEC_E_UNSUPPORTED_PREAUTH |
An unsupported preauthentication mechanism was presented to the Kerberos package. |
| SEC_E_UNTRUSTED_ROOT |
The certificate chain was issued by an authority that is not trusted. |
| SEC_E_WRONG_CREDENTIAL_HANDLE |
The supplied credential handle does not match the credential associated with the security context. |
| SEC_E_WRONG_PRINCIPAL |
The target principal name is incorrect. |
| SEC_I_COMPLETE_AND_CONTINUE |
The function completed successfully, but the application must call both CompleteAuthToken and then either InitializeSecurityContext (General) or AcceptSecurityContext (General) again to complete the context. |
| SEC_I_COMPLETE_NEEDED |
The function completed successfully, but you must call the CompleteAuthToken function on the final message. |
| SEC_I_CONTEXT_EXPIRED |
The message sender has finished using the connection and has initiated a shutdown. For information about initiating or recognizing a shutdown, see Shutting Down an Schannel Connection. |
| SEC_I_CONTINUE_NEEDED |
The function completed successfully, but you must call this function again to complete the context. |
| SEC_I_INCOMPLETE_CREDENTIALS |
The credentials supplied were not complete and could not be verified. Additional information can be returned from the context. |
| SEC_I_LOCAL_LOGON |
The logon was completed, but no network authority was available. The logon was made using locally known information. |
| SEC_I_NO_LSA_CONTEXT |
There is no LSA mode context associated with this context. |
| SEC_I_RENEGOTIATE |
The context data must be renegotiated with the peer. |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for