Converting Windows Failure Codes to Text (for reports mainly)

Document created by MarkR on Jun 15, 2010. Last modified by MarkR on Jun 16, 2010. Version 2.

ArcSight generally puts the code associated with Windows login events in the deviceCustomString4 field. I find a good bit of value in seeing those codes in various reports (failed login due to a bad user name vs. a good user name with a bad password vs. a user name whose account is locked out). We just created a series of reports that went outside the normal group, so I created a list that mapped the codes to "English." I was really happy with the results. The mapping comes from Ultimate Windows Security, though you could probably find the data directly on a Microsoft site as well. You could also get fancy and create a map file on the connector itself, or use 3 or 4 other ways to get to the same results. This is just the way I did it. The list of codes follows the steps below.


Create an active list with two string columns, making sure to index the column that will hold the code. The codes in the list are all lower case, so a report query needs 2 variables. The first pulls the data from CS4 (deviceCustomString4) and converts it to lower case. The second gets a value from an active list: point it to the AL you just created and map the AL's indexed field to the first variable (the lower-cased CS4 value). Then, in the field set for the report, go to the variable section and select the unindexed string field that contains the failure code text.







0x1,Client's entry in database has expired
0x10,KDC has no support for padata type
0x11,KDC has no support for transited type
0x12,Account disabled, expired, locked out, logon hours
0x13,Credentials for server have been revoked
0x14,TGT has been revoked
0x15,Client not yet valid - try again later
0x16,Server not yet valid - try again later
0x17,User's Password has expired
0x18,Pre-authentication information was invalid (Usually bad password)
0x19,Additional pre-authentication required
0x1f,Integrity check on decrypted field failed
0x2,Server's entry in database has expired
0x20,Ticket expired (Frequently logged by computer accounts)
0x21,Ticket not yet valid
0x22,Request is a replay
0x23,The ticket isn't for us
0x24,Ticket and authenticator don't match
0x25,Clock skew too great (workstation clock out of sync with DCs)
0x26,Incorrect net address
0x27,Protocol version mismatch
0x28,Invalid msg type
0x29,Message stream modified
0x2a,Message out of order
0x2c,Specified version of key is not available
0x2d,Service key not available
0x2e,Mutual authentication failed
0x2f,Incorrect message direction
0x3,Requested protocol version # not supported
0x30,Alternative authentication method required*
0x31,Incorrect sequence number in message
0x32,Inappropriate type of checksum in message
0x3c,Generic error (description in e-text)
0x3d,Field is too long for this implementation
0x4,Client's key encrypted in old master key
0x5,Server's key encrypted in old master key
0x6,Client not found in Kerberos database
0x7,Server not found in Kerberos database
0x8,Multiple principal entries in database
0x9,The client or server has a null key
0xa,Ticket not eligible for postdating
0xb,Requested start time is later than end time
0xc,KDC policy rejects request (Workstation restriction)
0xc0000064,User name does not exist
0xc000006a,User name is correct but the password is wrong
0xc000006f,User tried to logon outside his day of week or time of day restrictions
0xc0000070,Workstation restriction
0xc0000071,Expired password
0xc0000072,Account is currently disabled
0xc0000193,Account expiration
0xc0000224,User is required to change password at next logon
0xc0000225,Evidently a bug in Windows and not a risk
0xc0000234,User is currently locked out
0xd,KDC cannot accommodate requested option
0xe,KDC has no support for encryption type
0xf,KDC has no support for checksum type
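
The two-variable lookup described above can be checked offline before building the active list. The following Python sketch is an added example, not part of the original document and not ArcSight code; the function names, the sample events and the "Unknown code" fallback are assumptions made for illustration. It also shows why the list should be split on the first comma only (the 0x12 description contains commas) and writes the rows back out fully quoted; whether your import path accepts quoted CSV is an assumption to verify.

```python
import csv
import io
from collections import Counter

# A few rows copied from the list on this page (code,description).
CODE_LIST = """\
0x12,Account disabled, expired, locked out, logon hours
0x18,Pre-authentication information was invalid (Usually bad password)
0xc0000064,User name does not exist
0xc000006a,User name is correct but the password is wrong
0xc0000234,User is currently locked out
"""

# Constructed sample events: (user, deviceCustomString4 as received).
SAMPLE_EVENTS = [
    ("alice", "0xC000006A"),
    ("alice", "0xc000006a"),
    ("bob", " 0xC0000234 "),
    ("svc-app", "0x12"),
    ("dave", "0xC0000064"),
    ("carol", "0xdeadbeef"),  # code that is not in the list
]

def load_mapping(text):
    """Parse code,description rows, splitting on the first comma only."""
    mapping = {}
    for line in filter(str.strip, text.splitlines()):
        code, description = line.split(",", 1)
        mapping[code.strip().lower()] = description.strip()
    return mapping

def failure_text(mapping, cs4):
    """Variable 1: lower-case the raw code. Variable 2: look it up."""
    key = (cs4 or "").strip().lower()
    return mapping.get(key, "Unknown code " + key)

def report(mapping, events):
    """Count failures per readable reason, as a report would group them."""
    return Counter(failure_text(mapping, cs4) for _user, cs4 in events)

def to_quoted_csv(mapping):
    """Emit the list with every field quoted so commas stay in one column."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerows(sorted(mapping.items()))
    return buf.getvalue()

if __name__ == "__main__":
    for reason, count in report(load_mapping(CODE_LIST), SAMPLE_EVENTS).most_common():
        print(count, reason)
```

Codes that fall through to the "Unknown code" bucket are the ones to add to the active list, since an event whose code is missing from the list has no text to show in the report.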

This document was generated from the following thread: Text for Windows Failure Codes