This error means that the KDC could not translate the server principal name from the KDC request into an account in Active Directory. Generally speaking, verify whether the server account exists and has propagated to the domain controller that generated the error. Checking Active Directory replication may provide an indication of why the error occurred. Also, if the server is not at least Windows 2000, there will not be any service principal names registered because that server is not capable of authenticating with Kerberos. In this case, this error can be ignored because the client will then switch to NTLM for authentication.
By default, Kerberos authentication uses UDP to transmit its data. UDP provides no guarantee that a packet sent along the network will reach its destination intact. Thus, in environments with a high amount of network congestion it is common for packets to get lost or fragmented on the way to their destination. UDP fragmentation might be causing the failure. See the article "Authentication using UDP causes errors" to resolve this problem.
Verify that the service is registered and has an SPN set. For more information about setting SPNs, see "Troubleshooting Kerberos Errors". If the SPN is set correctly and this error is not related to UDP fragmentation, then there might be an error while doing the referral. This can occur if the trust path leading to the server has been incorrectly configured. Verify that there is a valid trust path to the server's domain and that this path can be followed. You can do this by attempting to log on in the client domain as a user from the server's domain. If the logon is successful and occurs using the Kerberos protocol (this can be verified in the security log), then the trust path is set up correctly.
Additional information on this error can be found in the following articles: "Kerberos Authentication Tools and Settings", "Authentication for Administrative Authority", "Service logons fail due to incorrectly set SPNs", and Error code 0x6.
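Which of the checks above to start with depends on which domain controllers returned the error for a given SPN. The following added example (not part of the original article) groups constructed ticket-request records by SPN and domain controller and suggests a starting point; the record fields, host names and the three cause labels are assumptions made for illustration, and 0x7 is the Kerberos code for KDC_ERR_S_PRINCIPAL_UNKNOWN.

```python
from collections import defaultdict

S_PRINCIPAL_UNKNOWN = 0x7  # Kerberos error KDC_ERR_S_PRINCIPAL_UNKNOWN

# Constructed records (not real logs). Field names are assumptions: the DC that
# answered the service-ticket request, the requested SPN, and the result code.
SAMPLE_EVENTS = [
    {"dc": "DC1", "spn": "HTTP/intranet.corp.example", "code": 0x7},
    {"dc": "DC2", "spn": "HTTP/intranet.corp.example", "code": 0x0},
    {"dc": "DC1", "spn": "MSSQLSvc/db1.corp.example:1433", "code": 0x7},
    {"dc": "DC2", "spn": "MSSQLSvc/db1.corp.example:1433", "code": 0x7},
    {"dc": "DC1", "spn": "cifs/files.corp.example", "code": 0x0},
    {"dc": "DC2", "spn": "cifs/old.corp.example", "code": 0x7},
    {"dc": "DC3", "spn": "ldap/app.corp.example", "code": 0x7},
    {"dc": "DC3", "spn": "ldap/app.corp.example", "code": 0x0},
]


def triage(events):
    """Return {spn: (likely_cause, failing_dcs)} for SPNs that hit error 0x7."""
    failed, ok = defaultdict(set), defaultdict(set)
    for ev in events:
        if ev["code"] == S_PRINCIPAL_UNKNOWN:
            failed[ev["spn"]].add(ev["dc"])
        elif ev["code"] == 0:
            ok[ev["spn"]].add(ev["dc"])

    findings = {}
    for spn, bad_dcs in failed.items():
        good_dcs = ok.get(spn, set())
        if good_dcs & bad_dcs:
            # The same DC both resolved and rejected the SPN: the account is
            # there, so look at transport first (UDP loss or fragmentation).
            cause = "intermittent"
        elif good_dcs:
            # Other DCs know the SPN: the account has not propagated to the
            # failing DCs yet, so check Active Directory replication.
            cause = "replication"
        else:
            # No DC resolved it: SPN not registered, a pre-Windows 2000 host
            # (client falls back to NTLM), or a broken trust path.
            cause = "unregistered"
        findings[spn] = (cause, sorted(bad_dcs))
    return findings


if __name__ == "__main__":
    for spn, (cause, dcs) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{spn:35} {cause:13} failing on {', '.join(dcs)}")
```

The labels are heuristics for ordering the checks, not a diagnosis; an SPN marked "unregistered" still needs the SPN, legacy-host and trust-path checks described above.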