557 KDC Unreachable
The HTTP 557 KDC Unreachable status code is an unofficial server error specific to Akamai Enterprise Application Access (EAA). The EAA connector returns this code when the Kerberos Key Distribution Center (KDC) is unreachable, preventing the connector from obtaining a service ticket for the backend application.
Usage
Akamai EAA supports Kerberos constrained delegation for single sign-on to backend applications. The connector acts as a Kerberos client, requesting service tickets from the KDC (typically a domain controller running Active Directory) on behalf of authenticated users.
The 557 error appears when the connector is unable to reach any KDC in the configured Kerberos realm. The connector needs the KDC to exchange the user's ticket-granting ticket (TGT) for a service ticket targeting the backend application. Without KDC connectivity, the Kerberos authentication flow stops and the request fails.
Common causes include:
- Network connectivity issues between the EAA connector and the domain controller.
- All domain controllers in the realm are offline or unresponsive.
- Firewall rules blocking Kerberos traffic on port 88 (TCP/UDP) between the connector and the KDC.
- DNS resolution failures preventing the connector from locating the KDC through SRV records.
SEO impact
Search engines treat 557 responses as server errors. Persistent errors cause crawlers to reduce crawl frequency and eventually drop affected URLs from the index.
Example
A client requests a Kerberized application through Akamai EAA. The connector attempts to contact the KDC for a service ticket but fails because the KDC is unreachable.
Request
GET /intranet/files HTTP/1.1
Host: app.example.re
Accept: text/html
Response
HTTP/1.1 557 KDC Unreachable
Date: Mon, 02 Mar 2026 14:30:00 GMT
Content-Type: text/html
<html>
<head><title>557 Error</title></head>
<body>
<h1>KDC Unreachable</h1>
<p>Key Distribution Center is unreachable</p>
</body>
</html>
How to fix
Verify at least one KDC is operational in the data center where the EAA connector runs. Check the domain controller status using Active Directory tools or by running nltest /dsgetdc:<domain> from a machine in the same network segment.
Confirm the connector has network access to the KDC on port 88 (TCP and UDP). Test connectivity from the connector host:
telnet <kdc-hostname> 88
Check DNS resolution for the Kerberos realm. The connector relies on DNS SRV records (_kerberos._tcp.<realm>) to locate KDCs. Run nslookup -type=SRV _kerberos._tcp.<realm> to verify the records resolve correctly.
Review firewall rules between the connector subnet and the domain controller subnet. Kerberos requires port 88 (TCP/UDP), and LDAP queries to the domain controller use port 389 (TCP/UDP) or 636 (LDAPS).
If the environment has multiple KDCs, verify at least one is reachable. A single unreachable KDC does not cause a 557 as long as another KDC in the realm responds. The error indicates all configured KDCs are down or blocked.
Check for clock skew between the connector and the KDC. Kerberos requires clocks synchronized within five minutes. Excessive clock drift causes ticket validation failures presenting as connectivity errors.
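The DNS and port checks above can be combined into one script that reads the SRV answer and probes every KDC it lists. This is an added example, not Akamai tooling: it assumes BIND-style nslookup output, and the function names, the realm corp.example.test and the sample records are constructed for illustration. Like telnet, it tests TCP only, so UDP 88 still needs a separate check.

```python
import re
import socket
import sys

# BIND-style nslookup line: "<name>  service = <prio> <weight> <port> <target>."
SRV_LINE = re.compile(r"service\s*=\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?\s*$")

# Constructed sample output; the realm and hostnames are placeholders.
SAMPLE = """\
_kerberos._tcp.corp.example.test\tservice = 0 100 88 dc1.corp.example.test.
_kerberos._tcp.corp.example.test\tservice = 10 100 88 dc2.corp.example.test.
"""

def parse_srv(nslookup_output):
    """Return (priority, weight, port, host) tuples, lowest priority first."""
    records = []
    for line in nslookup_output.splitlines():
        m = SRV_LINE.search(line)
        if m:
            records.append((*map(int, m.group(1, 2, 3)), m.group(4)))
    return sorted(records)

def tcp_probe(host, port, timeout=3.0):
    """TCP connect test, equivalent to `telnet <kdc-hostname> 88`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"      # often a firewall silently dropping packets
    except ConnectionRefusedError:
        return "refused"      # host is up but nothing listens on the port
    except socket.gaierror:
        return "dns-failure"  # SRV target name does not resolve
    except OSError:
        return "unreachable"

def diagnose(nslookup_output, probe=tcp_probe):
    """Probe every KDC in the SRV answer and summarise the result."""
    records = parse_srv(nslookup_output)
    results = {f"{host}:{port}": probe(host, port) for _, _, port, host in records}
    if not records:
        verdict = "no SRV records: the connector cannot locate a KDC"
    elif all(state != "open" for state in results.values()):
        verdict = "all KDCs unreachable: matches the 557 condition"
    else:
        verdict = "at least one KDC reachable over TCP"
    return results, verdict

if __name__ == "__main__":  # nslookup -type=SRV _kerberos._tcp.<realm> | python3 this_file.py
    print(*diagnose(sys.stdin.read()), sep="\n")
```

A "timeout" result on every KDC points toward a firewall or routing problem, while "dns-failure" points back at the SRV targets.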
Takeaway
The 557 KDC Unreachable status code is an Akamai EAA error indicating the connector is unable to contact any Kerberos Key Distribution Center. Restoring network access between the connector and at least one domain controller in the Kerberos realm resolves the issue.
See also
- Akamai EAA Application Response Codes
- Google: HTTP status codes and network errors
- Kerberos Constrained Delegation in EAA
- 555
- Authentication
- HTTP status codes