Description
SEC_E_INTERNAL_ERROR (hex code 0x80090304, decimal -2146893052) is a Windows error-level error code in the Active Directory & Kerberos family. Microsoft surfaces this code through the Win32 API, the Common Language Runtime, the kernel, the event log, PowerShell, command-line tools (sfc, dism, gpupdate, sc), and Windows-side applications such as Outlook, Teams, Office, and System Center.
The Local Security Authority cannot be contacted.
This page documents what triggers 0x80090304, the most common scenarios where it appears, the likely root causes, and a step-by-step troubleshooting workflow you can run against affected endpoints. It is intended for system administrators, MSP technicians, helpdesk engineers, and anyone diagnosing Windows behavior in a managed environment.
In-depth explanation
This is an error-severity code. Windows uses it to signal a failed operation that prevented the caller from completing its work. The underlying cause can range from a permissions or quota issue to a corrupted system component, missing dependency, or unreachable service.
It is part of the Active Directory / Kerberos / SSPI error space. These codes typically surface in the Security event log, on the client side via Outlook, RDP, file shares, or SQL Server, and on the domain controller side in Netlogon.log and kerberos traces.
The code can be looked up programmatically in PowerShell with [ComponentModel.Win32Exception]::new(-2146893052).Message (for Win32 / NTSTATUS codes that map cleanly), or with net helpmsg <decimal> for the legacy decimal range. For HRESULT-style codes, decode the facility and code with err.exe from the SDK or via the WinDbg !error command.
Common causes
- Time skew between client and DC greater than 5 minutes (Kerberos hard limit).
- Missing or duplicate Service Principal Name (SPN) on the target service account.
- Computer account password out of sync with AD — rejoin the domain or run
nltest /sc_reset. - DNS resolution failing for the DC — verify
_kerberos._tcp.<domain>SRV records. - Trusted root or intermediate CA missing on the client (smartcard / PKINIT scenarios).
Troubleshooting steps
- Verify time sync with
w32tm /query /status— both client and DC must be within 5 minutes of each other. - Check SPNs:
setspn -L <account>on the service account, andsetspn -Xacross the forest to detect duplicates. - Re-establish the secure channel from an affected member:
nltest /sc_verify:<domain>, thennltest /sc_reset:<domain>if needed. - Validate DNS: from the client,
nslookup -type=SRV _kerberos._tcp.<domain>must return reachable DCs. - Capture a network trace with
netsh traceor Wireshark filtered onkerberosto see the exact AS/TGS error code.
Decode in PowerShell
# Decode 0x80090304 (-2146893052) in PowerShell
[ComponentModel.Win32Exception]::new(-2146893052).Message
# Or via WinDbg / err.exe (Windows SDK)
# err 0x80090304
# Or net helpmsg (legacy decimal range only)
# net helpmsg <decimal>Frequently asked questions
What does the Windows error code 0x80090304 mean?
SEC_E_INTERNAL_ERROR (decimal -2146893052). The Local Security Authority cannot be contacted.How do I decode 0x80090304 in PowerShell?
[ComponentModel.Win32Exception]::new(-2146893052).Message in any PowerShell session. For HRESULT-style codes, use err.exe from the Windows SDK or the WinDbg !error command.Where does Windows typically log this error?
%WinDir%\WindowsUpdate.log; AD/Kerberos → Security event log on the DC; BSOD → minidump under C:\Windows\Minidump; MSI → %TEMP%\msi*.log; WMI → Microsoft-Windows-WMI-Activity). Always cross-reference the timestamp and module name with the Application and System event logs.Is this code recoverable?
Should I open a Microsoft support case for this?
Get-WinEvent export ready before opening the case.