Anavem

0x80090327

SEC_E_DOWNGRADE_DETECTED

The system detected a possible attempt to compromise security. Kerberos downgrade attack detected.

Hex code: 0x80090327
Decimal: -2146893017
Severity: Critical
Category: AD / Kerberos

Description

SEC_E_DOWNGRADE_DETECTED (hex code 0x80090327, decimal -2146893017) is a Windows critical-level error code in the Active Directory & Kerberos family. Microsoft surfaces this code through the Win32 API, the Common Language Runtime, the kernel, the event log, PowerShell, command-line tools (sfc, dism, gpupdate, sc), and Windows-side applications such as Outlook, Teams, Office, and System Center.

The system detected a possible attempt to compromise security. Kerberos downgrade attack detected.

This page documents what triggers 0x80090327, the most common scenarios where it appears, the likely root causes, and a step-by-step troubleshooting workflow you can run against affected endpoints. It is intended for system administrators, MSP technicians, helpdesk engineers, and anyone diagnosing Windows behavior in a managed environment.

In-depth explanation

This is a critical-severity Windows error. It typically indicates a kernel-mode failure, an unrecoverable security violation, hardware failure, or a fatal driver bug. Treat any occurrence as a P1 incident: isolate the host, capture a memory dump if available, and pull the latest minidump from C:\Windows\Minidump for analysis.

It is part of the Active Directory / Kerberos / SSPI error space. These codes typically surface in the Security event log, on the client side via Outlook, RDP, file shares, or SQL Server, and on the domain controller side in Netlogon.log and Kerberos traces.

The code can be looked up programmatically in PowerShell with [ComponentModel.Win32Exception]::new(-2146893017).Message (for Win32 / NTSTATUS codes that map cleanly), or with net helpmsg <decimal> for the legacy decimal range. For HRESULT-style codes, decode the facility and code with err.exe from the SDK or via the WinDbg !error command.

Common causes

  • Time skew between client and DC greater than 5 minutes (Kerberos hard limit).
  • Missing or duplicate Service Principal Name (SPN) on the target service account.
  • Computer account password out of sync with AD — rejoin the domain or run nltest /sc_reset.
  • DNS resolution failing for the DC — verify _kerberos._tcp.<domain> SRV records.
  • Trusted root or intermediate CA missing on the client (smartcard / PKINIT scenarios).

Troubleshooting steps

  1. Verify time sync with w32tm /query /status — both client and DC must be within 5 minutes of each other.
  2. Check SPNs: setspn -L <account> on the service account, and setspn -X across the forest to detect duplicates.
  3. Re-establish the secure channel from an affected member: nltest /sc_verify:<domain>, then nltest /sc_reset:<domain> if needed.
  4. Validate DNS: from the client, nslookup -type=SRV _kerberos._tcp.<domain> must return reachable DCs.
  5. Capture a network trace with netsh trace or Wireshark filtered on kerberos to see the exact AS/TGS error code.

Decode in PowerShell

# Decode 0x80090327 (-2146893017) in PowerShell
[ComponentModel.Win32Exception]::new(-2146893017).Message

# Or via WinDbg / err.exe (Windows SDK)
# err 0x80090327

# Or net helpmsg (legacy decimal range only)
# net helpmsg <decimal>
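
Logs and tools report this code in different spellings (hex 0x80090327, signed decimal -2146893017, or the unsigned decimal form), so a search for one spelling misses the others. The following is an added example, not code from the original page: it normalises all three spellings, splits the HRESULT into severity, facility and code, and finds the code in log lines. The function names, the facility table subset and the log lines are assumptions constructed for illustration.

```python
import re

# Facility numbers as defined in winerror.h (subset, for illustration).
FACILITIES = {7: "FACILITY_WIN32", 9: "FACILITY_SSPI"}
# Only the symbolic name documented on this page.
KNOWN = {0x80090327: "SEC_E_DOWNGRADE_DETECTED"}
# 0x-prefixed 32-bit hex, or a signed/unsigned decimal of 9-10 digits.
CODE_RE = re.compile(r"0x[0-9A-Fa-f]{8}\b|-?\b\d{9,10}\b")

SAMPLE_LOG = [  # constructed lines, not real log output
    "2024-05-02 10:14:07 sspi: AcceptSecurityContext failed 0x80090327",
    "2024-05-02 10:14:09 app: logon error -2146893017 for svc-web",
    "2024-05-02 10:14:11 agent: hr=2148074279 retrying",
    "2024-05-02 10:14:12 sspi: InitializeSecurityContext failed 0x80090322",
]

def normalize(token):
    """Return the unsigned 32-bit value for hex, signed or unsigned decimal text."""
    token = token.strip()
    value = int(token, 16) if token.lower().startswith("0x") else int(token)
    if not -0x80000000 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit code: {token}")
    return value & 0xFFFFFFFF

def decode_hresult(token):
    """Split an HRESULT into its severity bit, facility and code fields."""
    value = normalize(token)
    facility = (value >> 16) & 0x7FF
    return {
        "hex": f"0x{value:08X}",
        "signed": value - 0x100000000 if value & 0x80000000 else value,
        "failure": bool(value >> 31),
        "facility": FACILITIES.get(facility, f"facility {facility}"),
        "code": value & 0xFFFF,
        "name": KNOWN.get(value, "unknown"),
    }

def find_code(lines, wanted="0x80090327"):
    """Return (line_number, matched_text) for every spelling of `wanted`."""
    target, hits = normalize(wanted), []
    for number, line in enumerate(lines, 1):
        for match in CODE_RE.finditer(line):
            try:
                if normalize(match.group()) == target:
                    hits.append((number, match.group()))
            except ValueError:
                pass  # a 10-digit number that does not fit in 32 bits
    return hits

if __name__ == "__main__":
    print(decode_hresult("-2146893017"))
    print(find_code(SAMPLE_LOG))
```
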

Frequently asked questions

What does the Windows error code 0x80090327 mean?
It is the Win32 / NTSTATUS code SEC_E_DOWNGRADE_DETECTED (decimal -2146893017). The system detected a possible attempt to compromise security. Kerberos downgrade attack detected.

How do I decode 0x80090327 in PowerShell?
Run [ComponentModel.Win32Exception]::new(-2146893017).Message in any PowerShell session. For HRESULT-style codes, use err.exe from the Windows SDK or the WinDbg !error command.

Where does Windows typically log this error?
It depends on the originating subsystem (Windows Update → %WinDir%\WindowsUpdate.log; AD/Kerberos → Security event log on the DC; BSOD → minidump under C:\Windows\Minidump; MSI → %TEMP%\msi*.log; WMI → Microsoft-Windows-WMI-Activity). Always cross-reference the timestamp and module name with the Application and System event logs.

Is this code recoverable?
Critical-severity codes usually require kernel-level investigation (driver, hardware, system file repair). Error and warning codes are typically recoverable through the troubleshooting workflow on this page — start with the elevated-shell + log review steps.

Should I open a Microsoft support case for this?
Open a case if the error reproduces after applying the troubleshooting steps, particularly if it blocks production workloads, occurs across multiple endpoints, or is associated with a security boundary (BitLocker recovery, Kerberos failure, DCOM hardening, SmartScreen / WDAC). Have a fresh CBS log, minidump, or Get-WinEvent export ready before opening the case.