Documentation · Troubleshooting

Errors you might actually hit.

Organized by where in the flow the problem surfaces: sign-in, pre-flight, collection, timestamping, verification. Every error Krellix shows has a user-facing code you can search for on this page.

AADSTS90094 — Consent required

Microsoft is telling you admin consent hasn't been granted for one of the scopes Krellix is requesting. This is the most common first-sign-in error on Enterprise tenants with restrictive consent policies.

Fix: a tenant admin needs to approve admin consent. See the walkthrough. If the operator is not an admin themselves, forward them this page — the admin can grant consent from the Entra admin center in under a minute.

AADSTS50020 — User account not found in tenant

The sign-in succeeded against a personal Microsoft account (MSA), but you were trying to sign into a work tenant. This happens when a user's email address is also registered as a personal MSA.

Fix: on the sign-in screen, when Microsoft shows the “Personal account” vs “Work or school account” prompt, pick Work or school. If you don't see the prompt, try signing in from an InPrivate window to clear cached MSA state.

SmartScreen: “Windows protected your PC” on install

The Krellix installer is signed with a DigiCert EV certificate, so you should not see this. If you do, you may be running a pre-release build or an installer from an untrusted source.

Fix: verify the file's signature. Right-click the installer, choose Properties → Digital Signatures, and confirm the signer is “Cole Christopher Solutions LLC” with a valid DigiCert chain. If the signature is missing or invalid, re-download from the link in your trial email — don't install.

Pre-flight errors

403 on MailFolders pre-flight probe

You're authorized to sign in but not authorized to read the target mailbox. In Enterprise mode, this almost always means the Add-MailboxPermission step hasn't been done for this custodian, or was done but hasn't propagated yet.

Fix: have a tenant admin run the command in Enterprise setup. After the command succeeds, sign out of Krellix and sign back in to force a fresh access token. Token caches on the operator side can take up to 60 minutes to refresh otherwise.

404 on custodian lookup

The UPN you entered does not exist in this tenant. Common causes: typo, mailbox belongs to a different tenant, account was disabled/deleted, or you're signed in to the wrong tenant entirely.

Fix: open the Microsoft 365 admin center and confirm the custodian's UPN exactly as written. UPNs are often different from primary SMTP addresses — some organizations use first.last@tenant.onmicrosoft.com as the UPN even when mail routes to first.last@company.com.

403 on OneDrive or SharePoint probe

The operator is missing a role or site membership. Files.Read.All and Sites.Read.All are delegated scopes gated by the operator's Entra role and SharePoint site membership — the scope alone doesn't open access.

Fix: the simplest path is to add the operator to one of these Entra roles: Global Reader, Compliance Administrator, or eDiscovery Manager. Alternatively, the tenant admin can add the operator as a site member (Read permission is enough) on every SharePoint site the collection touches.

Collection errors

429 — Request throttled

Microsoft Graph rate-limited a call. Krellix handles this automatically: it honors the Retry-After header and resumes. You shouldn't need to intervene unless throttling persists for more than 10 minutes, in which case the tenant may have a reduced Graph quota.

Fix: wait it out. If throttling persists, run collections outside peak Exchange activity hours for your region (typically 0800–1100 local). Krellix writes the 429 events to 05_Logs/ so you can produce them if asked.

InvalidAuthenticationToken mid-collection

The access token expired and the refresh token didn't renew it — usually because the refresh token itself was revoked (sign-out on another device, admin revocation, Conditional Access policy change).

Fix: Krellix prompts you to re-sign-in. The collection resumes from the last successful message. No data is lost; the manifest records that the collection had a re-auth event in the middle.

Message could not be serialized

A specific message is corrupt in the source mailbox (usually very old messages with non-standard MIME encoding, or messages that Outlook's offline cache has partially synced). Krellix skips the message, logs it to 04_Reports/SkippedItems.csv, and continues.

Fix: review SkippedItems.csv after the collection. For each skipped message, try opening it in the source mailbox; usually the message is unrecoverable at the source too. The manifest discloses the count of skipped items so opposing counsel can't claim you hid something.

Timestamping errors

TSA request timed out

The first-choice Time Stamp Authority didn't respond within 30 seconds. Krellix automatically falls back to Sectigo, then GlobalSign. If all three fail, the collection is written to disk but not sealed — you'll see “Collection unsealed” in the summary screen.

Fix: check your internet connection. If the outbound network is healthy, the TSAs may all be having a bad day (rare). Click Retry timestamp — Krellix will try each TSA again, in order, without re-running the collection. When one succeeds, the export is sealed and the manifest updated.

TSA request rejected at network egress

Your firewall is blocking outbound HTTPS to the TSA endpoints. This is common in tightly-controlled corporate networks.

Fix: allow outbound HTTPS to timestamp.digicert.com, timestamp.sectigo.com, and timestamp.globalsign.com/tsa/r6advanced1. These are the default Krellix TSA endpoints; they're public, WebTrust-audited, and used by every major code-signing tool. Your IT team can allowlist them by hostname.

Verification errors

sha256sum reports FAILED on a file

One or more files in the export have been modified since collection, or the file is corrupt on disk.

Fix: do not ship the export. Re-run the collection. If the failure is on a file that appears corrupt on disk (common on USB drives with silent bit-rot), copy from a known-good backup. Do not try to re-hash and overwrite the manifest — that invalidates the TSA timestamp.

openssl ts -verify returns “message imprint mismatch”

The manifest hash in the .tsr doesn't match the current hash of ChainOfCustody.json. Something has modified the manifest since Krellix sealed it.

Fix: treat the collection as unsealed. If you have a backup of the export in its sealed state, restore it. Otherwise the collection's defensibility is compromised and you'll need to re-run.

unable to get local issuer certificate

The TSA.pem file is missing or truncated, or you're running the verify command from outside the 07_TimestampMaterials/ folder and OpenSSL can't find it.

Fix: run the command from inside 07_TimestampMaterials/ so relative paths resolve. If TSA.pem is missing or empty, the export was damaged — don't rely on it. Look for the original zipped export and re-extract.

Still stuck?

Email support@krellix.app with the error code and, if relevant, the tail of 05_Logs/. You'll hear back from the founder the same business day. No tier-one, no ticket system — direct email works.