Event id 4769 - A Kerberos service ticket was requested
Json log sample
{
"EventTime": "2017/11/17 04:04:12"
"Hostname": "MPWXDC.changeme.local"
"Keywords": -9214364837600034816
"EventType": "AUDIT_SUCCESS"
"SeverityValue": 2
"Severity": "INFO"
"EventID": 4769
"SourceName": "Microsoft-Windows-Security-Auditing"
"ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}"
"Version": 0
"Task": 14337
"OpcodeValue": 0
"RecordNumber": 614391031
"ProcessID": 824
"ThreadID": 25536
"Channel": "Security"
"Message": "A Kerberos service ticket was requested."
"Category": "Kerberos Service Ticket Operations"
"Opcode": "Info"
"TargetUserName": "Ann Marchant@changeme.LOCAL"
"TargetDomainName": "changeme.LOCAL"
"ServiceName": "MPWX04"
"ServiceSid": "S-1-5-21-343361891-1219768270-4058147650-3809"
"TicketOptions": "0x40810000"
"TicketEncryptionType": "0x12"
"IpAddress": "::ffff:172.16.0.97"
"IpPort": "61235"
"Status": "0x0"
"LogonGuid": "{CCD4CD7D-0391-9A75-1ACD-E8707F826A29}"
"TransmittedServices": "-"
"EventReceivedTime": "2017/11/17 04:04:12"
"SourceModuleName": "wineventlog_in"
"SourceModuleType": "im_msvistalog"
}
This event ID is logged both for successful and failed service ticket requests. In case of failure event various status code are generated as shown below. Event ID 4768 tracks initial logons through the granting of TGTs whereas 4769 monitors granting of service tickets. Service tickets are obtained whenever a user or computer accesses a server on the network.
Note: Windows logs other instances of event ID 4768 when a computer in the domain needs to authenticate to the DC typically when a workstation boots up or a server restarts. In these instances, you'll find a computer name in the User Name and fields. Computer generated kerberos events are always identifiable by the $ after the computer account's name.
Target User Information:
"TargetUserSid" -> SID of an account
"TargetUserName" -> user who logged in
"TargetDomainName" -> domain name of user
This provides an information about the user who was just granted an authentication.
Status:
| status | reason | description | |
| 0x0 | No error | ||
| 0x1 | Client's entry in database has expired | ||
| 0x2 | Server's entry in database has expired | ||
| 0x3 | Requested protocol version # not supported | ||
| 0x4 | Client's key encrypted in old master key | ||
| 0x5 | Server's key encrypted in old master key | ||
| 0x6 | Client not found in Kerberos database | Bad user name, or new computer/user account has not replicated to DC yet | |
| 0x7 | Server not found in Kerberos database | New computer account has not replicated yet or computer is pre-w2k | |
| 0x8 | Multiple principal entries in database | ||
| 0x9 | The client or server has a null key | administrator should reset the password on the account | |
| 0xA | Ticket not eligible for postdating | ||
| 0xB | Requested start time is later than end time | ||
| 0xC | KDC policy rejects request | Workstation restriction | |
| 0xD | KDC cannot accommodate requested option | ||
| 0xE | KDC has no support for encryption type | ||
| 0xF | KDC has no support for checksum type | ||
| 0x10 | KDC has no support for padata type | ||
| 0x11 | KDC has no support for transited type | ||
| 0x12 | Clients credentials have been revoked | Account disabled, expired, locked out, logon hours. | |
| 0x13 | Credentials for server have been revoked | ||
| 0x14 | TGT has been revoked | ||
| 0x15 | Client not yet valid - try again later | ||
| 0x16 | Server not yet valid - try again later | ||
| 0x17 | Password has expired | The user's password has expired. | |
| 0x18 | Pre-authentication information was invalid | Usually means bad password | |
| 0x19 | Additional pre-authentication required* | ||
| 0x1F | Integrity check on decrypted field failed | ||
| 0x20 | Ticket expired | Frequently logged by computer accounts | |
| 0x21 | Ticket not yet valid | ||
| 0x21 | Ticket not yet valid | ||
| 0x22 | Request is a replay | ||
| 0x23 | The ticket isn't for us | ||
| 0x24 | Ticket and authenticator don't match | ||
| 0x25 | Clock skew too great | Workstations clock too far out of sync with the DCs | |
| 0x26 | Incorrect net address | IP address change? | |
| 0x27 | Protocol version mismatch | ||
| 0x28 | Invalid msg type | ||
| 0x29 | Message stream modified | ||
| 0x2A | Message out of order | ||
| 0x2C | Specified version of key is not available | ||
| 0x2D | Service key not available | ||
| 0x2E | Mutual authentication failed | may be a memory allocation failure | |
| 0x2F | Incorrect message direction | ||
| 0x30 | Alternative authentication method required* | ||
| 0x31 | Incorrect sequence number in message | ||
| 0x32 | Inappropriate type of checksum in message | ||
| 0x3C | Generic error (description in e-text) | ||
| 0x3D | Field is too long for this implementation |
Network Information:
"IpAddress" -> IP address of the computer where the user is physically present
"IpPort" -> source TCP port of the logon request
"WorkstationName" -> the computer name of the computer where the user is physically present. Workstation may be blank in some Kerberos logons.
No comments:
Post a Comment