D
debbasu
Guest
Hi All,
Can you please help me to find out the reason of following issue.
In our domain after enabling audit we found that huge numbers(around 50k) of Kerberos pre-authentication failed(4771) security failure events are generating in DCs. If any one can explain why this events are generating so frequently. However I found no account lockout has happened. One sample event is as follows.
"
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2019-08-05 09:40:05
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: domain\user
Account Name: user
Service Information:
Service Name: krbtgt/domain.com
Network Information:
Client Address: ::ffff:IP_address
Client Port: 57415
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
"
I can see that in few cases more than 100 events generated in 30 mins for one user. But no account lockout happened of that user because the failure code is 0x18.
I have checked that account lockout policy is also not satisfying for account unlocking. policy is as below.
Account Policies/Account Lockout Policy
Account lockout duration 0 minutes
Account lockout threshold 10 invalid logon attempts
Reset account lockout counter after 30 minutes
The reported users may use hand-held devices(certificate based) and can use multiple machines. I found the time difference between DC and End computers used by those affected users.
Please anyone can help me to investigate the root cause of huge numbers of logon failure/4771 events in our domain.
Continue reading...
Can you please help me to find out the reason of following issue.
In our domain after enabling audit we found that huge numbers(around 50k) of Kerberos pre-authentication failed(4771) security failure events are generating in DCs. If any one can explain why this events are generating so frequently. However I found no account lockout has happened. One sample event is as follows.
"
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2019-08-05 09:40:05
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC.domain.com
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: domain\user
Account Name: user
Service Information:
Service Name: krbtgt/domain.com
Network Information:
Client Address: ::ffff:IP_address
Client Port: 57415
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
"
I can see that in few cases more than 100 events generated in 30 mins for one user. But no account lockout happened of that user because the failure code is 0x18.
I have checked that account lockout policy is also not satisfying for account unlocking. policy is as below.
Account Policies/Account Lockout Policy
Account lockout duration 0 minutes
Account lockout threshold 10 invalid logon attempts
Reset account lockout counter after 30 minutes
The reported users may use hand-held devices(certificate based) and can use multiple machines. I found the time difference between DC and End computers used by those affected users.
Please anyone can help me to investigate the root cause of huge numbers of logon failure/4771 events in our domain.
Continue reading...