Service Name field filled with "krbtgt"...
Posted 2/10/2015 4:50:30 AM
Forum Newbie
Group: Forum Members
Last Login: 3/5/2015 1:56:26 AM
Posts: 3, Visits: 64
It seems that the Service Name field in an event 673 will record the computer name of the server accessed by the user account. But I also saw many 673s with a Service Name of "krbtgt." Does anybody know what's the meaning of it? I know it's the abbreviation of Kerberos ticket granting ticket or something, just as what we will see in 672. But what does it mean when it appears in event 673?
Post #2806
Posted 2/11/2015 9:09:31 PM
Supreme Being
Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 212, Visits: 0
The Service Name field identifies which service the DC granted the user a ticket for, so this can be a workstation or the krbtgt service: https://msdn.microsoft.com/en-us/library/bb742435.aspx
Post #2809
Posted 2/11/2015 10:38:32 PM
Forum Newbie
Group: Forum Members
Last Login: 3/5/2015 1:56:26 AM
Posts: 3, Visits: 64
Thanks for the reply.

I still may not fully understand, so I would like to discuss it more. In the referenced article it is stated that "You'll also see occasional instances of event ID 673 in which the User Name is a normal user account and the Service ID field is krbtgt." (It should be Service Name rather than Service ID?) But in my environment indeed I could see lots of such instances, counting up to around 20% of all 673s for a given period.

To my understanding, a domain account user first connects to the DC for a Kerberos TGT (and this is recorded as 672). After that, any subsequent access to a system in the forest will further require a service ticket from the DC, which is recorded as 673. It is intuitive that one accesses a system and requires a service ticket to that system, where the Service Name is filled with the name of that system (the computer name of a file server, for example). My question is: what does it mean for a service ticket to be granted for "krbtgt" itself? Or, practically speaking, can we safely ignore event 673s with a Service Name of "krbtgt"?

Post #2810
Posted 3/1/2015 7:58:17 PM
Supreme Being
Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 212, Visits: 0
Could you copy a few samples of the event in question?
Post #2814
Posted 3/3/2015 10:30:16 PM
Forum Newbie
Group: Forum Members
Last Login: 3/5/2015 1:56:26 AM
Posts: 3, Visits: 64
Two examples:
(I've masked the UserName and DomainName. They are the same for these two events, in case it matters.)

Ticket Encryption Type: 0x17, Failure Code: -, EventCode: 673, Client Address: 10.5.9.34, Ticket Options: 0x60810010, User Domain: YYY, ts: 1422500393, Service ID: %S-1-5-21-1172717557-2008772951-1947940980-502, User Name: XXX$@YYY, Transited Services: -, Service Name: krbtgt, Logon GUID: 5029c8bc-e64c-d069-b24b-0d3f04176fc8

Ticket Encryption Type: -, Failure Code: 0xE, EventCode: 673, Client Address: 10.5.9.34, Ticket Options: 0x60810010, User Domain: YYY, ts: 1422500393, Service ID: -, User Name: XXX$@PH.TRENDNET.ORG, Transited Services: -, Service Name: krbtgt/YYY, Logon GUID: -

Indeed, I even saw some Domain Account Names appear in the Service Name field. I don't know the meaning of that either.
Post #2818
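The two records quoted above, run through a small triage script that is added here as an example and is not code from the thread or from any product it mentions. It parses the "Field: value, Field: value" layout shown in the post, flags 673s whose target is the TGS itself (`krbtgt` or `krbtgt/REALM`), decodes the Failure Code and the renew/validate option bits from RFC 4120, and cross-checks the Service ID against the krbtgt account's well-known RID 502; the third record, its names and its address are constructed placeholders.

```python
from collections import Counter
# The two records quoted in the post above plus one constructed non-krbtgt record
# (placeholder names); all use the "Field: value, Field: value" layout shown in the thread.
SAMPLE_673 = [
    "Ticket Encryption Type: 0x17, Failure Code: -, EventCode: 673, Client Address: 10.5.9.34, "
    "Ticket Options: 0x60810010, User Domain: YYY, ts: 1422500393, Service ID: "
    "%S-1-5-21-1172717557-2008772951-1947940980-502, User Name: XXX$@YYY, Transited Services: -, "
    "Service Name: krbtgt, Logon GUID: 5029c8bc-e64c-d069-b24b-0d3f04176fc8",
    "Ticket Encryption Type: -, Failure Code: 0xE, EventCode: 673, Client Address: 10.5.9.34, "
    "Ticket Options: 0x60810010, User Domain: YYY, ts: 1422500393, Service ID: -, User Name: "
    "XXX$@PH.TRENDNET.ORG, Transited Services: -, Service Name: krbtgt/YYY, Logon GUID: -",
    "Ticket Encryption Type: 0x17, Failure Code: -, EventCode: 673, Client Address: 10.5.9.40, "
    "Ticket Options: 0x40810000, User Domain: YYY, ts: 1422500400, Service ID: -, User Name: "
    "user1@YYY, Transited Services: -, Service Name: FILESRV01$, Logon GUID: -",
]
KDC_OPT_RENEW, KDC_OPT_VALIDATE = 0x2, 0x1  # RFC 4120 KDCOptions bits 30 (renew) and 31 (validate)
KRB_ERR = {"0xE": "KDC_ERR_ETYPE_NOSUPP", "0x18": "KDC_ERR_PREAUTH_FAILED"}  # RFC 4120 codes 14, 24

def parse_event(line):
    """Split a 'Field: value, Field: value' record into a dict (assumes values hold no ', ')."""
    rec = {}
    for field in line.split(", "):
        key, sep, value = field.partition(": ")
        if sep:
            rec[key] = value
    return rec

def triage(rec):
    """Is the target the TGS itself (krbtgt or krbtgt/REALM)? A renew/validate request?
    Did it fail? Does Service ID agree with the name (the krbtgt account always has RID 502)?"""
    is_krbtgt = rec.get("Service Name", "-").split("/")[0].lower() == "krbtgt"
    opts = int(rec.get("Ticket Options", "0x0"), 16)
    sid, failure = rec.get("Service ID", "-"), rec.get("Failure Code", "-")
    code = None if failure == "-" else "0x%X" % int(failure, 16)  # normalise hex spelling
    return {"krbtgt": is_krbtgt, "renewal": bool(opts & (KDC_OPT_RENEW | KDC_OPT_VALIDATE)),
            "failed": code is not None, "failure_name": KRB_ERR.get(code, code),
            "sid_matches_name": not is_krbtgt or sid == "-" or sid.endswith("-502")}

def summarize(lines):
    """Counts worth reviewing: share of krbtgt-targeted 673s, their failures, their sources."""
    krbtgt, failures, clients = 0, Counter(), Counter()
    for rec in map(parse_event, lines):
        t = triage(rec)
        if t["krbtgt"]:
            krbtgt += 1
            clients[rec.get("Client Address", "-")] += 1
            if t["failed"]:
                failures[t["failure_name"]] += 1
    return {"total": len(lines), "krbtgt": krbtgt, "krbtgt_failures": dict(failures),
            "krbtgt_share": round(krbtgt / len(lines), 3) if lines else 0.0, "krbtgt_clients": dict(clients)}
```

On the quoted records the first is a successful, non-renewal service ticket for krbtgt whose Service ID ends in RID 502 as expected, and the second failed with KDC_ERR_ETYPE_NOSUPP, which is why its Ticket Encryption Type is "-".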
Posted 4/7/2015 10:22:11 PM
Supreme Being
Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 212, Visits: 0
I have observed similar activity. I do not think this is a security issue, and you may be able to safely ignore it if you haven't noticed additional anomalous activity.
Post #3254