Tracking interactive logons
Posted 4/16/2010 9:26:27 AM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326, Visits: 0
You will only get these events from domain controllers
Post #359
Posted 4/16/2010 11:32:33 AM
Junior Member
Group: Forum Members
Last Login: 6/21/2010 2:44:06 PM
Posts: 10, Visits: 29
Yes, I know. I am looking at the DC logs and do not see them.
Or do you mean that when a user on a workstation tries to log in and mistypes their password, the workstation will not generate the 4771/4772 events?
Is there a way, by looking at the DC logs and Kerberos-related events, to tell which user did not authenticate properly and failed to log in from a workstation?
Post #362
Posted 4/30/2010 12:17:48 PM
Junior Member
Group: Forum Members
Last Login: 6/21/2010 2:44:06 PM
Posts: 10, Visits: 29
For domain-joined workstations, we are trying to identify interactive domain logon failures. How would you identify domain interactive logon failures in the logs on the DC?
Post #368
Posted 5/4/2010 7:19:37 PM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326, Visits: 0
There's no definite way to do that because the DC doesn't know what kind of logon is taking place at the computer. In Windows, logon and authentication are related but not the same thing. Authentication is done by and logged at the DC, while the logon takes place and is logged at the computer being accessed.

That being said, there is a pattern of events you can look for at the DC from which you can pretty dependably "infer" that an interactive logon took place. 

672 - identifies the user and "client address" bears the IP address of user's workstation

673 - "service name" = workstation name, so should client IP address

673 - "service name" = name of the DC, client IP matches user's workstation IP

673 - "service name" = krbtgt, client IP matches user's workstation IP

Sequence not guaranteed, but all 4 events will be very close in time; < 2 seconds should be good.

This particular pattern of 4 events indicates an interactive logon because

you always have to get an Authentication Ticket (672) and a service ticket (673) to krbtgt. To log on to any computer you have to get a service ticket to the computer (673), but if it is an interactive logon you have to also get a service ticket to the DC for the workstation to read group policy under your credentials.

Post #373
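To make the four-event rule concrete, here is a small detection script that applies it to DC log records. It is an added example, not code from the post or from any product; the record fields, host names (WS01$, DC01$, FILESRV$, WS02$), IP addresses and timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

def _ts(hms):
    # Helper for the constructed sample: all events fall on one day.
    return datetime.strptime(f"2010-05-04 {hms}", "%Y-%m-%d %H:%M:%S.%f")

# Constructed sample of 672/673 records with the fields the post relies on
# (user, client address, service name). Not real log data.
SAMPLE_EVENTS = [
    # alice from 10.0.0.15: krbtgt + workstation + DC tickets within 2 s -> interactive
    {"id": 672, "time": _ts("08:00:00.000"), "user": "alice", "client": "10.0.0.15", "service": None},
    {"id": 673, "time": _ts("08:00:00.300"), "user": "alice", "client": "10.0.0.15", "service": "WS01$"},
    {"id": 673, "time": _ts("08:00:00.700"), "user": "alice", "client": "10.0.0.15", "service": "DC01$"},
    {"id": 673, "time": _ts("08:00:01.100"), "user": "alice", "client": "10.0.0.15", "service": "krbtgt"},
    # bob from 10.0.0.22: no service ticket to the DC -> network access, not interactive
    {"id": 672, "time": _ts("08:05:00.000"), "user": "bob", "client": "10.0.0.22", "service": None},
    {"id": 673, "time": _ts("08:05:00.200"), "user": "bob", "client": "10.0.0.22", "service": "krbtgt"},
    {"id": 673, "time": _ts("08:05:00.500"), "user": "bob", "client": "10.0.0.22", "service": "FILESRV$"},
    # carol from 10.0.0.30: DC ticket arrives 5 s later -> outside the 2 s window
    {"id": 672, "time": _ts("08:10:00.000"), "user": "carol", "client": "10.0.0.30", "service": None},
    {"id": 673, "time": _ts("08:10:00.400"), "user": "carol", "client": "10.0.0.30", "service": "WS02$"},
    {"id": 673, "time": _ts("08:10:00.600"), "user": "carol", "client": "10.0.0.30", "service": "krbtgt"},
    {"id": 673, "time": _ts("08:10:05.000"), "user": "carol", "client": "10.0.0.30", "service": "DC01$"},
]

def infer_interactive_logons(events, dc_name, window_seconds=2.0):
    """Return (user, client_ip, time) for each 672 that has, within the window
    (in either direction, since the post says order is not guaranteed) and from
    the same user and client address, 673s for krbtgt, for the DC, and for a
    third host taken to be the user's workstation."""
    window = timedelta(seconds=window_seconds)
    dc = dc_name.lower()
    found = []
    for e in events:
        if e["id"] != 672:
            continue
        services = {
            x["service"].lower() for x in events
            if x["id"] == 673 and x["user"] == e["user"] and x["client"] == e["client"]
            and abs(x["time"] - e["time"]) <= window
        }
        has_workstation = any(s not in {"krbtgt", dc} for s in services)
        if "krbtgt" in services and dc in services and has_workstation:
            found.append((e["user"], e["client"], e["time"]))
    return found

if __name__ == "__main__":
    for user, ip, when in infer_interactive_logons(SAMPLE_EVENTS, "DC01$"):
        print(f"{when:%H:%M:%S} interactive logon inferred: {user} from {ip}")
```

Widening the window (for example to 10 seconds) would also match carol, which shows why the post's 2-second bound matters for avoiding false positives.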
Posted 10/7/2011 6:36:41 PM
Forum Newbie
Group: Forum Members
Last Login: 10/7/2011 5:49:09 PM
Posts: 1, Visits: 0
Randy, 

Am I right in inferring from your earlier comments on this thread, that one should see NO type 2 logons on the DC unless they are someone logging in interactively onto the DC itself?

Thanks.

Post #811
Posted 11/14/2011 8:31:41 AM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326, Visits: 0
Yes.
Post #844