EventID: 4771 Kerberos pre-authentication...
Posted 11/27/2019 2:14:55 PM
Forum Newbie


Group: Forum Members
Last Login: 7/13/2016 1:48:11 PM
Posts: 1, Visits: 0
By the IP address I know the computer it's happening on but have no clue what the next step is. There is no info on which process other than a PID that's not in Tasklist when I run it.
Any help would be appreciated.

> Get-WinEvent -FilterHashtable @{LogName = 'Security';data='michael.blower';keywords='4503599627370496'} | select -First 1 -Property *

Message : Kerberos pre-authentication failed.

Account Information:
Security ID: S-1-5-21-1313590716-3451039330-1803141829-9999
Account Name: michael.blower

Service Information:
Service Name: krbtgt/xxxxxxxxx

Network Information:
Client Address: ::ffff:192.168.1.187
Client Port: 52766

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many
fields in this event might not be present.
Id : 4771
Version : 0
Qualifiers :
Level : 0
Task : 14339
Opcode : 0
Keywords : -9218868437227405312
RecordId : 557551219
ProviderName : Microsoft-Windows-Security-Auditing
ProviderId : 54849625-5478-4994-a5ba-3e3b0328c30d
LogName : Security
ProcessId : 792
ThreadId : 10784
MachineName : SERVER.xxxxxxx.COM
UserId :
TimeCreated : 11/27/2019 10:49:38 AM
ActivityId :
RelatedActivityId :
ContainerLog : security
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Information
OpcodeDisplayName : Info
TaskDisplayName : Kerberos Authentication Service
KeywordsDisplayNames : {Audit Failure}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty...}

> Get-WinEvent -FilterHashtable @{LogName = 'Security';data='michael.blower';keywords='4503599627370496'} | select -First 5 -Property *


Message : Kerberos pre-authentication failed.

Account Information:
Security ID: S-1-5-21-1313590716-3451039330-1803141829-9999
Account Name: michael.blower

Service Information:
Service Name: krbtgt/xxxxxxxx

Network Information:
Client Address: ::ffff:192.168.1.187
Client Port: 52766

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many
fields in this event might not be present.
Id : 4771
Version : 0
Qualifiers :
Level : 0
Task : 14339
Opcode : 0
Keywords : -9218868437227405312
RecordId : 557551219
ProviderName : Microsoft-Windows-Security-Auditing
ProviderId : 54849625-5478-4994-a5ba-3e3b0328c30d
LogName : Security
ProcessId : 792
ThreadId : 10784
MachineName : SERVER.xxxxxxx.COM
UserId :
TimeCreated : 11/27/2019 10:49:38 AM
ActivityId :
RelatedActivityId :
ContainerLog : security
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Information
OpcodeDisplayName : Info
TaskDisplayName : Kerberos Authentication Service
KeywordsDisplayNames : {Audit Failure}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty...}

Message : Kerberos pre-authentication failed.

Account Information:
Security ID: S-1-5-21-1313590716-3451039330-1803141829-9999
Account Name: michael.blower

Service Information:
Service Name: krbtgt/xxxxxx

Network Information:
Client Address: ::ffff:192.168.1.187
Client Port: 52504

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many
fields in this event might not be present.
Id : 4771
Version : 0
Qualifiers :
Level : 0
Task : 14339
Opcode : 0
Keywords : -9218868437227405312
RecordId : 557550267
ProviderName : Microsoft-Windows-Security-Auditing
ProviderId : 54849625-5478-4994-a5ba-3e3b0328c30d
LogName : Security
ProcessId : 792
ThreadId : 6984
MachineName : SERVER.xxxxxx.COM
UserId :
TimeCreated : 11/27/2019 10:45:43 AM
ActivityId :
RelatedActivityId :
ContainerLog : security
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Information
OpcodeDisplayName : Info
TaskDisplayName : Kerberos Authentication Service
KeywordsDisplayNames : {Audit Failure}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty...}

Message : Kerberos pre-authentication failed.

Account Information:
Security ID: S-1-5-21-1313590716-3451039330-1803141829-9999
Account Name: michael.blower

Service Information:
Service Name: krbtgt/xxxxxx

Network Information:
Client Address: ::ffff:192.168.1.187
Client Port: 52500

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many
fields in this event might not be present.
Id : 4771
Version : 0
Qualifiers :
Level : 0
Task : 14339
Opcode : 0
Keywords : -9218868437227405312
RecordId : 557550255
ProviderName : Microsoft-Windows-Security-Auditing
ProviderId : 54849625-5478-4994-a5ba-3e3b0328c30d
LogName : Security
ProcessId : 792
ThreadId : 1620
MachineName : SERVER.xxxxxxx.COM
UserId :
TimeCreated : 11/27/2019 10:45:39 AM
ActivityId :
RelatedActivityId :
ContainerLog : security
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Information
OpcodeDisplayName : Info
TaskDisplayName : Kerberos Authentication Service
KeywordsDisplayNames : {Audit Failure}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty...}

Message : Kerberos pre-authentication failed.

Account Information:
Security ID: S-1-5-21-1313590716-3451039330-1803141829-9999
Account Name: michael.blower

Service Information:
Service Name: krbtgt/xxxxxxx

Network Information:
Client Address: ::ffff:192.168.1.187
Client Port: 52498

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many
fields in this event might not be present.
Id : 4771
Version : 0
Qualifiers :
Level : 0
Task : 14339
Opcode : 0
Keywords : -9218868437227405312
RecordId : 557550254
ProviderName : Microsoft-Windows-Security-Auditing
ProviderId :
LogName : Security
ProcessId : 792
ThreadId : 1620
MachineName : SERVER.xxxxxx.COM
UserId :
TimeCreated : 11/27/2019 10:45:39 AM
ActivityId :
RelatedActivityId :
ContainerLog : security
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Information
OpcodeDisplayName : Info
TaskDisplayName : Kerberos Authentication Service
KeywordsDisplayNames : {Audit Failure}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty...}

Message : Kerberos pre-authentication failed.

Account Information:
Security ID: S-1-5-21-1313590716-3451039330-1803141829-9999
Account Name: michael.blower

Service Information:
Service Name: krbtgt/xxxxxxx

Network Information:
Client Address: ::ffff:192.168.1.187
Client Port: 52496

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many
fields in this event might not be present.
Id : 4771
Version : 0
Qualifiers :
Level : 0
Task : 14339
Opcode : 0
Keywords : -9218868437227405312
RecordId : 557550253
ProviderName : Microsoft-Windows-Security-Auditing
ProviderId : 54849625-5478-4994-a5ba-3e3b0328c30d
LogName : Security
ProcessId : 792
ThreadId : 1620
MachineName : SERVER.xxxxxx.COM
UserId :
TimeCreated : 11/27/2019 10:45:39 AM
ActivityId :
RelatedActivityId :
ContainerLog : security
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Information
OpcodeDisplayName : Info
TaskDisplayName : Kerberos Authentication Service
KeywordsDisplayNames : {Audit Failure}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty...}
Post #8608
Posted 3/7/2020 10:56:44 AM
Junior Member


Group: Administrators
Last Login: 4/13/2009 5:07:47 PM
Posts: 22, Visits: 0
So the 0x18 most likely means a bad password. When you open taskman and click on the Services tab you do not see a PID of 792, correct?
Post #8619
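
An added example, not part of either post: it decodes the fields the 4771 records above carry (failure code, pre-authentication type, ticket options, IPv4-mapped client address) and summarises the attempts per client. The function name `ConvertFrom-Krb4771` is hypothetical, the lookup tables are a subset of the RFC 4120 values, and the sample records are constructed from the values shown in the thread, using the event's EventData field names (`TargetUserName`, `IpAddress`, `IpPort`, `Status`, `PreAuthType`, `TicketOptions`).

```powershell
# Lookup tables (subset): RFC 4120 error codes and pre-auth types, KDCOptions bit masks.
$FailureCode = @{ 0x06 = 'KDC_ERR_C_PRINCIPAL_UNKNOWN'; 0x12 = 'KDC_ERR_CLIENT_REVOKED'
                  0x17 = 'KDC_ERR_KEY_EXPIRED'; 0x18 = 'KDC_ERR_PREAUTH_FAILED'
                  0x25 = 'KRB_AP_ERR_SKEW' }
$PreAuthType = @{ 2 = 'PA-ENC-TIMESTAMP'; 16 = 'PA-PK-AS-REQ' }
# Bit 0 of KDCOptions is the most significant bit of the 32-bit value.
$KdcOption   = @{ 0x40000000 = 'forwardable'; 0x00800000 = 'renewable'
                  0x00010000 = 'canonicalize'; 0x00000010 = 'renewable-ok' }

# Hypothetical helper: turns one record's raw EventData fields into readable values.
function ConvertFrom-Krb4771 {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $code = [Convert]::ToInt32($Record.Status, 16)          # '0x18' -> 24
        $opts = [Convert]::ToInt64($Record.TicketOptions, 16)
        $fail = $FailureCode[$code]
        if (-not $fail) { $fail = "unlisted ($($Record.Status))" }
        $flags = $KdcOption.Keys | Sort-Object -Descending |
            Where-Object { $opts -band $_ } | ForEach-Object { $KdcOption[$_] }
        [pscustomobject]@{
            Time    = $Record.TimeCreated
            Account = $Record.TargetUserName
            Client  = $Record.IpAddress -replace '^::ffff:', ''  # IPv4-mapped IPv6 -> IPv4
            Port    = [int]$Record.IpPort
            Failure = $fail
            PreAuth = $PreAuthType[[int]$Record.PreAuthType]
            Options = $flags -join ','
        }
    }
}

# Constructed sample: the five records from the post, reduced to their EventData fields.
$sample = '10:49:38,52766','10:45:43,52504','10:45:39,52500','10:45:39,52498','10:45:39,52496' |
    ForEach-Object {
        $t, $p = $_ -split ','
        [pscustomobject]@{ TimeCreated = [datetime]"2019-11-27T$t"; TargetUserName = 'michael.blower'
            IpAddress = '::ffff:192.168.1.187'; IpPort = $p; Status = '0x18'
            PreAuthType = '2'; TicketOptions = '0x40810010' }
    }

# One row per client/account/failure: attempt count, time window and source ports.
$sample | ConvertFrom-Krb4771 | Group-Object Client, Account, Failure | ForEach-Object {
    $g = @($_.Group | Sort-Object Time)
    [pscustomobject]@{
        Client = $g[0].Client; Account = $g[0].Account; Failure = $g[0].Failure
        PreAuth = $g[0].PreAuth; Options = $g[0].Options; Attempts = $g.Count
        First = $g[0].Time; Last = $g[-1].Time; Ports = $g.Port -join ','
    }
} | Format-List
```

On a live system the same named fields are in the EventData section of each record's XML (`$_.ToXml()`). The `ProcessId` property in the output above identifies the process that wrote the record on `MachineName`, so the process sending the requests has to be looked for on the host at the client address.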