Forum

Ultimate Windows Security Forum » Security Log » 4771 - Kerberos pre-authentication failed » EventID: 4771 Kerberos pre-authentication...

EventID: 4771 Kerberos pre-authentication...

Rate Topic

Display Mode

Topic Options

Author

Message

Michael.Blower

Posted 11/27/2019 2:14:55 PM

Forum Newbie

Group: Forum Members
Last Login: 7/13/2016 1:48:11 PM
Posts: 1, Visits: 0

By the IP address I know the computer its happening on but have no clue what the next step is. There is not info on which process other than a PID thats not in Tasklist when I run it.
Any help would be appreciated.

> Get-WinEvent -FilterHashtable @{LogName = 'Security';data='michael.blower';keywords='4503599
27370496'} | select -First 1 -Property *

Message : Kerberos pre-authentication failed.

Account Information:
Security ID: S-1-5-21-1313590716-3451039330-1803141829-9999
Account Name: michael.blower

Service Information:
Service Name: krbtgt/xxxxxxxxx

Network Information:
Client Address: ::ffff:192.168.1.187
Client Port: 52766

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many
fields in this event might not be present.
Id : 4771
Version : 0
Qualifiers :
Level : 0
Task : 14339
Opcode : 0
Keywords : -9218868437227405312
RecordId : 557551219
ProviderName : Microsoft-Windows-Security-Auditing
ProviderId : 54849625-5478-4994-a5ba-3e3b0328c30d
LogName : Security
ProcessId : 792
ThreadId : 10784
MachineName : SERVER.xxxxxxx.COM
UserId :
TimeCreated : 11/27/2019 10:49:38 AM
ActivityId :
RelatedActivityId :
ContainerLog : security
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Information
OpcodeDisplayName : Info
TaskDisplayName : Kerberos Authentication Service
KeywordsDisplayNames : {Audit Failure}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty...}

> Get-WinEvent -FilterHashtable @{LogName = 'Security';data='michael.blower';keywords='4503599
27370496'} | select -First 5 -Property *

Message : Kerberos pre-authentication failed.

Account Information:
Security ID: S-1-5-21-1313590716-3451039330-1803141829-9999
Account Name: michael.blower

Service Information:
Service Name: krbtgt/xxxxxxxx

Network Information:
Client Address: ::ffff:192.168.1.187
Client Port: 52766

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many
fields in this event might not be present.
Id : 4771
Version : 0
Qualifiers :
Level : 0
Task : 14339
Opcode : 0
Keywords : -9218868437227405312
RecordId : 557551219
ProviderName : Microsoft-Windows-Security-Auditing
ProviderId : 54849625-5478-4994-a5ba-3e3b0328c30d
LogName : Security
ProcessId : 792
ThreadId : 10784
MachineName : SERVER.xxxxxxx.COM
UserId :
TimeCreated : 11/27/2019 10:49:38 AM
ActivityId :
RelatedActivityId :
ContainerLog : security
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Information
OpcodeDisplayName : Info
TaskDisplayName : Kerberos Authentication Service
KeywordsDisplayNames : {Audit Failure}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty...}

Message : Kerberos pre-authentication failed.

Account Information:
Security ID: S-1-5-21-1313590716-3451039330-1803141829-9999
Account Name: michael.blower

Service Information:
Service Name: krbtgt/xxxxxx

Network Information:
Client Address: ::ffff:192.168.1.187
Client Port: 52504

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many
fields in this event might not be present.
Id : 4771
Version : 0
Qualifiers :
Level : 0
Task : 14339
Opcode : 0
Keywords : -9218868437227405312
RecordId : 557550267
ProviderName : Microsoft-Windows-Security-Auditing
ProviderId : 54849625-5478-4994-a5ba-3e3b0328c30d
LogName : Security
ProcessId : 792
ThreadId : 6984
MachineName : SERVER.xxxxxx.COM
UserId :
TimeCreated : 11/27/2019 10:45:43 AM
ActivityId :
RelatedActivityId :
ContainerLog : security
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Information
OpcodeDisplayName : Info
TaskDisplayName : Kerberos Authentication Service
KeywordsDisplayNames : {Audit Failure}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty...}

Message : Kerberos pre-authentication failed.

Account Information:
Security ID: S-1-5-21-1313590716-3451039330-1803141829-9999
Account Name: michael.blower

Service Information:
Service Name: krbtgt/xxxxxx

Network Information:
Client Address: ::ffff:192.168.1.187
Client Port: 52500

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many
fields in this event might not be present.
Id : 4771
Version : 0
Qualifiers :
Level : 0
Task : 14339
Opcode : 0
Keywords : -9218868437227405312
RecordId : 557550255
ProviderName : Microsoft-Windows-Security-Auditing
ProviderId : 54849625-5478-4994-a5ba-3e3b0328c30d
LogName : Security
ProcessId : 792
ThreadId : 1620
MachineName : SERVER.xxxxxxx.COM
UserId :
TimeCreated : 11/27/2019 10:45:39 AM
ActivityId :
RelatedActivityId :
ContainerLog : security
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Information
OpcodeDisplayName : Info
TaskDisplayName : Kerberos Authentication Service
KeywordsDisplayNames : {Audit Failure}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty...}

Message : Kerberos pre-authentication failed.

Account Information:
Security ID: S-1-5-21-1313590716-3451039330-1803141829-9999
Account Name: michael.blower

Service Information:
Service Name: krbtgt/xxxxxxx

Network Information:
Client Address: ::ffff:192.168.1.187
Client Port: 52498

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many
fields in this event might not be present.
Id : 4771
Version : 0
Qualifiers :
Level : 0
Task : 14339
Opcode : 0
Keywords : -9218868437227405312
RecordId : 557550254
ProviderName : Microsoft-Windows-Security-Auditing
ProviderId :
LogName : Security
ProcessId : 792
ThreadId : 1620
MachineName : SERVER.xxxxxx.COM
UserId :
TimeCreated : 11/27/2019 10:45:39 AM
ActivityId :
RelatedActivityId :
ContainerLog : security
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Information
OpcodeDisplayName : Info
TaskDisplayName : Kerberos Authentication Service
KeywordsDisplayNames : {Audit Failure}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty...}

Message : Kerberos pre-authentication failed.

Account Information:
Security ID: S-1-5-21-1313590716-3451039330-1803141829-9999
Account Name: michael.blower

Service Information:
Service Name: krbtgt/xxxxxxx

Network Information:
Client Address: ::ffff:192.168.1.187
Client Port: 52496

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many
fields in this event might not be present.
Id : 4771
Version : 0
Qualifiers :
Level : 0
Task : 14339
Opcode : 0
Keywords : -9218868437227405312
RecordId : 557550253
ProviderName : Microsoft-Windows-Security-Auditing
ProviderId : 54849625-5478-4994-a5ba-3e3b0328c30d
LogName : Security
ProcessId : 792
ThreadId : 1620
MachineName : SERVER.xxxxxx.COM
UserId :
TimeCreated : 11/27/2019 10:45:39 AM
ActivityId :
RelatedActivityId :
ContainerLog : security
MatchedQueryIds : {}
Bookmark : System.Diagnostics.Eventing.Reader.EventBookmark
LevelDisplayName : Information
OpcodeDisplayName : Info
TaskDisplayName : Kerberos Authentication Service
KeywordsDisplayNames : {Audit Failure}
Properties : {System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty,
System.Diagnostics.Eventing.Reader.EventProperty...}

Post #8608

bjvista

Posted 3/7/2020 10:56:44 AM

Junior Member

Group: Administrators
Last Login: 4/13/2009 5:07:47 PM
Posts: 23, Visits: 0

So the 0x18 most likely means a bad password. When you open taskman and click on the Servicecs tab you do not see a PID of 792, correct?

Post #8619

« Prev Topic | Next Topic »

Permissions

All times are GMT -5:00, Time now is 1:55am

Upcoming Webinars

Tier Zero: What It Is, Its Importance, Its Boundaries, and Detecting Out-of-Bounds Activity

Additional Resources

Home

Forum

User name:
Password:
	/ Forgot?
	Register

Home

About | Contact

Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2008 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk.