Windows Security Log Event ID 672
Operating Systems | Windows Server 2000, Windows 2003 and XP
Category | Account Logon
Type | Success, Failure
Corresponding events in Windows 2008 and Vista | 4768, 4772
672: Authentication Ticket Granted
This event varies depending on the OS.
Win2000
This event gets logged on domain controllers only.
At the beginning of the day, when a user sits down at his or her workstation and enters a domain username and password, the workstation contacts a local DC and requests a TGT. If the username and password are correct and the user account passes status and restriction checks, the DC grants the TGT and logs event ID 672 (authentication ticket granted). The User field for this event (and all other events in the Audit account logon event category) doesn't help you determine who the user was; the field always reads SYSTEM. Instead, look at the User Name and Supplied Realm Name fields, which identify the user who logged on and the user account's DNS suffix. The User ID field provides the same information in NT style.
Client Address identifies the IP address of the workstation from which the user logged on.
W2k logs other instances of event ID 672 when a computer in the domain needs to authenticate to the DC, typically when a workstation boots up or a server restarts. In these instances, you'll find a computer name in the User Name and User ID fields. Computer-generated Kerberos events are always identifiable by the $ after the computer account's name.
Win2003
This event is logged on domain controllers only, and both success and failure instances of this event are logged.
At the beginning of the day, when a user sits down at his or her workstation and enters a domain username and password, the workstation contacts a local DC and requests a TGT. If the username and password are correct and the user account passes status and restriction checks, the DC grants the TGT and logs event ID 672 (authentication ticket granted). The User field for this event (and all other events in the Audit account logon event category) doesn't help you determine who the user was; the field always reads SYSTEM. Instead, look at the User Name and Supplied Realm Name fields, which identify the user who logged on and the user account's DNS suffix. The User ID field provides the same information in NT style.
Client Address identifies the IP address of the workstation from which the user logged on.
W2k logs other instances of event ID 672 when a computer in the domain needs to authenticate to the DC, typically when a workstation boots up or a server restarts. In these instances, you'll find a computer name in the User Name and User ID fields. Computer-generated Kerberos events are always identifiable by the $ after the computer account's name.
In W2k, failed authentication ticket requests generate event ID 676, but in Win2003 this event is used for both successful and failed requests. The reason for the authentication failure is specified in Result Code.
Microsoft's Comments:
Does not contain any additional information if audit details from logon events 528 and 540 are already being collected. This event records that a Kerberos TGT was granted, actual access will not occur until a service ticket is granted, which is audited by Event 673. If the PATYPE is PKINIT, the logon was a smart card logon.
Server 2003:
- User Name: %1
- Supplied Realm Name: %2
- User ID: %3
- Service Name: %4
- Service ID: %5
- Ticket Options: %6
- Result Code: %7
- Ticket Encryption Type: %8
- Pre-Authentication Type: %9
- Client Address: %10
- Certificate Issuer Name: %11
- Certificate Serial Number: %12
- Certificate Thumbprint: %13
Win2000
Authentication Ticket Granted:
User Name:Administrator
Supplied Realm Name:ELMW2
User ID:ELMW2\administrator
Service Name:krbtgt
Service ID:ELMW2\krbtgt
Ticket Options:0x40810010
Ticket Encryption Type:0x17
Pre-Authentication Type:2
Client Address:127.0.0.1
Win2003
Authentication Ticket Request:
User Name:Administrator
Supplied Realm Name:elm.local
User ID:S-1-5-21-2121316058-685099279-904526279-500
Service Name:krbtgt
Service ID:ELM\krbtgt
Ticket Options:0x40810010
Result Code:-
Ticket Encryption Type:0x17
Pre-Authentication Type:2
Client Address:10.42.42.171
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
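The field guidance above, applied in code as an added example that is not from the original page: it parses an event 672 description, flags computer accounts by the trailing $, treats a Result Code of "-" as success (an assumption based on the Win2003 sample), and marks PKINIT pre-authentication as a smart card logon. The names parse_672 and triage_672, the PKINIT type numbers (taken from RFC 4120 and RFC 4556) and the two constructed records are assumptions, not values from the page.

```python
# PKINIT pre-authentication type numbers from RFC 4120 / RFC 4556 (assumption:
# the page names PKINIT but does not list the numeric values).
PKINIT_PA_TYPES = {14, 15, 16, 17}

def _to_int(text):
    """Parse '2' or '0x17'; return None for '-' or empty values."""
    try:
        return int(text, 16) if text.lower().startswith("0x") else int(text)
    except ValueError:
        return None

def parse_672(description):
    """Split 'Field Name:value' lines into a dict (values may contain ':')."""
    fields = {}
    for line in description.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields

def triage_672(description):
    """Report who asked for the TGT, from where, and how the request ended."""
    f = parse_672(description)
    user = f.get("User Name", "")
    # Assumption: '-' (or no Result Code field, as on Win2000) means success.
    result = f.get("Result Code", "-")
    return {
        "account": user,
        "realm": f.get("Supplied Realm Name", ""),
        "is_computer": user.endswith("$"),   # computer accounts end in $
        "client_address": f.get("Client Address", ""),
        "success": result in ("", "-"),
        "result_code": None if result in ("", "-") else result,
        "smart_card": _to_int(f.get("Pre-Authentication Type", "")) in PKINIT_PA_TYPES,
    }

# Win2003 sample from this page (only the fields used), then two constructed records.
PAGE_SAMPLE = """Authentication Ticket Request:
User Name:Administrator
Supplied Realm Name:elm.local
Result Code:-
Pre-Authentication Type:2
Client Address:10.42.42.171"""
CONSTRUCTED_FAILURE = "User Name:jdoe\nResult Code:0x12\nPre-Authentication Type:-\nClient Address:192.0.2.10"
CONSTRUCTED_COMPUTER = "User Name:WS01$\nResult Code:-\nPre-Authentication Type:2\nClient Address:192.0.2.20"

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED_FAILURE, CONSTRUCTED_COMPUTER):
        print(triage_672(sample))
```

Filtering out records where is_computer is true leaves the interactive user requests, and grouping failures by client_address shows which workstations the failed requests came from.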