Windows Security Log Event ID 4713

4713: Kerberos policy was changed

On this page

• Description of this event
• Field level details
• Examples
• Mini-seminars on this event

Windows logs 4713 when it detects a change to the the domain's Kerberos policy. Kerberos policy is defined in GPOs linked to the root of the domain under Computer Configuration\Windows Settings\Security Settings\Account Policy\Kerberos Policy.

Unfortunately the Subject fields don't identify who actually changed the policy because Kerberos policy isn't directly configured by administrators. Instead it is edited in a group policy object which then gets applied to the computer. Therefore this event always shows the local computer as the one who changed the policy since the computer is the security principal under which gpupdate runs.

Subject:

The ID and logon session of the user that changed the policy - always the local system - see note above.

• Security ID:  The SID of the account.
• Account Name: The account logon name.
• Account Domain: The domain or - in the case of local accounts - computer name.
• Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 4713

Changes Made:

The old and new values are displayed for each Kerberos policy.  These settings correspond to Computer Configuration\Windows Settings\Security Settings\Account Policy\Kerberos Policy in group policy.

KerOpts:	AuthenticationOptions	authentication options used in ADSI to bind to directory services objects ADS_SECURE_AUTHENTICATION 0x1, ADS_USE_ENCRYPTION 0x2, ADS_USE_SSL 0x2, ADS_READONLY_SERVER 0x4, ADS_PROMPT_CREDENTIALS 0x8, ADS_NO_AUTHENTICATION 0x10, ADS_FAST_BIND 0x20, ADS_USE_SIGNING 0x40, ADS_USE_SEALING 0x80
KerMinT:	MinTicketAge	minimum time period, in hours, that a user's ticket-granting ticket (TGT) can be used for Kerberos authentication before a request can be made to renew the ticket
KerMaxT:	MaxTicketAge	maximum amount of time (in hours) that a user's ticket-granting ticket (TGT) may be used for the purpose of Kerberos authentication. When a user's TGT expires, a new one must be requested or the existing one must be renewed
KerMaxR:	MaxRenewAge	time period, in days, during which a user's ticket-granting ticket (TGT) can be renewed for purposes of Kerberos authentication
KerProxy:	ProxyLifetime	unknown.  If you have information to share on this field please start a discussion!
KerLogoff:	ForceLogoff	MSDN: "Used in computing the kick off time in SamIGetAccountRestrictions. Logoff time minus Force Log off equals kick off time"

Supercharger Enterprise

Load Balancing for Windows Event Collection

 

Mini-Seminars Covering Event ID 4713 Building a Security Dashboard for Your Senior Executives Monitoring Active Directory Changes for Compliance: Top 32 Security Events IDs to Watch and What They Mean

 

Upcoming Webinars Assessing the Security of Your Active Directory: User Accounts Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy