Windows Security Log Event ID 4769
Operating Systems | Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10; Windows Server 2019 and 2022; Windows Server 2025 |
Category • Subcategory | Account Logon • Kerberos Service Ticket Operations |
Type | Success, Failure |
Corresponding events in Windows 2003 and before | 673 |
4769: A Kerberos service ticket was requested
Windows uses this event ID for both successful and failed service ticket requests. If it is a failure event, see Failure Code below.
Whereas event ID 4768 lets you track initial logons through the granting of TGTs, this lets you monitor the granting of service tickets. Service tickets are obtained whenever a user or computer accesses a server on the network. For example, when a user maps a drive to a file server, the resulting service ticket request generates event ID 4769 on the DC.
Result codes:
Result code | Kerberos RFC description | Notes on common failure codes |
0x1 | Client's entry in database has expired | |
0x2 | Server's entry in database has expired | |
0x3 | Requested protocol version # not supported | |
0x4 | Client's key encrypted in old master key | |
0x5 | Server's key encrypted in old master key | |
0x6 | Client not found in Kerberos database | Bad user name, or new computer/user account has not replicated to DC yet |
0x7 | Server not found in Kerberos database | New computer account has not replicated yet or computer is pre-w2k |
0x8 | Multiple principal entries in database | |
0x9 | The client or server has a null key | administrator should reset the password on the account |
0xA | Ticket not eligible for postdating | |
0xB | Requested start time is later than end time | |
0xC | KDC policy rejects request | Workstation restriction |
0xD | KDC cannot accommodate requested option | |
0xE | KDC has no support for encryption type | |
0xF | KDC has no support for checksum type | |
0x10 | KDC has no support for padata type | |
0x11 | KDC has no support for transited type | |
0x12 | Clients credentials have been revoked | Account disabled, expired, locked out, logon hours. |
0x13 | Credentials for server have been revoked | |
0x14 | TGT has been revoked | |
0x15 | Client not yet valid - try again later | |
0x16 | Server not yet valid - try again later | |
0x17 | Password has expired | The user’s password has expired. |
0x18 | Pre-authentication information was invalid | Usually means bad password |
0x19 | Additional pre-authentication required* | |
0x1F | Integrity check on decrypted field failed | |
0x20 | Ticket expired | Frequently logged by computer accounts |
0x21 | Ticket not yet valid | |
0x22 | Request is a replay | |
0x23 | The ticket isn't for us | |
0x24 | Ticket and authenticator don't match | |
0x25 | Clock skew too great | Workstation’s clock too far out of sync with the DC’s |
0x26 | Incorrect net address | IP address change? |
0x27 | Protocol version mismatch | |
0x28 | Invalid msg type | |
0x29 | Message stream modified | |
0x2A | Message out of order | |
0x2C | Specified version of key is not available | |
0x2D | Service key not available | |
0x2E | Mutual authentication failed | may be a memory allocation failure |
0x2F | Incorrect message direction | |
0x30 | Alternative authentication method required* | |
0x31 | Incorrect sequence number in message | |
0x32 | Inappropriate type of checksum in message | |
0x3C | Generic error (description in e-text) | |
0x3D | Field is too long for this implementation | |
Account Information:
- Account Name: logon name of the account that just requested the ticket
- Supplied Realm Name: domain name of the account
- User ID: SID of the account
- MSDS-SupportedEncryptionTypes:
- Available Keys:
Service Information:
- Service Name: the account name of the computer or service the user is requesting the ticket for
- Service ID: SID of the computer or service
- MSDS-SupportedEncryptionTypes:
- Available Keys:
Domain Controller Information:
- MSDS-SupportedEncryptionTypes:
- Available Keys:
Network Information:
- Client Address: IP address where user is present
- Client Port: source port
- Advertized Etypes:
Additional Information:
- Ticket Options: unknown. Please start a discussion if you have information to share on this field.
- Ticket Encryption Type: unknown. Please start a discussion if you have information to share on this field.
- Session Encryption Type:
- Failure Code: error if any - see table above
- Transited Services: indicates which intermediate services have participated in this logon request
Ticket Information:
- Request ticket hash
- Response ticket hash
A Kerberos service ticket was requested.
Account Information:
Account Name: bob@ACME.COM
Account Domain: ACME.COM
Logon GUID: {4a5cfd43-84a6-c32e-b6a3-b634f57eafe7}
MSDS-SupportedEncryptionTypes:
Available Keys:
Service Information:
Service Name: WIN-PY3ZJZTXPIL$
Service ID: ACME\WIN-PY3ZJZTXPIL$
MSDS-SupportedEncryptionTypes:
Available Keys:
Domain Controller Information:
MSDS-SupportedEncryptionTypes:
Available Keys:
Network Information:
Client Address: ::ffff:10.42.42.224
Client Port: 50979
Advertized Etypes:
Additional Information:
Ticket Options: 0x40810000
Ticket Encryption Type: 0x12
Session Encryption Type:
Failure Code: 0x0
Transited Services: -
Ticket Information:
Request ticket hash: -
Response ticket hash: -
This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in RFC 4120.
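The decoding described above, as an added example that is not part of the original page: a Python parser for the event description that maps Failure Code through this page's table, expands Ticket Options into RFC 4120 KDCOptions flag names, names the ticket encryption type, and unwraps the IPv4-mapped client address. The function name `parse_4769`, the etype names (taken from the IANA Kerberos registry) and the trimmed copy of the sample event are assumptions of this example.

```python
import ipaddress

# Result codes copied from the table on this page (subset).
FAILURE_CODES = {0x6: "Client not found in Kerberos database",
                 0x7: "Server not found in Kerberos database",
                 0x12: "Clients credentials have been revoked",
                 0x17: "Password has expired",
                 0x20: "Ticket expired",
                 0x25: "Clock skew too great"}
# KDCOptions flags from RFC 4120; bit 0 is the most significant of 32 bits.
KDC_OPTIONS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
               8: "renewable", 15: "canonicalize", 27: "renewable-ok",
               28: "enc-tkt-in-skey", 30: "renew", 31: "validate"}
# Kerberos encryption type numbers (IANA registry).
ETYPES = {0x11: "aes128-cts-hmac-sha1-96", 0x12: "aes256-cts-hmac-sha1-96",
          0x17: "rc4-hmac"}

def parse_4769(message):
    """Decode the 'Name: value' lines of a 4769 event description."""
    fields = {}
    for line in message.splitlines():
        key, _, value = line.strip().partition(":")
        if value.strip():                      # skip section headers and empty fields
            fields[key.strip()] = value.strip()
    code = int(fields["Failure Code"], 16)
    opts = int(fields["Ticket Options"], 16)
    etype = int(fields["Ticket Encryption Type"], 16)
    addr = ipaddress.ip_address(fields["Client Address"])
    if addr.version == 6 and addr.ipv4_mapped:  # ::ffff:a.b.c.d -> a.b.c.d
        addr = addr.ipv4_mapped
    return {"account": fields["Account Name"],
            "service": fields["Service Name"],
            "logon_guid": fields.get("Logon GUID"),  # join key to the logon event
            "client": str(addr),
            "failure": FAILURE_CODES.get(code, hex(code)) if code else None,
            "options": [n for b, n in KDC_OPTIONS.items() if opts >> (31 - b) & 1],
            "etype": ETYPES.get(etype, hex(etype))}

# The sample event from this page, trimmed to the populated fields.
SAMPLE = """A Kerberos service ticket was requested.
Account Name: bob@ACME.COM
Service Name: WIN-PY3ZJZTXPIL$
Logon GUID: {4a5cfd43-84a6-c32e-b6a3-b634f57eafe7}
Client Address: ::ffff:10.42.42.224
Ticket Options: 0x40810000
Ticket Encryption Type: 0x12
Failure Code: 0x0"""

if __name__ == "__main__":
    print(parse_4769(SAMPLE))
```

Codes missing from the subset tables are returned as their hex string, so unusual values stay visible for review instead of being dropped.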