Windows Security Log Event ID 672

Operating Systems Windows Server 2000
Windows 2003 and XP
CategoryAccount Logon
Type Success
Failure
Corresponding events
in Windows 2008
and Vista
4768 , 4772  

672: Authentication Ticket Granted

On this page

This event varies depending on the OS.

Win2000

This event gets logged on domain controllers only.

At the beginning of the day when a user sits down at his or her workstation and enters his domain username and password, the workstation contacts a local DC and requests a TGT. If the username and password are correct and the user account passes status and restriction checks, the DC grants the TGT and logs event ID 672 (authentication ticket granted). The User field for this event (and all other events in the Audit account logon event category) doesn't help you determine who the user was; the field always reads SYSTEM. Rather look at the User Name and Supplied Realm Name fields, which identify the user who logged on and the user account's DNS suffix. The User ID field provides the same information in NT style.

Client Address identifies the IP address of the workstation from which the user logged on.

W2k logs other instances of event ID 672 when a computer in the domain needs to authenticate to the DC typically when a workstation boots up or a server restarts. In these instances, you'll find a computer name in the User Name and User ID fields. Computer generated kerberos events are always identifiable by the $ after the computer account's name.

Win2003

This event is logged on domain controllers only and both success and failure instances of this event are logged.

At the beginning of the day when a user sits down at his or her workstation and enters his domain username and password, the workstation contacts a local DC and requests a TGT. If the username and password are correct and the user account passes status and restriction checks, the DC grants the TGT and logs event ID 672 (authentication ticket granted). The User field for this event (and all other events in the Audit account logon event category) doesn't help you determine who the user was; the field always reads SYSTEM. Rather look at the User Name and Supplied Realm Name fields, which identify the user who logged on and the user account's DNS suffix. The User ID field provides the same information in NT style.

Client Address identifies the IP address of the workstation from which the user logged on.

W2k logs other instances of event ID 672 when a computer in the domain needs to authenticate to the DC typically when a workstation boots up or a server restarts. In these instances, you'll find a computer name in the User Name and User ID fields. Computer generated kerberos events are always identifiable by the $ after the computer account's name.

In W2k failed authentication ticket requests generate event ID 676 but in W3 this event is used for both success and failed requests. The reason for the authentication failure is specified in Result Code.

Microsoft's Comments:

Does not contain any additional information if audit details from logon events 528 and 540 are already being collected. This event records that a Kerberos TGT was granted, actual access will not occur until a service ticket is granted, which is audited by Event 673. If the PATYPE is PKINIT, the logon was a smart card logon.

Free Security Log Resources by Randy

Description Fields in 672

Server 2003:

  •  User Name:  %1
  •  Supplied Realm Name: %2
  •  User ID:   %3
  •  Service Name:  %4
  •  Service ID:  %5
  •  Ticket Options:  %6
  •  Result Code:  %7
  •  Ticket Encryption Type: %8
  •  Pre-Authentication Type: %9
  •  Client Address:  %10
  •  Certificate Issuer Name: %11
  •  Certificate Serial Number: %12
  •  Certificate Thumbprint: %13

Supercharger Free Edition

 

Examples of 672

Win2000

Authentication Ticket Granted:
User Name:Administrator
Supplied Realm Name:ELMW2
User ID:ELMW2\administrator
Service Name:krbtgt
Service ID:ELMW2\krbtgt
Ticket Options:0x40810010
Ticket Encryption Type:0x17
Pre-Authentication Type:2
Client Address:127.0.0.1

Win2003

Authentication Ticket Request:
User Name:Administrator
Supplied Realm Name:elm.local
User ID:S-1-5-21-2121316058-685099279-904526279-500
Service Name:krbtgt
Service ID:ELM\krbtgt
Ticket Options:0x40810010
Result Code:-
Ticket Encryption Type:0x17
Pre-Authentication Type:2
Client Address:10.42.42.171
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources