ColumbiaMarketing
asked on
Microsoft Windows Security Event ID 4771: Kerberos pre-authentication failed
I have an SBS 2011 Standard domain controller and I have noticed a lot of audit failures lately that don't make a whole lot of sense to me. This is the Event ID:
Kerberos pre-authentication failed.
Account Information:
Security ID: DOMAIN\SERVER$
Account Name: SERVER$
Service Information:
Service Name: krbtgt/DOMAIN
Network Information:
Client Address: ::1
Client Port: 0
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
It seems like this audit failure is referring to the SBS server itself since the 'Client Address' is always ::1. What would be failing the authentication check on the SBS server since the Account Name points to itself?
Any information is appreciated.
ASKER
That's the odd part, I haven't installed any software or changed any settings lately at all. The only update that I might suspect is Update Rollup 4 that was just released for SBS 2011 through Windows Update last week, which was installed along with the other security updates. I'm starting to wonder if that is what caused this because I can't seem to track down even the service that is causing this, but it doesn't seem to be causing any issues that I can tell so far.
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771
Suspecting a certain service or scheduled task having its login credentials invalidated and using a local account login. Just trying to isolate whether this is the norm or whether a certain software installation has caused such symptoms. Sometimes even an empty password may be a suspect. Have to look at this PDC and the other additional core services running.
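An added example, not part of the original thread: a Python decoder for the RFC 4120 values in the event quoted in the question, which also flags a machine account failing from a loopback address. The sample fields are copied from that event; the lookup tables are a subset of the RFC assignments, and the function names are illustrative.

```python
import re

# Fields copied from the event quoted in the question.
SAMPLE_EVENT = """\
Account Name: SERVER$
Client Address: ::1
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
"""
# KDCOptions flags, RFC 4120 section 5.4.1; bit 0 is the most significant bit.
KDC_OPTIONS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
               5: "allow-postdate", 6: "postdated", 8: "renewable",
               15: "canonicalize (RFC 6806)", 26: "disable-transited-check",
               27: "renewable-ok", 28: "enc-tkt-in-skey", 30: "renew",
               31: "validate"}
# Subsets of the RFC 4120 error codes and pre-authentication data types.
FAILURE_CODES = {0x12: "KDC_ERR_CLIENT_REVOKED", 0x17: "KDC_ERR_KEY_EXPIRED",
                 0x18: "KDC_ERR_PREAUTH_FAILED", 0x25: "KRB_AP_ERR_SKEW"}
PREAUTH_TYPES = {2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO",
                 16: "PA-PK-AS-REQ", 19: "PA-ETYPE-INFO2"}
LOOPBACK = {"::1", "127.0.0.1", "::ffff:127.0.0.1"}

def parse_fields(text):
    """Turn 'Name: value' lines of the event description into a dict."""
    pairs = re.findall(r"^\s*([^:\n]+):[ \t]*(.*)$", text, re.M)
    return {name: value.strip() for name, value in pairs}

def num_field(fields, name, base):
    """Field as int, or None when absent or non-numeric (damaged ticket)."""
    try:
        return int(fields.get(name, ""), base)
    except ValueError:
        return None

def decode_4771(text):
    """Decode one 4771 description into names an analyst can triage on."""
    f = parse_fields(text)
    options = num_field(f, "Ticket Options", 16) or 0
    code = num_field(f, "Failure Code", 16)
    patype = num_field(f, "Pre-Authentication Type", 10)
    return {
        "machine_account": f.get("Account Name", "").endswith("$"),
        "local_to_dc": f.get("Client Address", "") in LOOPBACK,
        "failure": FAILURE_CODES.get(code, f"unknown ({code})"),
        "preauth": PREAUTH_TYPES.get(patype, f"unknown ({patype})"),
        "options": [name for bit, name in sorted(KDC_OPTIONS.items())
                    if options & (1 << (31 - bit))],
    }
```

For the quoted event this yields KDC_ERR_PREAUTH_FAILED with PA-ENC-TIMESTAMP for a machine account on a loopback address, meaning the request originated on the domain controller itself.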