Hello,
I'm receiving many event IDs for 4771 on several domain controllers, where I'm getting the below information with many authentication failures, but the user accounts are not getting locked out when the default domain policy is set to lock out after 3 unsuccessful attempts. Any thoughts? Thanks
4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Thu Dec 27 20:26:01 2012,No User,Kerberos pre-authentication failed. Account Information: Security ID: S-1-5-21-2094812614-1962491401-1202159320-115256 Account Name: bvn0412 Service Information: Service Name: krbtgt/domain.COM Network Information: Client Address: ::ffff:10.12.104.105 Client Port: 62426 Additional Information: Ticket Options: 0x40810010 Failure Code: 0x18 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options and failure codes are defined in RFC 4120. If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Are your default settings set to a short grace period?
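A triage sketch for the 4771 lines quoted in the question, added here as an example and not posted by anyone in the thread: it parses the flattened export format, decodes the RFC 4120 failure code (0x18 is KDC_ERR_PREAUTH_FAILED), and lists accounts whose bad-password failures reach the lockout threshold inside one counter window. The 30-minute window, the constructed sample lines and the names user2 and user3 are assumptions; set `threshold` and `window` to the domain's actual lockout policy values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# RFC 4120 error codes often seen in the Failure Code field of event 4771
CODES = {0x12: "KDC_ERR_CLIENT_REVOKED", 0x17: "KDC_ERR_KEY_EXPIRED",
         0x18: "KDC_ERR_PREAUTH_FAILED", 0x25: "KRB_AP_ERR_SKEW"}
FIELD = re.compile(r"(Account Name|Client Address|Failure Code):\s*(\S+)")
STAMP = re.compile(r"[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}")

def parse_4771(line):
    """Parse one flattened 4771 export line; return None for anything else."""
    stamp, f = STAMP.search(line), dict(FIELD.findall(line))
    if not line.startswith("4771,") or stamp is None or len(f) < 3:
        return None
    code = int(f["Failure Code"], 16)
    return {"time": datetime.strptime(stamp.group(), "%a %b %d %H:%M:%S %Y"),
            "account": f["Account Name"].lower(), "code": CODES.get(code, hex(code)),
            "client": f["Client Address"].split("::ffff:")[-1]}  # unwrap IPv4-mapped form

def over_threshold(lines, threshold=3, window=timedelta(minutes=30)):
    """Accounts with >= threshold 0x18 failures in one window -> all their client addresses."""
    per_account = defaultdict(list)
    for ev in filter(None, map(parse_4771, lines)):
        if ev["code"] == "KDC_ERR_PREAUTH_FAILED":
            per_account[ev["account"]].append(ev)
    flagged = {}
    for account, evs in per_account.items():
        evs.sort(key=lambda e: e["time"])
        if any(evs[i + threshold - 1]["time"] - evs[i]["time"] <= window
               for i in range(len(evs) - threshold + 1)):
            flagged[account] = sorted({e["client"] for e in evs})
    return flagged

# Constructed sample lines in the layout of the event quoted above (trailing text trimmed)
TEMPLATE = ("4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,{},No User,Kerberos pre-authentication "
            "failed. Account Information: Account Name: {} Network Information: Client Address: ::ffff:{} "
            "Client Port: 62426 Additional Information: Failure Code: {} Pre-Authentication Type: 2")
SAMPLE = [TEMPLATE.format(*row) for row in [
    ("Thu Dec 27 20:26:01 2012", "bvn0412", "10.12.104.105", "0x18"),
    ("Thu Dec 27 20:26:05 2012", "bvn0412", "10.12.104.105", "0x18"),
    ("Thu Dec 27 20:27:10 2012", "bvn0412", "10.12.104.105", "0x18"),
    ("Thu Dec 27 20:00:00 2012", "user2", "10.0.0.7", "0x18"),   # two failures,
    ("Thu Dec 27 21:30:00 2012", "user2", "10.0.0.7", "0x18"),   # 90 minutes apart
    ("Thu Dec 27 20:30:00 2012", "user3", "10.0.0.8", "0x25"),   # clock skew, not a bad password
]]

if __name__ == "__main__":
    print(over_threshold(SAMPLE))
```

Because the events in the question are spread over several domain controllers, merge the exports from all of them before running the count.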