Solved

Microsoft Windows Security Event ID 4771: Kerberos pre-authentication failed

Posted on 2013-11-18
Last Modified: 2014-12-23
I have an SBS 2011 Standard domain controller and I have noticed a lot of audit failures lately that don't make a whole lot of sense to me.  This is the Event ID:

Kerberos pre-authentication failed.

Account Information:
      Security ID:            DOMAIN\SERVER$
      Account Name:            SERVER$

Service Information:
      Service Name:            krbtgt/DOMAIN

Network Information:
      Client Address:            ::1
      Client Port:            0

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x18
      Pre-Authentication Type:      2

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:       
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.


It seems like this audit failure is referring to the SBS server itself since the 'Client Address' is always ::1.  What would be failing the authentication check on the SBS server since the Account Name points to itself?

Any information is appreciated.
0
Question by:ColumbiaMarketing
 
LVL 61

Expert Comment

by:btan
ID: 39658739
Based on the failure code in the event, it may be due to a bad password
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771

Suspecting a certain service or scheduled task has had its login credentials invalidated and is using a local account login. Just trying to isolate whether this is the norm or whether a certain software installation has caused such symptoms. Sometimes even an empty password may be a suspect. Have to look at the other additional core services running on this PDC.
0
 

Author Comment

by:ColumbiaMarketing
ID: 39661113
That's the odd part, I haven't installed any software or changed any settings lately at all.  The only update that I might suspect is Update Rollup 4 that was just released for SBS 2011 through Windows Update last week, which was installed along with the other security updates.  I'm starting to wonder if that is what caused this because I can't seem to track down even the service that is causing this, but it doesn't seem to be causing any issues that I can tell so far.
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 39661363
It will be tough to validate, and you will probably need to trace back through the event log to see such occurrences before and after the rollup patch period. A client address of ::1 is indicative of the local machine and, in this case, your PDC.

There is one instance shared publicly where such a symptom was due to the server being a DHCP server. Under the IPv4 properties, the DNS dynamic updates registration credentials had the administrative account saved with the wrong password. Changing the saved password seems to have corrected my issues.

Not sure if that applies, but likely it has to do with some "newly" added service on an account that has the wrong password. Probably one means to isolate it is by disabling services to see if the 4771 events still persist, so that eventually the service(s) can be identified.

Also, we may want to see if there are prior events such as the one below showing who last logged in; that can probably give some hints or leads for more questioning.

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768
2
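The numeric fields of the 4771 event decoded with their RFC 4120 names, plus the before/after count the accepted answer suggests, as an added example that is not part of the original thread. The sample event reuses the field values from the question; the dates, the cutoff and all function names are assumptions made for illustration.

```python
from collections import Counter
from datetime import date

# Subsets of the RFC 4120 values that event 4771 reports as bare numbers.
FAILURE_CODES = {0x12: "KDC_ERR_CLIENT_REVOKED", 0x17: "KDC_ERR_KEY_EXPIRED",
                 0x18: "KDC_ERR_PREAUTH_FAILED", 0x25: "KRB_AP_ERR_SKEW"}
PREAUTH_TYPES = {2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 19: "PA-ETYPE-INFO2"}
# KDCOptions flag numbers; flag 0 is the most significant of the 32 bits.
# Flag 15 is the one RFC 4120 reserves for canonicalize.
KDC_OPTIONS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
               8: "renewable", 15: "canonicalize", 27: "renewable-ok",
               28: "enc-tkt-in-skey", 30: "renew", 31: "validate"}
LOOPBACK = {"::1", "127.0.0.1"}

def parse_event(text):
    """Turn the 'Label:   value' lines of a rendered 4771 event into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split at the first colon only
        if sep and value.strip():              # skip section titles and empty fields
            fields[key.strip()] = value.strip()
    return fields

def decode(fields):
    """Replace the numeric fields with names and flag loopback clients."""
    opts = int(fields["Ticket Options"], 16)
    code = int(fields["Failure Code"], 16)
    pa = fields["Pre-Authentication Type"]
    return {
        "account": fields["Account Name"],
        "failure": FAILURE_CODES.get(code, hex(code)),
        "preauth": PREAUTH_TYPES.get(int(pa), pa) if pa.isdigit() else pa,
        "options": [n for b, n in sorted(KDC_OPTIONS.items()) if opts & (1 << (31 - b))],
        "from_dc_itself": fields["Client Address"] in LOOPBACK,
    }

def tally(dated_events, cutoff):
    """Count (account, failure) pairs before and on/after a cutoff date."""
    before, after = Counter(), Counter()
    for day, text in dated_events:
        d = decode(parse_event(text))
        (before if day < cutoff else after)[(d["account"], d["failure"])] += 1
    return before, after

# Constructed sample: field values from the question, dates made up.
EVENT = """      Account Name:            SERVER$
      Client Address:            ::1
      Ticket Options:            0x40810010
      Failure Code:            0x18
      Pre-Authentication Type:      2"""
SAMPLE = [(date(2013, 11, 5), EVENT), (date(2013, 11, 14), EVENT), (date(2013, 11, 15), EVENT)]
```

A machine account that only starts appearing in the "after" counter, always from a loopback client address, points at something running on the domain controller itself rather than at a remote host.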
