Solved

Microsoft Windows Security Event ID 4771: Kerberos pre-authentication failed

Posted on 2013-11-18
Last Modified: 2014-12-23
I have an SBS 2011 Standard domain controller and I have noticed a lot of audit failures lately that don't make a whole lot of sense to me.  This is the Event ID:

Kerberos pre-authentication failed.

Account Information:
      Security ID:            DOMAIN\SERVER$
      Account Name:            SERVER$

Service Information:
      Service Name:            krbtgt/DOMAIN

Network Information:
      Client Address:            ::1
      Client Port:            0

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x18
      Pre-Authentication Type:      2

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:       
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.


It seems like this audit failure is referring to the SBS server itself since the 'Client Address' is always ::1.  What would be failing the authentication check on the SBS server since the Account Name points to itself?

Any information is appreciated.
0
Question by:ColumbiaMarketing
3 Comments
 
LVL 63

Expert Comment

by:btan
ID: 39658739
Based on the failure code in the event, it may be due to a bad password
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771

Suspecting a certain service or scheduled task has had its login credentials invalidated and is using a local account login. Just trying to isolate whether this is the norm or whether a certain software installation has caused such symptoms. Sometimes even an empty password may be a suspect. Have to look at the other additional core services running on this PDC.
0
 

Author Comment

by:ColumbiaMarketing
ID: 39661113
That's the odd part, I haven't installed any software or changed any settings lately at all.  The only update that I might suspect is Update Rollup 4 that was just released for SBS 2011 through Windows Update last week, which was installed along with the other security updates.  I'm starting to wonder if that is what caused this because I can't seem to track down even the service that is causing this, but it doesn't seem to be causing any issues that I can tell so far.
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 39661363
It will be tough to validate, and you will probably need to trace back through the event log to see such occurrences before and after the rollup patch period. A client address of ::1 is indicative of the local machine and, in this case, your PDC.

There is one publicly shared instance where such a symptom can be due to the server being a DHCP server. Under the IPv4 properties, the DNS dynamic updates registration credentials had the administrative account saved with the wrong password. Changing the saved password seems to have corrected my issues.

Not sure if that applies, but it likely has to do with some "newly" added service running under an account that has the wrong password. Probably one means to isolate it is by disabling services to see if such 4771 events still persist, so that at least eventually the service(s) can be identified.

Also, we may want to see if there are prior events such as the one below showing who last logged in; that can probably give some hints or leads for more questioning.

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768
2
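
The checks suggested in the accepted answer (compare 4771 failures before and after the patch, look at loopback sources, and review related 4768 events), written out as an added example that is not part of the original thread. The patch date is a placeholder, and the field names (TargetUserName, IpAddress, Status) are assumed to be the XML data names these events carry on the domain controller.

```powershell
# Added example: summarise Kerberos failures (4771) and TGT requests (4768).
# Run in an elevated PowerShell session on the domain controller.
$PatchDate = Get-Date '2013-01-01'   # PLACEHOLDER: date the rollup was installed
$Since     = $PatchDate.AddDays(-14) # assumption: two weeks of history is enough
# RFC 4120 error codes as they appear in the Failure Code / Result Code field
$CodeText = @{
    '0x0'  = 'success'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (wrong password)'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew too great)'
}
$Loopback = '::1', '127.0.0.1', '::ffff:127.0.0.1'

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4768, 4771; StartTime = $Since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read the named fields from the event XML rather than parsing message text
    $f = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    $code = [string]$f['Status']
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Period  = $(if ($e.TimeCreated -lt $PatchDate) { 'before' } else { 'after' })
        Account = $f['TargetUserName']
        Client  = $f['IpAddress']
        Code    = $code
        Meaning = $CodeText[$code]
        Local   = $Loopback -contains $f['IpAddress']
    }
}

# Failure counts per account, source address and code, before vs. after the patch
$rows | Where-Object { $_.EventId -eq 4771 } |
    Group-Object Period, Account, Client, Code |
    Sort-Object Count -Descending | Select-Object Count, Name

# Hourly counts of loopback failures: a fixed interval suggests a service or
# scheduled task on the DC retrying a stale password
$rows | Where-Object { $_.EventId -eq 4771 -and $_.Local } |
    Group-Object { $_.Time.ToString('yyyy-MM-dd HH:00') } | Select-Object Name, Count

# Most recent successful TGT requests (4768) for the accounts that are failing
$failing = $rows | Where-Object { $_.EventId -eq 4771 } | ForEach-Object { $_.Account } | Sort-Object -Unique
$rows | Where-Object { $_.EventId -eq 4768 -and $_.Code -eq '0x0' -and $failing -contains $_.Account } |
    Sort-Object Time -Descending | Select-Object -First 10 Time, Account, Client
```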
