Solved

Microsoft Windows Security Event ID 4771: Kerberos pre-authentication failed

Posted on 2013-11-18
Last Modified: 2014-12-23
I have an SBS 2011 Standard domain controller and I have noticed a lot of audit failures lately that don't make a whole lot of sense to me. This is the Event ID:

Kerberos pre-authentication failed.

Account Information:
      Security ID:            DOMAIN\SERVER$
      Account Name:            SERVER$

Service Information:
      Service Name:            krbtgt/DOMAIN

Network Information:
      Client Address:            ::1
      Client Port:            0

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x18
      Pre-Authentication Type:      2

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:       
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.


It seems like this audit failure is referring to the SBS server itself since the 'Client Address' is always ::1.  What would be failing the authentication check on the SBS server since the Account Name points to itself?

Any information is appreciated.
Question by:ColumbiaMarketing
3 Comments
 
LVL 64

Expert Comment

by:btan
ID: 39658739
Based on the failure code in the event, it may be due to a bad password.
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771

I suspect a certain service or scheduled task has had its login credentials invalidated and is using a local account login. Just trying to isolate whether this is the norm or whether a certain software installation has caused such symptoms. Sometimes even an empty password may be a suspect. Have to look at this PDC's other additional core services running.
 

Author Comment

by:ColumbiaMarketing
ID: 39661113
That's the odd part, I haven't installed any software or changed any settings lately at all.  The only update that I might suspect is Update Rollup 4 that was just released for SBS 2011 through Windows Update last week, which was installed along with the other security updates.  I'm starting to wonder if that is what caused this because I can't seem to track down even the service that is causing this, but it doesn't seem to be causing any issues that I can tell so far.
 
LVL 64

Accepted Solution

by:btan
ID: 39661363
It will be tough to validate, and you will probably need to trace back through the event log to see such occurrences before and after the rollup patch period. A client address of ::1 is indicative of the local machine, in this case your PDC.

There is one publicly shared instance where such a symptom can be due to the server being a DHCP server. Under the IPv4 properties, the DNS dynamic updates registration credentials had the administrative account saved with the wrong password. Changing the saved password seems to have corrected my issues.

Not sure if that applies, but likely it has to do with some "newly" added service on an account that has the wrong password. Probably one way to isolate it is to disable services to see whether the 4771 events still persist, so that eventually the service(s) can be identified.

Also, we may want to see if there are prior events such as the one below showing who last logged in; that can probably give some hints or leads for more questioning.

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768
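
The fields of the event in the question, decoded against the RFC 4120 tables that the event text refers to (failure code, pre-authentication type, ticket options, client address). This is an added example, not part of the original thread; the lookup tables are subsets, and the function names `parse_event` and `decode` are hypothetical.

```python
import ipaddress
import re

# Subsets of the RFC 4120 tables that the event text points to.
FAILURE_CODES = {0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x12: "KDC_ERR_CLIENT_REVOKED",
                 0x17: "KDC_ERR_KEY_EXPIRED", 0x18: "KDC_ERR_PREAUTH_FAILED",
                 0x25: "KRB_AP_ERR_SKEW"}
PREAUTH_TYPES = {2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 19: "PA-ETYPE-INFO2"}
# KDCOptions flags; bit 0 is the MOST significant bit of the 32-bit value.
KDC_OPTIONS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
               8: "renewable", 15: "canonicalize",  # bit 15 is from RFC 6806
               27: "renewable-ok", 30: "renew", 31: "validate"}

# The event from the question, trimmed to the fields decoded here.
SAMPLE = r"""
Account Information:
      Security ID:            DOMAIN\SERVER$
      Account Name:            SERVER$
Network Information:
      Client Address:            ::1
Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x18
      Pre-Authentication Type:      2
"""

def parse_event(text):
    """Collect 'Name: value' lines; section headers have no value and are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z -]*):\s*(\S.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def decode(fields):
    """Translate the numeric fields of a 4771 event into their RFC names."""
    opts = int(fields["Ticket Options"], 16)
    code = int(fields["Failure Code"], 16)
    ptype = int(fields["Pre-Authentication Type"])
    addr = ipaddress.ip_address(fields["Client Address"])
    addr = getattr(addr, "ipv4_mapped", None) or addr  # unwrap ::ffff:a.b.c.d
    return {
        "machine_account": fields["Account Name"].endswith("$"),
        "failure": FAILURE_CODES.get(code, hex(code)),
        "preauth": PREAUTH_TYPES.get(ptype, str(ptype)),
        "options": [n for b, n in sorted(KDC_OPTIONS.items()) if opts & (1 << (31 - b))],
        "local_origin": addr.is_loopback,  # True for ::1, i.e. the DC itself
    }
```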