Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Microsoft Windows Security Event ID 4771: Kerberos pre-authentication failed

Posted on 2013-11-18
3
Medium Priority
?
18,225 Views
Last Modified: 2014-12-23
I have an SBS 2011 Standard domain controller and I have noticed a lot of audit failures lately that doesn't make a whole lot of sense to me.  This is the Event ID:

Kerberos pre-authentication failed.

Account Information:
      Security ID:            DOMAIN\SERVER$
      Account Name:            SERVER$

Service Information:
      Service Name:            krbtgt/DOMAIN

Network Information:
      Client Address:            ::1
      Client Port:            0

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x18
      Pre-Authentication Type:      2

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:       
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.


It seems like this audit failure is referring to the SBS server itself since the 'Client Address' is always ::1.  What would be failing the authentication check on the SBS server since the Account Name points to itself?

Any information is appreciated.
0
Comment
Question by:ColumbiaMarketing
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 65

Expert Comment

by:btan
ID: 39658739
Based from the event on the failure code,  it may be due to bad password
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771

Suspecting certain service or scheduled task having the login credentials invalidated and using local account login. Just trying to isolate if this is norm or after certain installation of software has caused such symptoms. Sometimes even empty password maybe a suspect. Hace to looksbat this PDC other additional core service running
0
 

Author Comment

by:ColumbiaMarketing
ID: 39661113
That's the odd part, I haven't installed any software or changed any settings lately at all.  The only update that I might suspect is Update Rollup 4 that was just released for SBS 2011 through Windows Update last week, which was installed along with the other security updates.  I'm starting to wonder if that is what caused this because I can't seem to track down even the service that is causing this, but it doesn't seem to be causing any issues that I can tell so far.
0
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 39661363
Will be tough to validate and probably need to trace back event log to see such occurence prior and after the roll up patch period. Client address with ::1 is indicative of local machine and in ths case, your PDC.

There is one instance in public sharing that such symptom can be due to server being a DHCP server. Under the IPv4 properties, the DNS dynamic updates registration credentials had the administrative account saved with the wrong password. Changing the saved password seems to have corrected my issues.

Not sure if that applies but likely it has to do with some "newly" added service on account that is having the wrong password. Probably one means to isolate is by disabling services to see if such 4771 still persists and at least eventually the service(s) can be identified.  

Also we may want to see if there are prior event such as below on who has last login and probably that can give some hints or leads for more questioning.

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768
2

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What we learned in Webroot's webinar on multi-vector protection.
A new hacking trick has emerged leveraging your own helpdesk or support ticketing tools as an easy way to distribute malware.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question