Solved

Microsoft Windows Security Event ID 4771: Kerberos pre-authentication failed

Posted on 2013-11-18
Last Modified: 2014-12-23
I have an SBS 2011 Standard domain controller and I have noticed a lot of audit failures lately that don't make a whole lot of sense to me. This is the Event ID:

Kerberos pre-authentication failed.

Account Information:
      Security ID:            DOMAIN\SERVER$
      Account Name:            SERVER$

Service Information:
      Service Name:            krbtgt/DOMAIN

Network Information:
      Client Address:            ::1
      Client Port:            0

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x18
      Pre-Authentication Type:      2

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:       
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.


It seems like this audit failure is referring to the SBS server itself since the 'Client Address' is always ::1.  What would be failing the authentication check on the SBS server since the Account Name points to itself?

Any information is appreciated.
Question by:ColumbiaMarketing
LVL 63

Expert Comment

by:btan
ID: 39658739
Based on the failure code in the event, it may be due to a bad password:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771

Suspecting a certain service or scheduled task having its login credentials invalidated and using a local account login. Just trying to isolate whether this is the norm or whether a certain software installation has caused such symptoms. Sometimes even an empty password may be a suspect. Have to look at the other additional core services running on this PDC.

Author Comment

by:ColumbiaMarketing
ID: 39661113
That's the odd part, I haven't installed any software or changed any settings lately at all.  The only update that I might suspect is Update Rollup 4 that was just released for SBS 2011 through Windows Update last week, which was installed along with the other security updates.  I'm starting to wonder if that is what caused this because I can't seem to track down even the service that is causing this, but it doesn't seem to be causing any issues that I can tell so far.
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 39661363
Will be tough to validate and probably need to trace back the event log to see such occurrences prior to and after the rollup patch period. A client address of ::1 is indicative of the local machine and, in this case, your PDC.

There is one instance in public sharing that such symptom can be due to server being a DHCP server. Under the IPv4 properties, the DNS dynamic updates registration credentials had the administrative account saved with the wrong password. Changing the saved password seems to have corrected my issues.

Not sure if that applies but likely it has to do with some "newly" added service on account that is having the wrong password. Probably one means to isolate is by disabling services to see if such 4771 still persists and at least eventually the service(s) can be identified.  

Also we may want to see if there are prior events such as the one below showing who last logged in; that can probably give some hints or leads for more questioning.

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768
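
As an added example (not part of the original thread), the triage the replies point toward can be scripted: decode the failure code, then count 4771 failures per account and client address to see which ones originate on the domain controller itself. The field labels come from the event text in the question; the second account, its address and the helper names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Subset of the RFC 4120 error codes that event 4771 reports as "Failure Code".
FAILURE_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x25: "KRB_AP_ERR_SKEW",
}
FIELD = re.compile(r"^\s*(Account Name|Client Address|Failure Code):\s*(\S+)\s*$", re.M)

def parse_4771(text):
    """Pull account, client address and failure code out of one event's message text."""
    f = dict(FIELD.findall(text))
    addr = ipaddress.ip_address(f["Client Address"])
    if addr.version == 6 and addr.ipv4_mapped:      # e.g. ::ffff:192.168.1.50
        addr = addr.ipv4_mapped
    code = int(f["Failure Code"], 16)
    return {
        "account": f["Account Name"],
        "client": str(addr),
        "code": FAILURE_CODES.get(code, hex(code)),
        # Loopback means the request was made on the domain controller itself.
        "local_to_dc": addr.is_loopback,
    }

def summarize(event_texts):
    """Count failures per (account, client, code, local_to_dc), most frequent first."""
    rows = (parse_4771(t) for t in event_texts)
    return Counter((r["account"], r["client"], r["code"], r["local_to_dc"])
                   for r in rows).most_common()

# Constructed sample input, laid out like the event text in the question.
def sample(account, client, code):
    return (f"Account Information:\n      Account Name:            {account}\n"
            f"Network Information:\n      Client Address:            {client}\n"
            f"Additional Information:\n      Failure Code:            {code}\n")

EVENTS = [sample("SERVER$", "::1", "0x18"), sample("SERVER$", "::1", "0x18"),
          sample("jdoe", "::ffff:192.168.1.50", "0x12")]

if __name__ == "__main__":
    for (account, client, code, local), n in summarize(EVENTS):
        origin = "on the DC itself" if local else "from the network"
        print(f"{n:3d}  {account:10s} {client:15s} {code:24s} {origin}")
```

Running the same summary over events exported from before and after a patch window shows whether a given account and source pair started failing at that point.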