Solved

Event ID 4771 Kerberos Pre-Authentication Errors

Posted on 2016-10-18
2
47 Views
Last Modified: 2016-11-28
I am getting a lot of 4771 Kerberos Pre-authentication failed errors.
How can I stop them from occurring?

Thanks
0
Comment
Question by:splitrockit
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
2 Comments
 
LVL 11

Expert Comment

by:loftyworm
ID: 41848918
Can you post some of the events?

It all depends on what is causing it.
0
 
LVL 11

Accepted Solution

by:
loftyworm earned 500 total points
ID: 41848924
I found this to help you look in the event better
"
This event is logged on domain controllers only and only failure instances of this event are logged.

At the beginning of the day when a user sits down at his or her workstation and enters his domain username and password, the workstation contacts a local DC and requests a TGT. If the username and password are correct and the user account passes status and restriction checks, the DC grants the TGT and logs event ID  4768 (authentication ticket granted).  

If the ticket request fails Windows will either log this event, failure 4771, or 4768 if the problem arose during "pre-authentication".  In Windows Kerberos, password verification takes place during pre-authentication.

The User field for this event (and all other events in the Audit account logon event category) doesn't help you determine who the user was; the field always reads N/A. Rather look at the Account Information: fields, which identify the user who logged on and the user account's DNS suffix. The User ID field provides the SID of the account.

Windows logs other instances of event ID 4768 when a computer in the domain needs to authenticate to the DC typically when a workstation boots up or a server restarts. In these instances, you'll find a computer name in the User Name and fields. Computer generated kerberos events are always identifiable by the $ after the computer account's name.
"

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4771
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In my previous 24 VMware Articles (http://www.experts-exchange.com/ARTH_1864316.html?arthOrderBy=3&arthSort=1#arth), most featured Intermediate VMware Topics. My next series of articles concentrated on topics for the VMware Novice;   If you would…
This article will review the basic installation and configuration for Windows Software Update Services (WSUS) in a Windows 2012 R2 environment.  WSUS is a Microsoft tool that allows administrators to manage and control updates to be approved and ins…
In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…
In this Micro Tutorial viewers will learn how to restore their server from Bare Metal Backup image created with Windows Server Backup feature. As an example Windows 2012R2 is used.

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question