Failed Logon attempts

Hello, I'm seeing a bunch of failed logon attempts; what's confusing me is the usernames. Rather than the normal user naming convention, first.last or first.mi.last, I'm seeing 1234567890@mil.
I assume these are users' CAC IDs, but I'm not sure why it's attempting to log in this way. I recently added the AD Certificate Services role; would this have anything to do with it?

A Kerberos authentication ticket (TGT) was requested.

Account Information:
      Account Name:            1234567890@mil
      Supplied Realm Name:      DOMAIN NAME
      User ID:                  NULL SID

Service Information:
      Service Name:            krbtgt/DOMAIN
      Service ID:            NULL SID

Network Information:
      Client Address:            ::ffff:XXX.XX.XXX.XXX
      Client Port:            7130

Additional Information:
      Ticket Options:            0x40810010
      Result Code:            0x6
      Ticket Encryption Type:      0xffffffff
      Pre-Authentication Type:      -

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:      
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
ManieyaK_CSSP Asked:

David Johnson, CD, MVP, Owner, Commented:
Account Information:
      Account Name:            1234567890@mil
      Supplied Realm Name:      DOMAIN NAME
      User ID:                  NULL SID


They didn't get a Kerberos ticket, so don't worry about it.

Use the log parser to determine if you have to block IPs:
https://www.sherweb.com/blog/using-log-parser-to-query-event-log-data/
0
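As an added example (not part of any post in this thread, and not the Log Parser tool linked above): a small Python parser for the event 4768 text shown in the question, which decodes the result code per RFC 4120 and tallies failed TGT requests by client address when the account name does not follow the first.last / first.mi.last convention. The function names, the placeholder realm and the sample addresses are assumptions made for the illustration.

```python
import re
from collections import Counter

# Subset of the Kerberos error codes defined in RFC 4120, section 7.5.9.
KRB_ERRORS = {
    0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN: client not found in Kerberos database",
    0x12: "KDC_ERR_CLIENT_REVOKED: client credentials have been revoked",
    0x18: "KDC_ERR_PREAUTH_FAILED: pre-authentication information was invalid",
}
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?):[ \t]+(\S.*?)\s*$", re.M)
# Naming convention stated in the question: first.last or first.mi.last
CONVENTION = re.compile(r"^[a-z]+(\.[a-z])?\.[a-z]+$", re.I)

def parse_4768(message):
    """Return the 'Key: value' fields of one event 4768 description."""
    event = dict(FIELD.findall(message))
    # The event in the question shows the client as IPv4-mapped IPv6 (::ffff:a.b.c.d).
    event["Client Address"] = event.get("Client Address", "").replace("::ffff:", "", 1)
    event["Result"] = int(event.get("Result Code", "0x0"), 16)
    return event

def off_convention_failures(messages):
    """Count failed TGT requests per (client, account, error) whose account
    name does not follow the naming convention."""
    hits = Counter()
    for ev in map(parse_4768, messages):
        name = ev.get("Account Name", "")
        if ev["Result"] and not CONVENTION.match(name.split("@")[0]):
            error = KRB_ERRORS.get(ev["Result"], hex(ev["Result"]))
            hits[(ev["Client Address"], name, error)] += 1
    return hits

# Constructed sample events (documentation IP ranges, placeholder realm).
TEMPLATE = """A Kerberos authentication ticket (TGT) was requested.
Account Information:
      Account Name:            {0}
      Supplied Realm Name:      EXAMPLE
Network Information:
      Client Address:            ::ffff:{1}
Additional Information:
      Result Code:            {2}
"""
SAMPLE = [TEMPLATE.format(*row) for row in [
    ("1234567890@mil", "203.0.113.10", "0x6"),
    ("1234567890@mil", "203.0.113.10", "0x6"),
    ("jane.doe", "198.51.100.7", "0x18"),
    ("john.q.public", "198.51.100.8", "0x0"),
]]

if __name__ == "__main__":
    for key, count in off_convention_failures(SAMPLE).most_common():
        print(count, *key, sep="\t")
```

Result code 0x6 in the question's event is KDC_ERR_C_PRINCIPAL_UNKNOWN: the KDC found no account matching the supplied name, which is consistent with the NULL SID in the User ID field.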
Shaun Vermaak, Technical Specialist IV, Commented:
Enable NTLM logging (not normal auditing) as per this article and see if you get more info back
https://www.experts-exchange.com/articles/29305/Active-Directory-Locked-Account-Investigation-Process.html
0
Ajit Singh Commented:
Use the Process Monitor and check if any custom service was querying the certificate.

And if so disable the service.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4768
https://www.experts-exchange.com/questions/28613245/Tracking-failed-Logon-attempts.html

Hope this helps!
0

ManieyaK_CSSP (Author) Commented:
Something else I just noticed: these logon attempts are static-xxx-xx-xxx-xxx.ISP. All other failed attempts that have a valid username are logon attempts to the actual server. The static IP is the static IP for our website.
0