Failed Logon attempts

Hello, I'm seeing a bunch of failed logon attempts; what's confusing me is the usernames. Rather than the normal user naming convention, first.last or first.mi.last, I'm seeing 1234567890@mil.
I assume these are users' CAC IDs, but I'm not sure why it's attempting to log in this way. I recently added the AD Certificate Services role; would this have anything to do with it?

A Kerberos authentication ticket (TGT) was requested.

Account Information:
      Account Name:            1234567890@mil
      Supplied Realm Name:      DOMAIN NAME
      User ID:                  NULL SID

Service Information:
      Service Name:            krbtgt/DOMAIN
      Service ID:            NULL SID

Network Information:
      Client Address:            ::ffff:XXX.XX.XXX.XXX
      Client Port:            7130

Additional Information:
      Ticket Options:            0x40810010
      Result Code:            0x6
      Ticket Encryption Type:      0xffffffff
      Pre-Authentication Type:      -

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:      
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
ManieyaK_ (Citrix Systems / Network Admin) asked:
Ajit Singh commented:
Use Process Monitor and check if any custom service is querying the certificate.

And if so, disable the service.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4768
https://www.experts-exchange.com/questions/28613245/Tracking-failed-Logon-attempts.html

Hope this helps!
David Johnson, CD, MVP (Owner) commented:
Account Information:
      Account Name:            1234567890@mil
      Supplied Realm Name:      DOMAIN NAME
      User ID:                  NULL SID


They didn't get a Kerberos ticket, so don't worry about it.

Use Log Parser to determine if you have to block IPs:
https://www.sherweb.com/blog/using-log-parser-to-query-event-log-data/
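The question's event is a 4768 with Result Code 0x6 and a NULL SID, which is the KDC reporting that it could not find the requested principal at all (RFC 4120 error 6, KDC_ERR_C_PRINCIPAL_UNKNOWN), so no ticket was issued. Whether that source needs blocking, as David suggests, comes down to grouping the failures by client address. The script below is an added example, not code from the thread or from Log Parser: it parses a constructed export of 4768 event bodies (in the same layout as the one quoted above, with an invented "=====" separator between events and made-up addresses and names), labels the result codes, and summarises failures per source. Pointing it at real data would mean feeding it text exported with Get-WinEvent or Log Parser instead of the embedded sample.

```python
import re
from collections import defaultdict

# Subset of the KDC error codes defined in RFC 4120, keyed the way
# event 4768 prints them ("Result Code: 0x6").
RESULT_CODES = {
    "0x0": "success",
    "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found in Kerberos database)",
    "0x12": "KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out)",
    "0x17": "KDC_ERR_KEY_EXPIRED (password expired)",
    "0x18": "KDC_ERR_PREAUTH_FAILED (bad password)",
    "0x25": "KRB_AP_ERR_SKEW (clock skew too great)",
}

# Assumption for this example: the export separates event bodies with this line.
EVENT_SEPARATOR = "====="

# Fields pulled out of each event body; the labels are the ones the event uses.
FIELD_PATTERNS = {
    "account_name": r"Account Name:[ \t]*(\S+)",
    "user_id": r"User ID:[ \t]*(.+?)[ \t]*$",
    "client_address": r"Client Address:[ \t]*(\S+)",
    "result_code": r"Result Code:[ \t]*(\S+)",
    "pre_auth_type": r"Pre-Authentication Type:[ \t]*(\S+)",
}

# Constructed sample export: two unknown-principal failures from one source,
# one bad-password failure and one success from real accounts.
SAMPLE_4768_EVENTS = """
A Kerberos authentication ticket (TGT) was requested.
Account Information:
      Account Name:            1234567890@mil
      Supplied Realm Name:      EXAMPLE
      User ID:                  NULL SID
Network Information:
      Client Address:            ::ffff:203.0.113.10
      Client Port:            7130
Additional Information:
      Ticket Options:            0x40810010
      Result Code:            0x6
      Ticket Encryption Type:      0xffffffff
      Pre-Authentication Type:      -
=====
A Kerberos authentication ticket (TGT) was requested.
Account Information:
      Account Name:            0987654321@mil
      Supplied Realm Name:      EXAMPLE
      User ID:                  NULL SID
Network Information:
      Client Address:            ::ffff:203.0.113.10
      Client Port:            7131
Additional Information:
      Ticket Options:            0x40810010
      Result Code:            0x6
      Ticket Encryption Type:      0xffffffff
      Pre-Authentication Type:      -
=====
A Kerberos authentication ticket (TGT) was requested.
Account Information:
      Account Name:            john.doe
      Supplied Realm Name:      EXAMPLE
      User ID:                  S-1-5-21-1111-2222-3333-1105
Network Information:
      Client Address:            ::ffff:192.0.2.25
      Client Port:            51000
Additional Information:
      Ticket Options:            0x40810010
      Result Code:            0x18
      Ticket Encryption Type:      0xffffffff
      Pre-Authentication Type:      2
=====
A Kerberos authentication ticket (TGT) was requested.
Account Information:
      Account Name:            jane.doe
      Supplied Realm Name:      EXAMPLE
      User ID:                  S-1-5-21-1111-2222-3333-1106
Network Information:
      Client Address:            ::ffff:192.0.2.40
      Client Port:            51001
Additional Information:
      Ticket Options:            0x40810010
      Result Code:            0x0
      Ticket Encryption Type:      0x12
      Pre-Authentication Type:      2
"""


def parse_4768_events(text):
    """Split an export of 4768 event bodies into one dict per event."""
    records = []
    for chunk in text.split(EVENT_SEPARATOR):
        if "Kerberos authentication ticket (TGT) was requested" not in chunk:
            continue  # blank chunk or some other event type
        rec = {}
        for field, pattern in FIELD_PATTERNS.items():
            match = re.search(pattern, chunk, re.MULTILINE)
            rec[field] = match.group(1).strip() if match else None
        # The KDC logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d).
        if rec["client_address"] and rec["client_address"].startswith("::ffff:"):
            rec["client_address"] = rec["client_address"][len("::ffff:"):]
        records.append(rec)
    return records


def is_unknown_principal(rec):
    """The pattern from the question: code 0x6 and no SID resolved, so no ticket issued."""
    return rec["result_code"] == "0x6" and rec["user_id"] == "NULL SID"


def summarize_by_client(records):
    """Group failed TGT requests by client address so a noisy source stands out."""
    summary = defaultdict(lambda: {"total": 0, "unknown_principal": 0,
                                   "account_names": set(), "reasons": set()})
    for rec in records:
        if rec["result_code"] == "0x0":
            continue  # successful requests are not failures
        entry = summary[rec["client_address"]]
        entry["total"] += 1
        entry["account_names"].add(rec["account_name"])
        entry["reasons"].add(RESULT_CODES.get(rec["result_code"],
                                              "unlisted code " + str(rec["result_code"])))
        if is_unknown_principal(rec):
            entry["unknown_principal"] += 1
    return dict(summary)


if __name__ == "__main__":
    for addr, entry in summarize_by_client(parse_4768_events(SAMPLE_4768_EVENTS)).items():
        print(addr, entry["total"], "failures,", entry["unknown_principal"],
              "unknown principals, names:", sorted(entry["account_names"]))
```

In the sample, 203.0.113.10 shows up with only unknown-principal failures against names that are not real accounts, which is the kind of source worth correlating with the website host the author later mentions, while 192.0.2.25 is an ordinary bad-password failure for a real user.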
Shaun Vermaak (Technical Specialist/Developer) commented:
Enable NTLM logging (not normal auditing) as per this article and see if you get more info back:
https://www.experts-exchange.com/articles/29305/Active-Directory-Locked-Account-Investigation-Process.html
ManieyaK_ (Citrix Systems / Network Admin, author) commented:
Something else I just noticed: these logon attempts come from static-xxx-xx-xxx-xxx.ISP; all other failed attempts that have a valid username are logon attempts to the actual server. The static IP is the static IP for our website.