locked
In Event ID 4770, can the computer downgrade the TGT encryption and if yes Why? RRS feed

 > 

  • Question

  • Question
    Sign in to vote
    0
    Sign in to vote
    In Event ID 4770, can the computer downgrade the TGT encryption and if yes Why?
    Tuesday, January 8, 2019 6:15 PM

All replies

  • Question
    Sign in to vote
    0
    Sign in to vote

    Hello,

    If you mean that you use ATA for detecting the encryption downgrade activity, you can refer to the following article, which introduces the method used for detecting it.

    https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide

    By the way, this is a forum mainly covering questions about Microsoft Advanced Threat Analytics.

    Best regards,

    Andy Liu

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, January 9, 2019 8:35 AM
  • Question
    Sign in to vote
    0
    Sign in to vote

    Thank You for the response and yes that was an ATA alert and I understand why the alert was triggered.

    However we are just trying to understand about why a Windows 2016 Server send a renew request by downgrading the TGT encryption. Is this a normal activity by any machine or we need to change some settings on the Source machine.

    Wednesday, January 9, 2019 10:45 AM