unable to find failed logins

    Question

  • Windows Server 2008 R2 sp1

    We are required to audit logons, especially failed logon attempts, so I enabled the following in GPO:

    For testing, I intentionally tried to log in with wrong passwords, then I checked the DC event viewer. The only things I could find there are event IDs 4634 (Logoff), 4678 (some Kerberos service), 4768 (some Kerberos audit failure), and 4624 (Logon).

    How do I find or catch failed logon attempts then?

    Monday, August 31, 2015 2:33 PM

All replies

  • Hi,

    Thanks for your post.

    Have you tried to run gpupdate /force before doing the test?

    Did you do this on the "Default Domain Controllers" Policy so that it applies to the DCs? You need to edit the Default Domain Controllers policy; otherwise you need to create a new GPO and link it to the Domain Controllers OU.

    And for event 4768: when a user logs on at a workstation with their domain account, the workstation contacts a domain controller via Kerberos and requests a ticket granting ticket. If the user fails authentication, the domain controller logs event ID 4771 or an audit failure instance of 4768.

    If the user’s credentials authentication checks out, the domain controller creates a TGT, sends that ticket back to the workstation, and logs event ID 4768.

    If authentication succeeds and the domain controller sends back a TGT, the workstation creates a logon session and logs event ID 4624 to the local security log.

    Please check the following articles:

    Audit Kerberos Authentication Service

    https://technet.microsoft.com/en-us/library/Dd772702%28v=WS.10%29.aspx?f=255&MSPPError=-2147217396

    Following a User’s Logon Tracks throughout the Windows Domain

    http://www.eventtracker.com/newsletters/following-a-users-logon-tracks-throughout-the-windows-domain/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Mary Dong


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, September 01, 2015 5:57 AM
    Moderator
  • Here is another informative article that should be worth reading for you: http://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/
    Wednesday, September 02, 2015 10:21 AM
  • "If the user fails authentication, the domain controllers logs event ID 4771 or an audit failure instance 4768. The result code in either event specifies the reason for why authentication failed"

    In event ID 4771, how do you interpret the result code? I need to know if it's a password failure or something else.

    Sunday, September 06, 2015 6:50 AM
  • Hi Reno,

    4771 (Kerberos Pre-Authentication Failure) occurs when something is mapped with an account and password. You could also check out the similar thread below:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/6187d7e2-d38a-4ecd-bf80-12ce3589c8e1/account-locked-event-4771-failure-code-0x18?forum=winserversecurity

    Best Regards,

    Mary Dong


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, September 08, 2015 1:12 AM
    Moderator
  • Hi,

    I was hoping there'd be a table of what the failure codes mean. From the link provided, all I get is what 0x18 means. But what about the other failure codes? If Windows can assign a failure code to an event, surely somewhere there is a table to look up what they mean.

    Tuesday, September 08, 2015 6:02 AM
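The detection side of the flow described in the first reply, and the result-code question raised at the end of the thread, as one added example that is not part of this thread or of any Microsoft documentation: it pulls 4771 and failed 4768 events from a DC's Security log and maps the result code to its Kerberos error name. It assumes the "Audit Kerberos Authentication Service" subcategory is enabled on the DC, that the script runs with rights to read the Security log, and that the result code sits in the `Status` field of the event XML for both IDs (the field name is taken from the event schema as the author remembers it; the code names come from RFC 4120).

```powershell
# Added example, not from the thread. Kerberos error codes per RFC 4120, keyed
# the way Windows writes them (hex, no leading zeros, after normalisation below).
$KerberosFailureCodes = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (user name does not exist)'
    '0x7'  = 'KDC_ERR_S_PRINCIPAL_UNKNOWN (service principal not found)'
    '0xC'  = 'KDC_ERR_POLICY (logon hours or workstation restriction)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (wrong password)'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew too great)'
}

function Get-KerberosLogonFailure {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller
        [datetime]$Since = (Get-Date).AddHours(-24)
    )
    # 4771 = pre-authentication failure (the usual bad-password event).
    # 4768 = TGT request; it is an audit failure when its result code is not 0x0.
    $filter = @{ LogName = 'Security'; Id = 4768, 4771; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # Assumed field name: both events carry the result code in 'Status'.
            $raw = $data['Status']
            if (-not $raw) { return }
            $code = '0x{0:X}' -f [int]$raw          # normalise "0x018" / "0x18" to "0x18"
            if ($code -eq '0x0') { return }          # successful 4768: not a failure
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                User    = $data['TargetUserName']
                Source  = $data['IpAddress']
                Code    = $code
                Meaning = if ($KerberosFailureCodes.ContainsKey($code)) { $KerberosFailureCodes[$code] } else { 'unknown, see RFC 4120' }
            }
        }
}

# Usage on a DC: list failures, then count wrong-password attempts per account
# so repeated 0x18 from one source stands out (lockout or password-guessing signal).
$failures = Get-KerberosLogonFailure
$failures | Format-Table Time, EventId, User, Source, Code, Meaning -AutoSize
$failures | Where-Object Code -eq '0x18' | Group-Object User, Source |
    Sort-Object Count -Descending | Select-Object Count, Name
```

If the DC returns nothing, check with auditpol /get /category:* that "Kerberos Authentication Service" failure auditing is actually in effect after gpupdate /force.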