Kerberos Authentication ticket RRS feed

  • Question

  • Hello everone

    I have a server 2012 R2 and I get the following error:

    A Kerberos authentication ticket (TGT) was requested.
    Account Information:
     Account Name:  S-1-5-21-262885580-2243684832-3334250267-1001
     Supplied Realm Name: DomainName.LOCAL
     User ID:   NULL SID
    Service Information:
     Service Name:  krbtgt/DomainName.LOCAL
     Service ID:  NULL SID
    Network Information:
     Client Address:  ::1
     Client Port:  0
    Additional Information:
     Ticket Options:  0x40810010
     Result Code:  0x6
     Ticket Encryption Type: 0xFFFFFFFF
     Pre-Authentication Type: -
    Certificate Information:
     Certificate Issuer Name:  
     Certificate Serial Number: 
     Certificate Thumbprint:  
    Certificate information is only provided if a certificate was used for pre-authentication.

    Pre-authentication types, ticket options, encryption types and result codes are defined in RFC

    I get 3304 ticket requests from this SID. But the problem is that I try to find this SID = user and it does not exist.

    Anyone can give me any directions?

    Thank you

    Friday, July 26, 2019 10:24 AM

All replies

  • Hi,

    Thanks for posting in our forum.
    As far as I know, the SID should be a deleted user/group object in your domain.
    I will suggest you check saved credential and scheduler task to see if there has some finding.

    Similar discussion for your reference:
    Best Regards,

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Monday, July 29, 2019 7:09 AM
  • In continuation to William replay

    Service Information:
    Service Name:  krbtgt/DomainName.LOCAL
    Service ID:  NULL SID
    Network Information:
     Client Address:  ::1 
    ::1 is loop back IPV6 address-It means that deleted  ID exist in local (Domain server) system only  
    Account Name:  S-1-5-21-262885580-2243684832-3334250267-1001:It is the SID of an orphaned object in Active Directory. It can be a User Object or Group Object that most likely been deleted.

    check any job is running in task scheduler or any other third party schedulers.

    Monday, July 29, 2019 8:22 AM
  • Anyone knows what kind of processes I could monitor with Process Monitor?
    Monday, July 29, 2019 12:27 PM
  • Hi,

    According to my knowledge, you can try to filter details which contain the SID or filter user to exclude known user name.

    For more help about Process Monitor, I will suggest you refer to the following article.

    Best Regards,

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Friday, August 2, 2019 3:06 AM
  • After a research that I did at my server looking at the domain controller I found out that the unknown Sids that trigger Kerberos TGT are: 

    S-1-5-21-262885580-2243684832-3334250267-1153 is the object id of an old domain computer that I have it in the Active directory Users and Computers / Computers.

    And also the Unknown SID S-1-5-21-262885580-2243684832-3334250267-1001 is the object id of my domain Controller inside the Active directory users and computers / Domain Controllers

    Anyone knows how to fix those two from triggering Kerberos TGT ? 

    Monday, August 12, 2019 12:08 PM