Kerberos Authentication ticket

  • Question

  • Hello everyone

    I have a server 2012 R2 and I get the following error:

    A Kerberos authentication ticket (TGT) was requested.
    Account Information:
     Account Name:  S-1-5-21-262885580-2243684832-3334250267-1001
     Supplied Realm Name: DomainName.LOCAL
     User ID:   NULL SID
    Service Information:
     Service Name:  krbtgt/DomainName.LOCAL
     Service ID:  NULL SID
    Network Information:
     Client Address:  ::1
     Client Port:  0
    Additional Information:
     Ticket Options:  0x40810010
     Result Code:  0x6
     Ticket Encryption Type: 0xFFFFFFFF
     Pre-Authentication Type: -
    Certificate Information:
     Certificate Issuer Name:  
     Certificate Serial Number: 
     Certificate Thumbprint:  
    Certificate information is only provided if a certificate was used for pre-authentication.

    Pre-authentication types, ticket options, encryption types and result codes are defined in RFC

    I get 3304 ticket requests from this SID. But the problem is that I try to find this SID = user and it does not exist.

    Can anyone give me any directions?

    Thank you

    Friday, July 26, 2019 10:24 AM

All replies

  • Hi,

    Thanks for posting in our forum.
    As far as I know, the SID should be a deleted user/group object in your domain.
    I suggest you check saved credentials and scheduled tasks to see if you find anything.

    Similar discussion for your reference:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/97986a1a-95c4-4474-9874-db1c57d5fdff/what-is-this-or-who-is-this-s1521196040896116042217766820033301003?forum=winservergen
    Best Regards,
    William 

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 29, 2019 7:09 AM
    Moderator
  • In continuation of William's reply:

    Service Information:
    Service Name:  krbtgt/DomainName.LOCAL
    Service ID:  NULL SID
    Network Information:
     Client Address:  ::1

    ::1 is the IPv6 loopback address. It means that the deleted ID exists in the local (domain server) system only.

    Account Name:  S-1-5-21-262885580-2243684832-3334250267-1001: It is the SID of an orphaned object in Active Directory. It can be a user object or group object that has most likely been deleted.

    Check whether any job is running in Task Scheduler or any other third-party schedulers.

    Monday, July 29, 2019 8:22 AM
  • Does anyone know what kind of processes I could monitor with Process Monitor?
    Monday, July 29, 2019 12:27 PM
  • Hi,

    As far as I know, you can try to filter on details which contain the SID, or filter on user to exclude known user names.

    For more help with Process Monitor, I suggest you refer to the following article.
    https://docs.microsoft.com/en-us/sysinternals/learn/troubleshooting-book

    Best Regards,
    William


    Friday, August 2, 2019 3:06 AM
    Moderator
  • After some research on my server, looking at the domain controller, I found out that the unknown SIDs that trigger Kerberos TGT are:

    S-1-5-21-262885580-2243684832-3334250267-1153 is the object ID of an old domain computer that I have in Active Directory Users and Computers / Computers.

    And also the unknown SID S-1-5-21-262885580-2243684832-3334250267-1001 is the object ID of my domain controller inside Active Directory Users and Computers / Domain Controllers.

    Does anyone know how to stop those two from triggering Kerberos TGT?

    Monday, August 12, 2019 12:08 PM
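
The lookup that settled this thread, as an added example that is not code from any poster: it counts failed event 4768 TGT requests (result code 0x6, KDC_ERR_C_PRINCIPAL_UNKNOWN) per account and client address, then resolves SID-shaped account names against every object class, computers and deleted objects included, rather than users only. The function names are hypothetical, and it assumes an elevated session on the domain controller with the ActiveDirectory module installed.

```powershell
# Added example (not from the thread). Run elevated on the domain controller;
# needs the RSAT ActiveDirectory module. Function names are hypothetical.
Import-Module ActiveDirectory

# Event 4768 entries whose result code is 0x6, flattened to the fields used in the thread.
function Get-FailedTgtRequest {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Account = $data['TargetUserName']   # "Account Name" in the event text
                Client  = $data['IpAddress']        # "Client Address"
                Status  = $data['Status']           # "Result Code"
            }
        } |
        Where-Object { $_.Status -eq '0x6' }
}

# Look the SID up across all object classes, deleted objects included.
function Resolve-SidAnyClass {
    param([Parameter(Mandatory)][string]$Sid)
    $obj = Get-ADObject -Filter "objectSid -eq '$Sid'" -IncludeDeletedObjects `
        -Properties sAMAccountName, isDeleted
    if (-not $obj) { return [pscustomobject]@{ Name = $null; Class = 'not found'; Deleted = $null } }
    [pscustomobject]@{
        Name    = $obj.sAMAccountName
        Class   = $obj.ObjectClass
        Deleted = [bool]$obj.isDeleted
    }
}

# One row per (account, client) pair, most frequent first.
Get-FailedTgtRequest |
    Group-Object Account, Client |
    Sort-Object Count -Descending |
    ForEach-Object {
        $first = $_.Group[0]
        $ad = if ($first.Account -match '^S-1-5-21-') { Resolve-SidAnyClass $first.Account }
        [pscustomobject]@{
            Count   = $_.Count
            Account = $first.Account
            Client  = $first.Client
            Class   = $ad.Class
            Name    = $ad.Name
            Deleted = $ad.Deleted
        }
    } | Format-Table -AutoSize
```

A row with Class `computer` and Deleted `False` corresponds to what the last post found: the SID belongs to a live computer account, not to a missing user.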