Kerberos Event ID: 4768 | Result Code 0x12

Hello everybody!
We have an old Domain Admin account that we're retiring. The account has been disabled and moved to the Disabled OU in AD, but it seems to be requesting a Kerberos authentication ticket (TGT) from one of the DCs. How can we resolve the user-requested TGT?
Event ID being generated:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Logged: 2/13/2017 12:16:57 PM
Event ID: 4768
Level: Audit Failure
User: N/A
Computer: DC1.domain.com
A Kerberos authentication ticket (TGT) was requested.
Account Information:
    Account Name: AdminAccount
    Supplied Realm Name: DOMAIN.LOCAL
    User ID: NULL SID
Service Information:
    Service Name: krbtgt/DOMAIN.LOCAL
    Service ID: NULL SID
Network Information:
    Client Address: ::1 (LocalHost)
    Client Port: 0
Additional Information:
    Ticket Options: 0x40810010
    Result Code: 0x12
    Ticket Encryption Type: 0xFFFFFFFF
    Pre-Authentication Type: -
Certificate Information:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
We tried to capture with Process Monitor, and it didn't capture anything when filtering on the username.
Thanks and regards.
-
Hi,
According to my research, the code 0x12 means the client's credentials have been revoked. This might be because of an explicit disabling or because of other restrictions in place on the account. For example: account disabled, expired, or locked out.
4768(S, F): A Kerberos authentication ticket (TGT) was requested.
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4768?f=255&MSPPError=-2147217396
And from the network information in the event log, Client Address: ::1 means the request is from localhost. Client Port is 0 for local (localhost) requests.
Best Regards,
Alvin Wang
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
Proposed as answer by Todd Heron Wednesday, February 15, 2017 1:35 PM
-
Hi
You can disable or stop the audit Event 4768 by removing success and failure audit of the Kerberos Authentication Service subcategory by using the following command:
auditpol /set /subcategory:"Kerberos Authentication Service" /success:disable
Also check for details:
http://www.morgantechspace.com/2014/05/Event-ID-4768-A-Kerberos-authentication-ticket-was-requested.html
This posting is provided AS IS with no warranties or guarantees, and confers no rights.
Best regards
Burak Uğur
-
Hi,
According to my research, this has often been traced back to a service running on a server under a user account, so try checking services.msc. Also check scheduled tasks and see if there is one set up to run under that user account.
Best Regards,
Alvin Wang
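The checks suggested in the reply above, as an added example that is not part of the original thread: a PowerShell script to run elevated on the DC that logged the event (Client Address ::1 means the request came from that DC itself). It lists services and scheduled tasks configured to run as the account and summarizes recent 4768 failures with result code 0x12 by client address. `AdminAccount` is taken from the event in the question; the 24-hour look-back window and the availability of the ScheduledTasks module (Windows Server 2012 or later) are assumptions.

```powershell
# Added example (not from the thread). Run elevated on the DC that logged the event.
$Account = 'AdminAccount'              # account name as shown in the 4768 event
$Since   = (Get-Date).AddHours(-24)    # assumed look-back window

# Matches NAME, DOMAIN\NAME and NAME@domain (PowerShell -match is case-insensitive)
$pattern = '(^|\\){0}(@|$)' -f [regex]::Escape($Account)

# 1. Services whose logon account is the retired account
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -match $pattern } |
    Select-Object Name, DisplayName, StartName, State, StartMode

# 2. Scheduled tasks whose principal is the retired account
$tasks = Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -match $pattern } |
    Select-Object TaskPath, TaskName, State,
        @{ Name = 'RunAs'; Expression = { $_.Principal.UserId } }

# 3. Recent 4768 events for the account with result code 0x12
$filter = @{ LogName = 'Security'; Id = 4768; StartTime = $Since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ev   = $_
        $data = @{}
        # Flatten the EventData name/value pairs into a hashtable
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time    = $ev.TimeCreated
            Account = $data['TargetUserName']
            Status  = $data['Status']        # Result Code in the rendered event
            Client  = $data['IpAddress']
            Port    = $data['IpPort']
        }
    } |
    Where-Object { $_.Account -eq $Account -and $_.Status -eq '0x12' }

'Services running as the account:'
$services | Format-Table -AutoSize
'Scheduled tasks running as the account:'
$tasks | Format-Table -AutoSize
'4768 failures (0x12) by client address:'
$events | Group-Object Client | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

If every failure groups under ::1, the source is a process on the DC itself; any other client address points at the host to run the service and task checks on next.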
-
Hi,
Currently I have no ideas or suitable ways to figure out the root cause of this Event ID. I will keep researching and give you an update if there is any useful information.
It is also appreciated that the other members in our forum can share their experience with us about this scenario.
Best Regards,
Alvin Wang