Kerberos Event ID: 4768 | Result Code 0x12

    Question

  • Hello everybody!

    We have an old Domain Admin account that we're retiring. The account has been disabled and moved to the disabled OU in AD, but it seems to be requesting a Kerberos authentication ticket (TGT) from one of the DCs. How can we resolve the TGT requests from this user?

    Event ID being generated:

    Log Name: Security 
    Source: Microsoft-Windows-Security-Auditing 
    Logged: 2/13/2017 12:16:57 PM
    Event ID: 4768 
    Level: Audit Failure 
    User: N/A
    Computer: DC1.domain.com
    
    A Kerberos authentication ticket (TGT) was requested.
    
    Account Information:
    Account Name:		  AdminAccount
    Supplied Realm Name:	  DOMAIN.LOCAL
    User ID:	          NULL SID
    
    Service Information:
    Service Name:		  krbtgt/DOMAIN.LOCAL
    Service ID:		  NULL SID
    
    Network Information:
    Client Address:	          ::1 (LocalHost)
    Client Port:		  0
    
    Additional Information:
    Ticket Options:		  0x40810010
    Result Code:	          0x12
    Ticket Encryption Type:	  0xFFFFFFFF
    Pre-Authentication Type:  -
    
    Certificate Information:
    Certificate Issuer Name:		
    Certificate Serial Number:	
    Certificate Thumbprint:		
    
    Certificate information is only provided if a certificate was used for pre-authentication.
    Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
    We tried to capture it with Process Monitor, but it didn't capture anything when filtering on the username.

    Thanks and regards.-

    Monday, February 13, 2017 4:29 PM

All replies

  • Hi,

    According to my research, the code 0x12 means the client's credentials have been revoked. This might be because of an explicit disabling or because of other restrictions in place on the account. For example: account disabled, expired, or locked out.

    4768(S, F): A Kerberos authentication ticket (TGT) was requested.

    https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4768?f=255&MSPPError=-2147217396

    And from the network information in the event log, Client Address: ::1 means the request is from localhost. Client Port is 0 for local (localhost) requests.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Todd Heron Wednesday, February 15, 2017 1:35 PM
    Tuesday, February 14, 2017 8:55 AM
    Moderator
  • Hi, Alvwan

    You're right, but the TechNet article for the error does not say how to solve this problem for a disabled account that was a domain admin.

    This behavior is very strange.

    Best Regards.-

    Tuesday, February 14, 2017 12:37 PM
  • Hi

    You can disable or stop the audit Event 4768 by removing the success and failure audit of the Kerberos Authentication Service subcategory, using the following command:

    auditpol /set /subcategory:"Kerberos Authentication Service" /success:disable

    Also check for details:

    http://www.morgantechspace.com/2014/05/Event-ID-4768-A-Kerberos-authentication-ticket-was-requested.html


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Tuesday, February 14, 2017 3:24 PM
  • Hi, Burak Ugur

    I don't want to disable the audit event 4768, because it is useful for detecting TGT requests.

    Do you know of anything that would help fix this?

    Best Regards.-

    Wednesday, February 15, 2017 8:52 PM
  • Hi,

    According to my research, this has often been traced back to a service running on a server under a user account, so try checking services.msc. Also check scheduled tasks and see if there is one set up to run under that user account.

    Best Regards,

    Alvin Wang



    Tuesday, February 21, 2017 6:21 AM
    Moderator
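
The checks suggested in the reply above, combined with a summary of the failing requests, as an added example that is not part of any reply in this thread. It assumes the account name `AdminAccount` from the event in the question and an elevated PowerShell session on the DC that logged the event (the client address `::1` means the request originates on that DC itself).

```powershell
# Added example (not from the thread). Run elevated on the DC that logged the event.
$Account = 'AdminAccount'   # account name taken from the event in the question

# 1. Failed TGT requests (4768, Result Code 0x12) for the account, grouped by
#    client address, to confirm they all come from ::1 and how recent they are.
$xpath = "*[System[EventID=4768]] and *[EventData[Data[@Name='TargetUserName']='$Account']]"
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Flatten the <EventData><Data Name="..."> elements into a hashtable.
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time   = $evt.TimeCreated
            Status = $data['Status']      # shown as "Result Code" in the event text
            Client = $data['IpAddress']   # shown as "Client Address"
            Port   = $data['IpPort']
        }
    } |
    Where-Object { $_.Status -eq '0x12' } |
    Group-Object Client |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time)[-1].Time } }

# 2. Services configured to log on as the account (what services.msc shows
#    in the "Log On As" column).
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -like "*$Account*" } |
    Select-Object Name, DisplayName, StartName, State

# 3. Scheduled tasks whose principal is the account.
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -like "*$Account*" } |
    Select-Object TaskPath, TaskName, State,
        @{ n = 'RunAs'; e = { $_.Principal.UserId } }
```

An empty result from steps 2 and 3 only rules out services and scheduled tasks on that DC; other local consumers of the account are not covered by these queries.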
  • Hi,

    I checked the services and Scheduled Tasks, without any result for the disabled account.

    Best Regards.-

    Wednesday, February 22, 2017 5:37 PM
  • Hi,

    Currently I have no ideas or suitable ways to figure out the root cause of this Event ID. I will keep researching and give you an update if there is any useful information.

    It is also appreciated that the other members in our forum can share their experience with us about this scenario.

    Best Regards,

    Alvin Wang



    Friday, February 24, 2017 8:53 AM
    Moderator