Event ID 4768 | Result Code 0x12

    Question

  • We have an old Domain Admin account that we're retiring. The account has been disabled but seems to be requesting Kerberos tickets from one of the DCs. How can we track where or what is still using this account?

    Below is the Event ID being generated:

    Log Name: Security 
    Source: Microsoft-Windows-Security-Auditing 
    Logged: 12/20/2016 16:54:53 
    Event ID: 4768 
    Level: Audit Failure 
    User: 
    Computer: DC3.domain.com 
    
    A Kerberos authentication ticket (TGT) was requested. 
    
    Account Information: 
    Account Name: AdminAcct
    Supplied Realm Name: domain.com 
    User ID: S-1-0-0 
    
    Service Information: 
    Service Name: krbtgt/domain.com 
    Service ID: S-1-0-0 
    
    Network Information: 
    Client Address: ::1 
    Client Port: 0 
    
    Additional Information: 
    Ticket Options: 0x40810010 
    Result Code: 0x12 
    Ticket Encryption Type: 0xffffffff 
    Pre-Authentication Type: - 
    
    Certificate Information: 
    Certificate Issuer Name: 
    Certificate Serial Number: 
    Certificate Thumbprint: 
    
    Certificate information is only provided if a certificate was used for pre-authentication. 
    
    Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120. 


    • Edited by Stryker801 Wednesday, December 21, 2016 11:37 PM
    Wednesday, December 21, 2016 11:34 PM

All replies

  • Hi,
    From Network Information in the event log, Client Address: ::1 means the request is from localhost. Client Port is 0 for local (localhost) requests as well. Please see: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4768
    So please check if the request is from DC3, and if the disabled account is cached on DC3 somewhere.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Thursday, December 22, 2016 5:29 AM
    Moderator
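As an added example (not part of the thread), here is a PowerShell script that does what the reply above suggests: it pulls the 4768 failures for the retired account from DC3's Security log, groups them by client address and shows the most recent timestamps, then lists services and scheduled tasks on DC3 that still run as that account. The account name 'AdminAcct' and host name 'DC3' come from the thread; the field names are the standard 4768 EventData fields, and the rest is assumed.

```powershell
# Added example, not from the thread: correlate 4768 / 0x12 (KDC_ERR_CLIENT_REVOKED)
# events for the retired account with services and scheduled tasks on the DC.
param(
    [string]$Account  = 'AdminAcct',   # account name from the thread
    [string]$Computer = 'DC3'          # DC name from the thread
)

# 1. Pull failed TGT requests for this account from the DC's Security log.
$events = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
    LogName = 'Security'; Id = 4768
} -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.TargetUserName -eq $Account -and $d.Status -eq '0x12') {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Client = $d.IpAddress       # '::1' means the DC itself
            Port   = $d.IpAddressPort   # 0 for local requests
        }
    }
}

"Failed TGT requests for $Account by client address:"
$events | Group-Object Client | Select-Object Name, Count | Format-Table -AutoSize
"Most recent occurrences (look for a fixed interval, e.g. a scheduled task):"
$events | Sort-Object Time -Descending | Select-Object -First 10 | Format-Table -AutoSize

# 2. Requests from ::1 are local, so look on the DC itself for things that
#    still run as the account: Windows services and scheduled tasks.
$svc = Get-CimInstance Win32_Service -ComputerName $Computer |
       Where-Object { $_.StartName -like "*$Account*" } |
       Select-Object Name, StartName, State

$tasks = Invoke-Command -ComputerName $Computer -ScriptBlock {
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -like "*$using:Account*" } |
        Select-Object TaskName, TaskPath, State
}

"Services on $Computer running as ${Account}:"
$svc   | Format-Table -AutoSize
"Scheduled tasks on $Computer running as ${Account}:"
$tasks | Format-Table -AutoSize
```

If neither list shows the account, the next places to check on the DC are stored credentials (cmdkey /list), COM+ application identities and IIS application pool identities, which the script does not enumerate.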
  • Hi thanks for the response.

    It appears the request is coming from DC3. We have rebooted the server but the request is still occurring. How can I track what is still using the account?

    Thursday, December 22, 2016 4:14 PM
  • Hi,
    I would try using the Process Monitor tool to capture activity, in case we are lucky enough to catch the suspected application that is using the account. You could download the tool from:
    Process Monitor v3.31 https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx
    Best regards,
    Wendy


    Monday, December 26, 2016 1:40 AM
    Moderator
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you mark them as answers. If you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy



    Thursday, December 29, 2016 9:26 AM
    Moderator
  • Hi Wendy,

    Sorry I have been off for the Holidays, I haven't had a chance to try to capture with Process Monitor yet, will try it out and report my findings.

    Tuesday, January 3, 2017 3:53 PM
  • Hi Wendy, I tried capturing using Process Monitor with a UserID filter for the username, and it didn't capture anything while the event was still being triggered in Event Viewer. Any other suggestions?
    Tuesday, January 3, 2017 10:55 PM
  • Hi,

    So strange. Let us try clearing the cached domain account from the domain controller and then rebooting the DC to see if it works. You could follow the suggested method from the following article to try it:

    http://serverfault.com/questions/375036/how-can-i-clear-cached-domain-credentials

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best regards,

    Wendy



    Friday, January 6, 2017 1:23 AM
    Moderator