Event 4771 hourly since Office 365 2FA Enabled

  • Question

  • Since enabling two factor authentication for two of my Office 365 accounts I am noticing that hourly Event 4771 is logged on my domain controllers for these accounts.  No other accounts alert with this event ID.

    I know it has probably something to do with the app password that Office 365 2FA requires you to use, but I cannot figure out how to get it to stop other than disabling 2FA which I do not want to do.

    Additional Information:

    Ticket Options: 0x40810010
    Failure Code: 0x18
    Pre-Authentication Type: 2

    Any suggestions?

    Thursday, June 13, 2019 12:49 PM


All replies

  • Hi,

    Thank you for posting here.

    Here are two options we can try to meet your requirement:

    Option 1.

    Disable Audit Kerberos authentication Service policy. With this policy enabled, event 4771 will be generated. For your reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-kerberos-authentication-service 

    The location of this policy:

    Option 2. 

    "This event is not generated if “Do not require Kerberos preauthentication” option is set for the account."

    From https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771

    To set this option, we can navigate to ADUC->specific account->properties->account as captured:

    Hope the information above can be helpful.

    Best Regards,

    Lavilian


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, June 14, 2019 7:53 AM
    Moderator
  • I still need to be notified when a failed logon attempt occurs on my network.  

    Why is this happening since 2FA was enabled?

    Monday, June 17, 2019 6:41 PM
  • Hi,

    Thank you for your reply.

    With Audit Kerberos Authentication service policy enabled, this event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). 

    This can occur when a domain controller doesn’t have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user’s password has expired, or the wrong password was provided.

    Best Regards,

    Lavilian



    Tuesday, June 18, 2019 10:00 AM
    Moderator
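
As an added example (not part of the thread or of Microsoft's documentation), this PowerShell script summarises 4771 failures per account, client address and failure code, and flags evenly spaced ones such as the hourly pattern in the question. The function names, the 5-minute tolerance, the periodicity heuristic and the sample records are assumptions made for illustration; the field names are those in the 4771 event's XML data.

```powershell
# 0x18 is the code from the question; 0x10 and 0x17 match the answer's other two causes.
$FailureCodes = @{
    '0x10' = 'KDC_ERR_PADATA_TYPE_NOSUPP (DC has no smart card logon certificate)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password has expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (wrong password)'
}
function ConvertFrom-Event4771 {
    # Hypothetical helper: flattens a Get-WinEvent 4771 record into the fields used below.
    param([Parameter(ValueFromPipeline)]$EventRecord)
    process {
        $d = @{}
        foreach ($n in ([xml]$EventRecord.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time = $EventRecord.TimeCreated; Account = $d['TargetName']; Status = $d['Status']
            Client = $d['IpAddress'] -replace '^::ffff:', ''   # strip the IPv4-mapped prefix
        }
    }
}
function Get-Failure4771Summary {
    # Hypothetical helper: groups failures by account, client and code, and measures their spacing.
    param([Parameter(ValueFromPipeline)]$Record, [double]$ToleranceMinutes = 5)
    begin { $all = [System.Collections.Generic.List[object]]::new() }
    process { $all.Add($Record) }
    end {
        foreach ($g in ($all | Group-Object Account, Client, Status)) {
            $times = @($g.Group | Sort-Object Time | ForEach-Object { $_.Time })
            $gaps = @(for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalMinutes })
            $first = $g.Group[0]; $min = $max = $null
            if ($gaps.Count) { $s = $gaps | Measure-Object -Minimum -Maximum; $min = $s.Minimum; $max = $s.Maximum }
            $meaning = $FailureCodes["$($first.Status)"]
            [pscustomobject]@{
                Account = $first.Account; Client = $first.Client; Status = $first.Status
                Meaning = if ($meaning) { $meaning } else { 'not covered in this thread' }
                Count = $g.Count; MinGapMin = $min; MaxGapMin = $max
                # Assumed heuristic: evenly spaced failures suggest a saved credential being retried.
                Periodic = ($gaps.Count -ge 2) -and (($max - $min) -le $ToleranceMinutes)
            }
        }
    }
}

# Constructed sample records (not from the thread): user-a fails hourly, user-b irregularly.
$t0 = [datetime]'2019-06-13T08:00:00'
$new = { param($acct, $ip, $min) [pscustomobject]@{ Time = $t0.AddMinutes($min); Account = $acct; Status = '0x18'; Client = $ip } }
$sample = @(0, 60, 120, 180 | ForEach-Object { & $new 'user-a' '192.0.2.10' $_ }) +
          @(7, 9, 52 | ForEach-Object { & $new 'user-b' '192.0.2.77' $_ })
$sample | Get-Failure4771Summary | Format-Table -AutoSize
# Live use on a domain controller (requires rights to read the Security log):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4771} | ConvertFrom-Event4771 | Get-Failure4771Summary
```

The Client column identifies the machine that sent the failing request. The script leaves the audit policy and Kerberos pre-authentication as they are, so other failed logons are still logged.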
  • Hi,

    It's my pleasure that my information was helpful to you.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Lavilian



    Thursday, June 20, 2019 4:35 AM
    Moderator