Event ID: 4768

This event generates every time Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT).

A Kerberos authentication ticket (TGT) was requested.

Account Information:
    Account Name:           %1
    Supplied Realm Name:    %2
    User ID:                %3

Service Information:
    Service Name:           %4
    Service ID:             %5

Network Information:
    Client Address:         %10
    Client Port:            %11

Additional Information:
    Ticket Options:             %6
    Result Code:                %7
    Ticket Encryption Type:     %8
    Pre-Authentication Type:    %9

Certificate Information:
    Certificate Issuer Name:    %12
    Certificate Serial Number:  %13
    Certificate Thumbprint:     %14

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

This event generates every time Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT).

If TGT issue fails then you will see Failure event with Result Code field not equal to “0x0”.

This event doesn't generate for Result Codes: 0x10, 0x17 and 0x18. Event “4771: Kerberos pre-authentication failed.” generates those instead.

CJIS 5.4.1.1.1
ISO 27001:2013 A.12.4.1
ISO 27001:2013 A.12.4.3
NIST 800-171: 3.1.1
CMMC L1
NIST SP 800-53: AC-2
PCI 3.2.1: 10.2.4

This auditing subcategory monitors Kerberos AS_REQ requests.

Microsoft Documentation

Event ID - 4768

	Field	Insertion String	OS	Example
Account Name	TargetUserName	%1	Any	someadmin
Supplied Realm Name	TargetDomainName	%2	Any	thedomain.local
User ID	TargetSid	%3	Any	THEDOMAIN\someadmin
Service Name	ServiceName	%4	Any	krbtgt
Service ID	ServiceSid	%5	Any	THEDOMAIN\krbtgt
Ticket Options	TicketOptions	%6	Any	0x40810010
Result Code	Status	%7	Any	View Codes
Ticket Encryption Type	TicketEncryptionType	%8	Any	View Codes
Pre-Authentication Type	PreAuthType	%9	Any	View Codes
Client Address	IpAddress	%10	Any	::ffff:192.168.112.14
Client Port	IpPort	%11	Any	46754
Certificate Issuer Name	CertIssuerName	%12	Any	thedomain-dc01-ca-1
Certificate Serial Number	CertSerialNumber	%13	Any	1D0000000D292FBE3C6CDDAFA200020000000D
Certificate Thumbprint	CertThumbprint	%14	Any	564DFAEE99C71D62ABC553E695BD8DBC46669413

Lookup Audit Policy Configuration Settings


  C:\> AuditPol.exe /get  /subcategory:"Kerberos Authentication Service"

How to enable Windows Auditing

Recommended Audit Policy

Operating Systems:

Windows 2008 Windows 2008 R2 Windows 2012 Windows 2012 R2 Windows 2016 Windows 2019 Windows 2022

Tags:

Domain Controller Audit Success Audit Failure CJIS ISO 27001:2013 PCI-DSS NIST 800-171 NIST SP 800-53

Audit Category:

Account Logon

Audit Subcategory:

Kerberos Authentication Service

Legacy Events:

672 676

LEFT/RIGHT arrow keys for navigation

Back to List