Event ID: 4768

This event is generated every time the Key Distribution Center (KDC) issues a Kerberos Ticket Granting Ticket (TGT).

A Kerberos authentication ticket (TGT) was requested.

Account Information:
    Account Name:           %1
    Supplied Realm Name:    %2
    User ID:                %3

Service Information:
    Service Name:           %4
    Service ID:             %5

Network Information:
    Client Address:         %10
    Client Port:            %11

Additional Information:
    Ticket Options:             %6
    Result Code:                %7
    Ticket Encryption Type:     %8
    Pre-Authentication Type:    %9

Certificate Information:
    Certificate Issuer Name:    %12
    Certificate Serial Number:  %13
    Certificate Thumbprint:     %14

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

If TGT issuance fails, you will see a Failure event with a Result Code field not equal to “0x0”.

This event is not generated for Result Codes 0x10, 0x17 and 0x18. Event “4771: Kerberos pre-authentication failed.” is generated for those instead.

ISO 27001:2013 A.12.4.1
ISO 27001:2013 A.12.4.3
NIST 800-171: 3.1.1
NIST SP 800-53: AC-2
PCI 3.2.1: 10.2.4

This auditing subcategory monitors Kerberos AS_REQ requests.

Microsoft Documentation

Event ID - 4768

Name                       Field                 Insertion String  OS   Example
Account Name               TargetUserName        %1                Any  someadmin
Supplied Realm Name        TargetDomainName      %2                Any  thedomain.local
User ID                    TargetSid             %3                Any  THEDOMAIN\someadmin
Service Name               ServiceName           %4                Any  krbtgt
Service ID                 ServiceSid            %5                Any  THEDOMAIN\krbtgt
Ticket Options             TicketOptions         %6                Any  0x40810010
Result Code                Status                %7                Any  View Codes
Ticket Encryption Type     TicketEncryptionType  %8                Any  View Codes
Pre-Authentication Type    PreAuthType           %9                Any  View Codes
Client Address             IpAddress             %10               Any  ::ffff:
Client Port                IpPort                %11               Any  46754
Certificate Issuer Name    CertIssuerName        %12               Any  thedomain-dc01-ca-1
Certificate Serial Number  CertSerialNumber      %13               Any  1D0000000D292FBE3C6CDDAFA200020000000D
Certificate Thumbprint     CertThumbprint        %14               Any  564DFAEE99C71D62ABC553E695BD8DBC46669413
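
The following Python sketch is an added example, not part of the original page or of Microsoft's documentation. It reads a 4768 record in Windows event XML form using the field names from the table above, decodes Ticket Options into the RFC 4120 KDCOptions flag names, and separates issued TGTs from failures. The sample records, the client address 192.0.2.10 and the failure value 0x6 are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# KDCOptions bit names from RFC 4120 (bit 0 is the most significant bit;
# bit 15 is the position RFC 4120 reserves for canonicalize).
KDC_OPTIONS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
               5: "allow-postdate", 6: "postdated", 8: "renewable",
               11: "opt-hardware-auth", 15: "canonicalize",
               26: "disable-transited-check", 27: "renewable-ok",
               28: "enc-tkt-in-skey", 30: "renew", 31: "validate"}

def sample_event(status="0x0", thumbprint=""):
    """Build a constructed 4768 record (sample values, not a real log)."""
    fields = {"TargetUserName": "someadmin", "TargetDomainName": "thedomain.local",
              "ServiceName": "krbtgt", "TicketOptions": "0x40810010",
              "Status": status, "IpAddress": "::ffff:192.0.2.10",
              "IpPort": "46754", "CertThumbprint": thumbprint}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4768</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

def decode_ticket_options(value):
    """Turn the hex Ticket Options mask into KDCOptions flag names."""
    bits = int(value, 16)
    return [n for b, n in sorted(KDC_OPTIONS.items()) if bits & (0x80000000 >> b)]

def parse_4768(xml_text):
    """Map EventData fields of a 4768 record to a summary for triage."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4768":
        raise ValueError("not a 4768 event")
    d = {x.get("Name"): (x.text or "") for x in root.findall("e:EventData/e:Data", NS)}
    return {
        "account": f'{d["TargetUserName"]}@{d["TargetDomainName"]}',
        "client": d["IpAddress"].replace("::ffff:", "", 1),  # IPv4-mapped form
        "tgt_issued": int(d["Status"], 16) == 0,             # 0x0 means success
        "result_code": d["Status"],
        "options": decode_ticket_options(d["TicketOptions"]),
        # Certificate fields are only filled for certificate pre-authentication.
        "cert_preauth": bool(d.get("CertThumbprint")),
    }

if __name__ == "__main__":
    for ev in (sample_event(), sample_event(status="0x6")):
        print(parse_4768(ev))
```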

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Kerberos Authentication Service"
