Event ID: 4769

A Kerberos service ticket was requested

A Kerberos service ticket was requested.

Account Information:
    Account Name:       %1
    Account Domain:     %2
    Logon GUID:         %10

Service Information:
    Service Name:       %3
    Service ID:         %4

Network Information:
    Client Address:     %7
    Client Port:        %8

Additional Information:
    Ticket Options:         %5
    Ticket Encryption Type: %6
    Failure Code:           %9
    Transited Services:     %11

This event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.
Microsoft Documentation

Event ID - 4769


Recommended Auditing
It's generally not necessary to audit this event although it may help with the detection of unauthorized access.

Volume
High


Generated every time Key Distribution Center gets a Kerberos Ticket Granting Service (TGS) ticket request.



Name Field Insertion String OS Example
Account Name TargetUserName %1 Any jack.jackson@somedomain.local
Account Domain TargetDomainName %2 Any somedomain.local
Service Name ServiceName %3 Any SERVER30$
Service ID ServiceSid %4 Any SOMEDOMAIN\SERVER30$
Ticket Options TicketOptions %5 Any 0x40810000
Ticket Encryption Type TicketEncryptionType %6 Any View Codes
Client Address IpAddress %7 Any ::ffff:10.0.1.160
Client Port IpPort %8 Any 49876
Failure Code Status %9 Any View Codes
Logon GUID LogonGuid %10 Any {F85C455E-C66E-205C-6B39-F6C60A7FE453}
Transited Services TransmittedServices %11 Any -


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Kerberos Service Ticket Operations"
How to enable Windows Auditing



LEFT/RIGHT arrow keys for navigation

Back to List