Event ID: 4769

A Kerberos service ticket was requested

A Kerberos service ticket was requested.

Account Information:
    Account Name:       %1
    Account Domain:     %2
    Logon GUID:         %10

Service Information:
    Service Name:       %3
    Service ID:         %4

Network Information:
    Client Address:     %7
    Client Port:        %8

Additional Information:
    Ticket Options:         %5
    Ticket Encryption Type: %6
    Failure Code:           %9
    Transited Services:     %11

This event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.

Generated every time Key Distribution Center gets a Kerberos Ticket Granting Service (TGS) ticket request.

Auditing:     Rarely

It's generally not necessary to audit this event although it may help with the detection of unauthorized access.

Volume:     High Very High

ISO 27001:2013 A.12.4.3
NIST 800-171: 3.1.1
CMMC v2 L1: AC.L1-3.1.1
NIST SP 800-53: AC-2
HIPAA: 164.308 (a)(5)(ii)(C)

Microsoft Documentation

Event ID - 4769

Name Field Insertion String OS Example
Account Name TargetUserName %1 Any jack.jackson@somedomain.local
Account Domain TargetDomainName %2 Any somedomain.local
Service Name ServiceName %3 Any SERVER30$
Service ID ServiceSid %4 Any SOMEDOMAIN\SERVER30$
Ticket Options TicketOptions %5 Any 0x40810000
Ticket Encryption Type TicketEncryptionType %6 Any View Codes
Client Address IpAddress %7 Any ::ffff:
Client Port IpPort %8 Any 49876
Failure Code Status %9 Any View Codes
Logon GUID LogonGuid %10 Any {F85C455E-C66E-205C-6B39-F6C60A7FE453}
Transited Services TransmittedServices %11 Any -

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Kerberos Service Ticket Operations"

LEFT/RIGHT arrow keys for navigation

Back to List