Event ID: 4769

A Kerberos service ticket was requested 

A Kerberos service ticket was requested.

Account Information:
    Account Name:       %1
    Account Domain:     %2
    Logon GUID:         %10

Service Information:
    Service Name:       %3
    Service ID:         %4

Network Information:
    Client Address:     %7
    Client Port:        %8

Additional Information:
    Ticket Options:         %5
    Ticket Encryption Type: %6
    Failure Code:           %9
    Transited Services:     %11

This event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.


Generated every time Key Distribution Center gets a Kerberos Ticket Granting Service (TGS) ticket request.

Auditing:     Rarely

It's generally not necessary to audit this event although it may help with the detection of unauthorized access.


Volume:     High Very High


CJIS 5.4.1.1.1
ISO 27001:2013 A.12.4.3
NIST 800-171: 3.1.1
CMMC v2 L1: AC.L1-3.1.1
NIST SP 800-53: AC-2
HIPAA: 164.308 (a)(5)(ii)(C)


Microsoft Documentation

Event ID - 4769



Name Field Insertion String OS Example
Account Name TargetUserName %1 Any jack.jackson@somedomain.local
Account Domain TargetDomainName %2 Any somedomain.local
Service Name ServiceName %3 Any SERVER30$
Service ID ServiceSid %4 Any SOMEDOMAIN\SERVER30$
Ticket Options TicketOptions %5 Any 0x40810000
Ticket Encryption Type TicketEncryptionType %6 Any View Codes
Client Address IpAddress %7 Any ::ffff:10.0.1.160
Client Port IpPort %8 Any 49876
Failure Code Status %9 Any View Codes
Logon GUID LogonGuid %10 Any {F85C455E-C66E-205C-6B39-F6C60A7FE453}
Transited Services TransmittedServices %11 Any -

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Kerberos Service Ticket Operations"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows 2008 Windows 2008 R2 Windows 2012 Windows 2012 R2 Windows 2016 Windows 2019 Windows 2022

Tags:
Domain Controller Audit Success Audit Failure CJIS ISO 27001:2013 HIPAA NIST 800-171 NIST SP 800-53 CMMC L1
Audit Category:
Account Logon

Audit Subcategory:
Kerberos Service Ticket Operations
Legacy Events:
673

Correlated Events:
4624 4648 4964

LEFT/RIGHT arrow keys for navigation

Back to List