Event ID: 4776

The computer attempted to validate the credentials for an account

The computer attempted to validate the credentials for an account.

Authentication Package: %1
Logon Account:          %2
Source Workstation:     %3
Error Code:             %4

Microsoft Documentation

Event ID - 4776


Recommended Auditing
It's recommended to always audit events in this subcategory on member servers and workstations.

Volume
On member servers and workstations the volume of events is normally low; on domain controllers it is usually higher.


This event generates every time that a credential validation occurs using NTLM authentication.

This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.

It shows successful and unsuccessful credential validation attempts.

It shows only the computer name (Source Workstation) from which the authentication attempt was performed (authentication source). For example, if you authenticate from CLIENT-1 to SERVER-1 using a domain account you will see CLIENT-1 in the Source Workstation field. Information about the destination computer (SERVER-1) is not presented in this event.

If a credential validation attempt fails, you will see a Failure event with Error Code parameter value not equal to “0x0”.

The main advantage of this event is that on domain controllers you can see all authentication attempts for domain accounts when NTLM authentication was used.

For monitoring local account logon attempts, it is better to use event “4624: An account was successfully logged on” because it contains more details and is more informative.

This event also generates when a workstation unlock event occurs.

This event does not generate when a domain account logs on locally to a domain controller.



Name                    Field           Insertion String  OS   Example
Authentication Package  PackageName     %1                Any  MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account           TargetUserName  %2                Any  UserName
Source Workstation      Workstation     %3                Any  ComputerName
Error Code              Status          %4                Any  View Codes
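
Added example (not part of the original page or of Microsoft's documentation): a Python triage helper that reads 4776 events exported as XML, treats any Status other than 0x0 as a failed validation, and groups the failed accounts by Source Workstation. The sample events, the host and account names and the min_accounts threshold are constructed, and the XML layout assumes the standard Windows event schema with the field names from the table above.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample data: one exported <Event> per row, values are made up.
TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>{eid}</EventID></System><EventData>"
    '<Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>'
    '<Data Name="TargetUserName">{user}</Data>'
    '<Data Name="Workstation">{ws}</Data>'
    '<Data Name="Status">{status}</Data></EventData></Event>'
)
# (event id, logon account, source workstation, error code)
ROWS = [
    (4776, "alice", "CLIENT-1", "0x0"),
    (4776, "alice", "CLIENT-2", "0xc000006a"),
    (4776, "bob", "CLIENT-2", "0xc000006a"),
    (4776, "carol", "CLIENT-2", "0xC0000064"),
    (4776, "dave", "CLIENT-3", "0xc000006a"),
    (4624, "erin", "CLIENT-2", "0x0"),  # different event ID, must be skipped
]
SAMPLE_XML = "<Events>" + "".join(
    TEMPLATE.format(eid=e, user=u, ws=w, status=s) for e, u, w, s in ROWS
) + "</Events>"

def parse_4776(xml_text):
    """Yield (account, workstation, status_int) for each 4776 event."""
    root = ET.fromstring(xml_text)
    for ev in root.iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4776":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        yield data["TargetUserName"], data["Workstation"], int(data["Status"], 16)

def failures_by_source(xml_text):
    """Map Source Workstation -> set of accounts whose validation failed."""
    failed = defaultdict(set)
    for account, workstation, status in parse_4776(xml_text):
        if status != 0:  # a failure event carries an Error Code other than 0x0
            failed[workstation].add(account.lower())
    return dict(failed)

def noisy_sources(xml_text, min_accounts=3):
    """Workstations with failures for at least min_accounts distinct accounts."""
    hits = failures_by_source(xml_text)
    return sorted(ws for ws, accounts in hits.items() if len(accounts) >= min_accounts)
```

Because the event names only the source workstation, the grouping key is the machine the attempts came from, not the server that was being accessed.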


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Credential Validation"

How to enable Windows Auditing


