Event ID 4820

A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions

A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.

Account Information:
    Account Name:       %1
    Supplied Realm Name:    %2
    User ID:            %3

Authentication Policy Information:
    Silo Name:      %16
    Policy Name:        %17
    TGT Lifetime:       %18

Device Information:
    Device Name:        %4

Service Information:
    Service Name:       %5
    Service ID:     %6

Network Information:
    Client Address:     %11
    Client Port:        %12

Additional Information:
    Ticket Options:     %7
    Result Code:        %8
    Ticket Encryption Type: %9
    Pre-Authentication Type:    %10

Certificate Information:
    Certificate Issuer Name:        %13
    Certificate Serial Number:  %14
    Certificate Thumbprint:     %15

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

Name		Field	Insertion String	OS	Example
	Ticket Encryption Type	TicketEncryptionType	%9	Any	View Codes
	Pre-Authentication Type	PreAuthType	%10	Any	View Codes

Lookup Audit Policy Configuration Settings


  C:\> AuditPol.exe /get  /subcategory:"Kerberos Authentication Service"

How to enable Windows Auditing

Recommended Audit Policy

Operating Systems:

Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019 Windows 11 Windows 2022

Tags:

Domain Controller

Audit Category:

Account Logon

Audit Subcategory:

Kerberos Authentication Service

LEFT/RIGHT arrow keys for navigation

Back to List