When the Ticket grant ticket (TGT) fails, it will log event Id 4771 log Kerberos pre-authentication failed.
When the user enters his domain username and password into their workstation, the workstation contacts a local domain controller (DC) and requests a Kerberos TGT (ticket-granting ticket).
If the domain username and password are validated and pass the security restriction check, the domain controller (DC) grants, and TGT and logs the event ID 4768.
If the ticket request fails during the Kerberos pre-authentication step, it will raise event ID 4768.
If the request fails to request TGT, the event will be logged to event ID 4771 and recorded on DCs.
The event is not generated if the “Do not require Kerberos pre-authentication” option is set for the account.
In this article, we will discuss event ID 4771, information about event ID 4771, and result codes.
Table of Contents
hide
Event ID 4771 Information
Let’s understand event ID 4771 in detail with its fields.
Event Id 4771 XML format
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{62736363-7623-8273-B5CA-2E3C0352D30E}" />
<EventID>4771</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2022-01-22T18:10:21.495462300Z" />
<EventRecordID>16708</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1084" />
<Channel>Security</Channel>
<Computer>DC01.ShellGeek.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">admin</Data>
<Data Name="TargetSid">S-1-4-21-2637363212-72736362722-73374747474-1288</Data>
<Data Name="ServiceName">krbtgt/SHELLGEEK.LOCAL</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x10</Data>
<Data Name="PreAuthType">15</Data>
<Data Name="IpAddress">::ffff:10.101.22.112</Data>
<Data Name="IpPort">46272</Data>
<Data Name="CertIssuerName" />
<Data Name="CertSerialNumber" />
<Data Name="CertThumbprint" />
</EventData>
</Event>Cool Tip: How to convert XML to CSV file in the PowerShell!
Fields Description:
Account Information
- Security ID: Security ID for an account for which a TGT ticket was requested.
- Account Name: The name of the account for which a TGT ticket was requested. for example, the admin.
Service Information
- Service Name: The name of the service in the Kerberos Realm to which the TGT request was sent. For example krbtgt/SHELLGEEK.LOCAL
Network Information
- Client Address: IP address of the computer from which the TGT request was received. For example: :: ffff:10.101.22.112
- Client Port: source port number of client network connection (TGT request connection). For example: 46272
Additional Information
- Ticket Options: This set of different Ticket Flags is in hexadecimal format. For example: 0x40810010
The most common values:
- 0x40810010 – Forwardable, Renewable, Canonicalize, Renewable-ok
- 0x40810000 – Forwardable, Renewable, Canonicalize
- 0x60810010 – Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok
Cool Tip: Event Id 4634 – An Account was logged off!
The ticket flags are listed in the below table.
| Bit | Flag Name | Description |
|---|---|---|
| 0 | Reserved | – |
| 1 | Forwardable | (TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT. |
| 2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT. |
| 3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT. |
| 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. |
| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in KILE (Microsoft Kerberos Protocol Extension). |
| 6 | Postdated | Postdated tickets SHOULD NOT be supported in KILE (Microsoft Kerberos Protocol Extension). |
| 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets that have this flag set. |
| 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. |
| 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. |
| 10 | By default, the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor the DISABLE-TRANSITED-CHECK option. Should not be in use, because Transited-policy-checked flag is not supported by KILE. | Indicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon. |
| 11 | Opt-hardware-auth | This flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC. |
| 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. |
| 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. |
| 14 | Request-anonymous | KILE does not use this flag. |
| 15 | Name-canonicalize | To request referrals, the Kerberos client MUST explicitly request the “canonicalize” KDC option for the AS-REQ or TGS-REQ. |
| 16-25 | Unused | – |
| 26 | Disable-transited-check | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the data field as part of the authentication header. |
| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. |
| 28 | Enc-tkt-in-skey | No information. |
| 29 | Unused | – |
| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. |
| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. |
Cool Tip: Event Id 4776 Code 0xc0000234 – Fix to find the source of the attempt!
- Failure Code: Hexadecimal failure code of failed TGT issue operation. The below table lists failure error codes.
| Code | Code Name | Description | Possible causes |
|---|---|---|---|
| 0x0 | KDC_ERR_NONE | No error | |
| 0x1 | KDC_ERR_NAME_EXP | The server’s entry in database has expired | |
| 0x2 | KDC_ERR_SERVICE_EXP | The client’s key is encrypted in the old master key | |
| 0x3 | KDC_ERR_BAD_PVNO | The requested protocol version number is not supported | |
| 0x4 | KDC_ERR_C_OLD_MAST_KVNO | The server’s key is encrypted in the old master key | |
| 0x5 | KDC_ERR_S_OLD_MAST_KVNO | Multiple principal entries in the database | |
| 0x6 | KDC_ERR_C_PRINCIPAL_UNKNOWN | Client not found in Kerberos database | |
| 0x7 | KDC_ERR_S_PRINCIPAL_UNKNOWN | Server not found in Kerberos database | |
| 0x8 | KDC_ERR_PRINCIPAL_NOT_UNIQUE | The requested start is later than the end time | |
| 0x9 | KDC_ERR_NULL_KEY | The client or server has a null key | |
| 0xa | KDC_ERR_CANNOT_POSTDATE | Ticket not eligible for postdating | |
| 0xb | KDC_ERR_NEVER_VALID | KDC policy rejects the request | |
| 0xc | KDC_ERR_POLICY | KDC cannot accommodate the requested option | |
| 0xd | KDC_ERR_BADOPTION | Client credentials have been revoked | |
| 0xe | KDC_ERR_ETYPE_NOSUPP | KDC has no support for encryption type | |
| 0xf | KDC_ERR_SUMTYPE_NOSUPP | KDC has no support for checksum type | |
| 0x10 | KDC_ERR_PADATA_TYPE_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller. It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates). |
| 0x11 | KDC_ERR_TRTYPE_NOSUPP | KDC has no support for transited type | |
| 0x12 | KDC_ERR_CLIENT_REVOKED | Credentials for the server have been revoked | |
| 0x13 | KDC_ERR_SERVICE_REVOKED | The requested server and ticket don’t match | |
| 0x14 | KDC_ERR_TGT_REVOKED | TGT has been revoked | |
| 0x15 | KDC_ERR_CLIENT_NOTYET | The client is not yet valid; try again later | |
| 0x16 | KDC_ERR_SERVICE_NOTYET | The server is not yet valid; try again later | |
| 0x17 | KDC_ERR_KEY_EXPIRED | Password has expired—change password to reset | The user’s password has expired. |
| 0x18 | KDC_ERR_PREAUTH_FAILED | Pre-authentication information was invalid | The wrong password was provided. |
| 0x19 | KDC_ERR_PREAUTH_REQUIRED | Additional pre-authentication required | |
| 0x1a | KDC_ERR_SERVER_NOMATCH | KDC Policy rejects the transited path | |
| 0x1b | KDC_ERR_MUST_USE_USER2USER | Server principal valid for user2user only | |
| 0x1c | KDC_ERR_PATH_NOT_ACCEPTED | The request is a replay | |
| 0x1d | KDC_ERR_SVC_UNAVAILABLE | A service is not available | |
| 0x1f | KRB_AP_ERR_BAD_INTEGRITY | Integrity check on decrypted field failed | |
| 0x20 | KRB_AP_ERR_TKT_EXPIRED | Ticket expired | |
| 0x21 | KRB_AP_ERR_TKT_NYV | Ticket not yet valid | |
| 0x22 | KRB_AP_ERR_REPEAT | The ticket and authenticator don’t match | |
| 0x23 | KRB_AP_ERR_NOT_US | The ticket isn’t for us | |
| 0x24 | KRB_AP_ERR_BADMATCH | Invalid msg-type | |
| 0x25 | KRB_AP_ERR_SKEW | The clock skews too great | |
| 0x26 | KRB_AP_ERR_BADADDR | Incorrect net address | |
| 0x27 | KRB_AP_ERR_BADVERSION | Protocol version mismatch | |
| 0x28 | KRB_AP_ERR_MSG_TYPE | A specified version of key is not available | |
| 0x29 | KRB_AP_ERR_MODIFIED | Message stream modified | |
| 0x2a | KRB_AP_ERR_BADORDER | Message out of order | |
| 0x2c | KRB_AP_ERR_BADKEYVER | An alternative authentication method required | |
| 0x2d | KRB_AP_ERR_NOKEY | Service key not available | |
| 0x2e | KRB_AP_ERR_MUT_FAIL | Mutual authentication failed | |
| 0x2f | KRB_AP_ERR_BADDIRECTION | Incorrect message direction | |
| 0x30 | KRB_AP_ERR_METHOD | The field is too long for this implementation | |
| 0x31 | KRB_AP_ERR_BADSEQ | The incorrect sequence number in the message | |
| 0x32 | KRB_AP_ERR_INAPP_CKSUM | Inappropriate type of checksum in message | |
| 0x33 | KRB_AP_PATH_NOT_ACCEPTED | Policy rejects transited path | |
| 0x34 | KRB_ERR_RESPONSE_TOO_BIG | Response too big for UDP; retry with TCP | |
| 0x3c | KRB_ERR_GENERIC | Generic error (description in e-text) | |
| 0x3d | KRB_ERR_FIELD_TOOLONG | The ticket must be for USER-TO-USER | |
| 0x3e | KDC_ERROR_CLIENT_NOT_TRUSTED | Reserved for PKINIT | |
| 0x3f | KDC_ERROR_KDC_NOT_TRUSTED | Reserved for PKINIT | |
| 0x40 | KDC_ERROR_INVALID_SIG | Reserved for PKINIT | |
| 0x41 | KDC_ERR_KEY_TOO_WEAK | Reserved for PKINIT | |
| 0x42 | KDC_ERR_CERTIFICATE_MISMATCH | Reserved for PKINIT | |
| 0x43 | KRB_AP_ERR_NO_TGT | No TGT available to validate USER-TO-USER | |
| 0x44 | KDC_ERR_WRONG_REALM | Reserved for future use | |
| 0x45 | KRB_AP_ERR_USER_TO_USER_REQUIRED | Ticket must be for USER-TO-USER | |
| 0x46 | KDC_ERR_CANT_VERIFY_CERTIFICATE | Reserved for PKINIT | |
| 0x47 | KDC_ERR_INVALID_CERTIFICATE | Reserved for PKINIT | |
| 0x48 | KDC_ERR_REVOKED_CERTIFICATE | Reserved for PKINIT | |
| 0x49 | KDC_ERR_REVOCATION_STATUS_UNKNOWN | Reserved for PKINIT | |
| 0x4a | KDC_ERR_REVOCATION_STATUS_UNAVAILABLE | Reserved for PKINIT | |
| 0x4b | KDC_ERR_CLIENT_NAME_MISMATCH | Reserved for PKINIT | |
| 0x4c | KDC_ERR_KDC_NAME_MISMATCH | Reserved for PKINIT |
Cool Tip: How to manipulate Active Directory UserAccountControl flags in PowerShell!
- Pre-Authentication Type: The code of the pre-authentication type used in the TGT request.
Kerberos Pre-authentication types are listed in the below table
| Type | Type Name | Description |
|---|---|---|
| 0 | – | Logon without Pre-Authentication. |
| 2 | PA-ENC-TIMESTAMP | This type is normal for standard password authentication. |
| 11 | PA-ETYPE-INFO | The ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value. Never saw this Pre-Authentication Type in Microsoft Active Directory environment. |
| 15 | PA-PK-AS-REP_OLD | Used for Smart Card logon authentication. |
| 16 | PA-PK-AS-REQ | Request sent to KDC in Smart Card authentication scenarios. |
| 17 | PA-PK-AS-REP | This type should also be used for Smart Card authentication, but in certain Active Directory environments, it is never seen. |
| 19 | PA-ETYPE-INFO2 | The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value. Never saw this Pre-Authentication Type in the Microsoft Active Directory environment. |
| 20 | PA-SVR-REFERRAL-INFO | Used in KDC Referrals tickets. |
| 138 | PA-ENCRYPTED-CHALLENGE | Logon using Kerberos Armoring (FAST). Supported starting from Windows Server 2012 domain controllers and Windows 8 clients. |
Certification Information
- Certificate Issuer Name: The name of the Certification Authority that issued the smart card certificate. It always remains empty for 4771 events.
- Certificate Serial Number: Smart card certificate’s serial number.
- Certificate Thumbprint: Smart card certificate’s thumbprint.
Cool Tip: Event Id 4625 Status Code 0xc000006a – Fix to find the source of the attempt!
Conclusion
In the above article about event ID 4771, we discuss event ID 4771 information, its fields, and the codes used in events.
As a best practice, monitor the client’s IP address if it is from within your internal IP range or outside.
You can set an alert or trigger if the client IP or account name is not from your organization. It will help you to secure machines in the domain.
Cool Tip: Event Id 4670 – Permissions on an object were changed!
This article refers to the official Microsoft KB article for error code. You can find more Kerberos ticket error codes and failure error codes in the official Microsoft KB article.
You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.
You can read more on other Windows security and system event logs as given: