Home » PowerShell » Event Id 4771 – Kerberos pre-authentication failed

Event Id 4771 – Kerberos pre-authentication failed

When the Ticket grant ticket (TGT) failed, it will log event Id 4771 log Kerberos pre-authentication failed.

When the user enters his domain username and password into their workstation, the workstation contacts a local domain controller (DC) and requests a Kerberos TGT (ticket-granting ticket).

If the domain username and password are validated and pass the security restriction check, the domain controller (DC) grants, and TGT and logs the event ID 4768.

If the ticket request fails during Kerberos pre-authentication step, it will raise event ID 4768.

If the request fails to request TGT, the event will be logged to event ID 4771 and recorded on DCs.

Event is not generated if the “Do not require Kerberos preauthentication” option is set for the account.

In this article, we will discuss event Id 4771, information about event ID 4771, and result codes.

Event ID 4771 Information

Let’s understand event ID 4771 in detail with its fields.

Event Id 4771 XML format

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
 <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{62736363-7623-8273-B5CA-2E3C0352D30E}" /> 
 <TimeCreated SystemTime="2022-01-22T18:10:21.495462300Z" /> 
 <Correlation /> 
 <Execution ProcessID="520" ThreadID="1084" /> 
 <Security /> 
- <EventData>
 <Data Name="TargetUserName">admin</Data> 
 <Data Name="TargetSid">S-1-4-21-2637363212-72736362722-73374747474-1288</Data> 
 <Data Name="ServiceName">krbtgt/SHELLGEEK.LOCAL</Data> 
 <Data Name="TicketOptions">0x40810010</Data> 
 <Data Name="Status">0x10</Data> 
 <Data Name="PreAuthType">15</Data> 
 <Data Name="IpAddress">::ffff:</Data> 
 <Data Name="IpPort">46272</Data> 
 <Data Name="CertIssuerName" /> 
 <Data Name="CertSerialNumber" /> 
 <Data Name="CertThumbprint" /> 

Cool Tip: How to convert XML to CSV file in the PowerShell!

Fields Description:

Account Information

  • Security Id: Security ID for an account for which a TGT ticket was requested.
  • Account Name: The name of the account for which a TGT ticket was requested. for example, admin

Service Information

  • Service Name: The name of the service in the Kerberos Realm to which the TGT request was sent. For example krbtgt/SHELLGEEK.LOCAL

Network Information

  • Client Address: IP address of the computer from which the TGT request was received. For example: :: ffff:
  • Client Port: source port number of client network connection (TGT request connection). For example: 46272

Additional Information

  • Ticket Options: This set of different Ticket Flags is in hexadecimal format. For example: 0x40810010

The most common values:

  • 0x40810010 – Forwardable, Renewable, Canonicalize, Renewable-ok
  • 0x40810000 – Forwardable, Renewable, Canonicalize
  • 0x60810010 – Forwardable, Forwarded, Renewable, Canonicalize, Renewable-ok

Cool Tip: Event Id 4634 – An Account was logged off!

The ticket flags are listed in below table

BitFlag NameDescription
1Forwardable(TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT.
2ForwardedIndicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT.
3Proxiable(TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT.
4ProxyIndicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket.
5Allow-postdatePostdated tickets SHOULD NOT be supported in KILE (Microsoft Kerberos Protocol Extension).
6PostdatedPostdated tickets SHOULD NOT be supported in KILE (Microsoft Kerberos Protocol Extension).
7InvalidThis flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets that have this flag set.
8RenewableUsed in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically.
9InitialIndicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT.
10Pre-authentIndicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon.
11Opt-hardware-authThis flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC.
12Transited-policy-checkedKILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag.
13Ok-as-delegateThe KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation.
14Request-anonymousKILE does not use this flag.
15Name-canonicalizeTo request referrals, the Kerberos client MUST explicitly request the “canonicalize” KDC option for the AS-REQ or TGS-REQ.
26Disable-transited-checkBy default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor
Should not be in use, because Transited-policy-checked flag is not supported by KILE.
27Renewable-okThe RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server.
28Enc-tkt-in-skeyNo information.
30RenewThe RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header.
31ValidateThis option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE.
Kerberos Ticket Flags

Cool Tip: Event Id 4776 Code 0xc0000234 – Fix to find the source of attempt!

  • Failure Code: Hexadecimal failure code of failed TGT issue operation. Below table listed failure error codes.
CodeCode NameDescriptionPossible causes
0x0KDC_ERR_NONENo error
0x1KDC_ERR_NAME_EXPClient’s entry in database has expired
0x2KDC_ERR_SERVICE_EXPServer’s entry in database has expired
0x3KDC_ERR_BAD_PVNORequested protocol version number not supported
0x4KDC_ERR_C_OLD_MAST_KVNOClient’s key encrypted in old master key
0x5KDC_ERR_S_OLD_MAST_KVNOServer’s key encrypted in old master key
0x6KDC_ERR_C_PRINCIPAL_UNKNOWNClient not found in Kerberos database
0x7KDC_ERR_S_PRINCIPAL_UNKNOWNServer not found in Kerberos database
0x8KDC_ERR_PRINCIPAL_NOT_UNIQUEMultiple principal entries in database
0x9KDC_ERR_NULL_KEYThe client or server has a null key
0xaKDC_ERR_CANNOT_POSTDATETicket not eligible for postdating
0xbKDC_ERR_NEVER_VALIDRequested starttime is later than end time
0xcKDC_ERR_POLICYKDC policy rejects request
0xdKDC_ERR_BADOPTIONKDC cannot accommodate requested option
0xeKDC_ERR_ETYPE_NOSUPPKDC has no support for encryption type
0xfKDC_ERR_SUMTYPE_NOSUPPKDC has no support for checksum type
0x10KDC_ERR_PADATA_TYPE_NOSUPPKDC has no support for PADATA type (pre-authentication data)Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).
0x11KDC_ERR_TRTYPE_NOSUPPKDC has no support for transited type
0x12KDC_ERR_CLIENT_REVOKEDClients credentials have been revoked
0x13KDC_ERR_SERVICE_REVOKEDCredentials for server have been revoked
0x14KDC_ERR_TGT_REVOKEDTGT has been revoked
0x15KDC_ERR_CLIENT_NOTYETClient not yet valid; try again later
0x16KDC_ERR_SERVICE_NOTYETServer not yet valid; try again later
0x17KDC_ERR_KEY_EXPIREDPassword has expired—change password to resetThe user’s password has expired.
0x18KDC_ERR_PREAUTH_FAILEDPre-authentication information was invalidThe wrong password was provided.
0x19KDC_ERR_PREAUTH_REQUIREDAdditional pre-authentication required
0x1aKDC_ERR_SERVER_NOMATCHRequested server and ticket don’t match
0x1bKDC_ERR_MUST_USE_USER2USERServer principal valid for user2user only
0x1cKDC_ERR_PATH_NOT_ACCEPTEDKDC Policy rejects transited path
0x1dKDC_ERR_SVC_UNAVAILABLEA service is not available
0x1fKRB_AP_ERR_BAD_INTEGRITYIntegrity check on decrypted field failed
0x20KRB_AP_ERR_TKT_EXPIREDTicket expired
0x21KRB_AP_ERR_TKT_NYVTicket not yet valid
0x22KRB_AP_ERR_REPEATRequest is a replay
0x23KRB_AP_ERR_NOT_USThe ticket isn’t for us
0x24KRB_AP_ERR_BADMATCHTicket and authenticator don’t match
0x25KRB_AP_ERR_SKEWClock skew too great
0x26KRB_AP_ERR_BADADDRIncorrect net address
0x27KRB_AP_ERR_BADVERSIONProtocol version mismatch
0x28KRB_AP_ERR_MSG_TYPEInvalid msg type
0x29KRB_AP_ERR_MODIFIEDMessage stream modified
0x2aKRB_AP_ERR_BADORDERMessage out of order
0x2cKRB_AP_ERR_BADKEYVERSpecified version of key is not available
0x2dKRB_AP_ERR_NOKEYService key not available
0x2eKRB_AP_ERR_MUT_FAILMutual authentication failed
0x2fKRB_AP_ERR_BADDIRECTIONIncorrect message direction
0x30KRB_AP_ERR_METHODAlternative authentication method required
0x31KRB_AP_ERR_BADSEQIncorrect sequence number in message
0x32KRB_AP_ERR_INAPP_CKSUMInappropriate type of checksum in message
0x33KRB_AP_PATH_NOT_ACCEPTEDPolicy rejects transited path
0x34KRB_ERR_RESPONSE_TOO_BIGResponse too big for UDP; retry with TCP
0x3cKRB_ERR_GENERICGeneric error (description in e-text)
0x3dKRB_ERR_FIELD_TOOLONGField is too long for this implementation
0x43KRB_AP_ERR_NO_TGTNo TGT available to validate USER-TO-USER
0x44KDC_ERR_WRONG_REALMReserved for future use
Failure Error Code Event Id 4771

Cool Tip: How to manipulate Active Directory UserAccountControl flags in PowerShell!

  • Pre-Authentication Type: The code of pre-authentication type used in TGT request.

Pre-Authentication types are listed in below table

TypeType NameDescription
0Logon without Pre-Authentication.
2PA-ENC-TIMESTAMPThis type is normal for standard password authentication.
11PA-ETYPE-INFOThe ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment.
15PA-PK-AS-REP_OLDUsed for Smart Card logon authentication.
16PA-PK-AS-REQRequest sent to KDC in Smart Card authentication scenarios.
17PA-PK-AS-REPThis type should also be used for Smart Card authentication, but in certain Active Directory environments, it is never seen.
19PA-ETYPE-INFO2The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in the Microsoft Active Directory environment.
20PA-SVR-REFERRAL-INFOUsed in KDC Referrals tickets.
138PA-ENCRYPTED-CHALLENGELogon using Kerberos Armoring (FAST). Supported starting from Windows Server 2012 domain controllers and Windows 8 clients.
Kerberos Pre-Authentication Types

Certification Information

  • Certificate Issuer Name: The name of Certification Authority that issued smart card certificate. It always remains empty for 4771 events.
  • Certificate Serial Number: Smart card certificate’s serial number. 
  • Certificate Thumbprint: Smart card certificate’s thumbprint.

Cool Tip: Event Id 4625 Status Code 0xc000006a – Fix to find the source of attempt!


In the above article about event Id 4771, we discuss event ID 4771 information, its fields, and their codes used in events.

As a best practice, monitor client IP address if it is from within your internal IP range or outside.

You can set an alert or trigger if the client IP or account name is not from your organization. It will help you to secure machines in the domain.

Cool Tip: Event Id 4670 – Permissions on an object were changed!

This article is referring official Microsoft KB article for error code. You can find more Kerberos ticket error codes and failure error codes on the official Microsoft KB article.

You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.

You can read more on other windows security and system event logs as given:

Leave a Comment