Windows Security Log Event ID 4771
Operating Systems Windows Server 2008
Category
 • Subcategory
Account Logon
 • Kerberos Authentication Service
Type Failure
Corresponding events
in Windows 2003
and before
675  
Discussions on Event ID 4771
4771 multiple logs for one event
4771 0x18 Account Lockout from our DNS Server
4771 0x18 Account Lockout
How can I filter 4771 events to a specific user
I have many event 4771 and account lock outs.

4771: Kerberos pre-authentication failed

On this page

This event is logged on domain controllers only and only failure instances of this event are logged.

At the beginning of the day when a user sits down at his or her workstation and enters his domain username and password, the workstation contacts a local DC and requests a TGT. If the username and password are correct and the user account passes status and restriction checks, the DC grants the TGT and logs event ID  4768 (authentication ticket granted).  

If the ticket request fails Windows will either log this event, failure 4771, or 4768 if the problem arose during "pre-authentication".  In Windows Kerberos, password verification takes place during pre-authentication.

The User field for this event (and all other events in the Audit account logon event category) doesn't help you determine who the user was; the field always reads N/A. Rather look at the Account Information: fields, which identify the user who logged on and the user account's DNS suffix. The User ID field provides the SID of the account. 

Windows logs other instances of event ID 4768 when a computer in the domain needs to authenticate to the DC typically when a workstation boots up or a server restarts. In these instances, you'll find a computer name in the User Name and fields. Computer generated kerberos events are always identifiable by the $ after the computer account's name.

Result codes:

Result code Kerberos RFC description Notes on common failure codes
0x1 Client's entry in database has expired  
0x2 Server's entry in database has expired  
0x3 Requested protocol version # not supported  
0x4 Client's key encrypted in old master key  
0x5 Server's key encrypted in old master key  
0x6 Client not found in Kerberos database Bad user name, or new computer/user account has not replicated to DC yet
0x7 Server not found in Kerberos database  New computer account has not replicated yet or computer is pre-w2k
0x8 Multiple principal entries in database  
0x9 The client or server has a null key  administrator should reset the password on the account
0xA Ticket not eligible for postdating  
0xB Requested start time is later than end time  
0xC KDC policy rejects request Workstation restriction
0xD KDC cannot accommodate requested option  
0xE KDC has no support for encryption type  
0xF KDC has no support for checksum type  
0x10 KDC has no support for padata type  
0x11 KDC has no support for transited type  
0x12 Clients credentials have been revoked Account disabled, expired, locked out, logon hours.
0x13 Credentials for server have been revoked  
0x14 TGT has been revoked  
0x15 Client not yet valid - try again later  
0x16 Server not yet valid - try again later  
0x17 Password has expired The user’s password has expired.
0x18 Pre-authentication information was invalid Usually means bad password
0x19 Additional pre-authentication required*  
0x1F Integrity check on decrypted field failed  
0x20 Ticket expired Frequently logged by computer accounts
0x21 Ticket not yet valid  
0x21 Ticket not yet valid  
0x22 Request is a replay  
0x23 The ticket isn't for us  
0x24 Ticket and authenticator don't match  
0x25 Clock skew too great Workstation’s clock too far out of sync with the DC’s
0x26 Incorrect net address  IP address change?
0x27 Protocol version mismatch  
0x28 Invalid msg type  
0x29 Message stream modified  
0x2A Message out of order  
0x2C Specified version of key is not available  
0x2D Service key not available  
0x2E Mutual authentication failed  may be a memory allocation failure
0x2F Incorrect message direction  
0x30 Alternative authentication method required*  
0x31 Incorrect sequence number in message  
0x32 Inappropriate type of checksum in message  
0x3C Generic error (description in e-text)  
0x3D Field is too long for this implementation  

Account Information:

  • Account Name:  logon name of the account that just authenticated
  • Supplied Realm Name: domain name of the account
  • User ID:   SID of the account 

Service Information:

  • Service Name:  always "krbtgt"
  • Service ID:

Network Information:

  • Client Address:  IP address where user is present
  • Client Port:  source port

Additional Information:

  • Ticket Options:  unknown.  Please start a discussion if you have information to share on this field.
  • Failure Code:  error if any - see table above 
  • Pre-Authentication Type: unknown.  Please start a discussion if you have information to share on this field.

Certificate Information:

This information is only filled in if logging on with a smart card. 

  • Certificate Issuer Name:
  • Certificate Serial Number:
  • Certificate Thumbprint:

 

Top 10 Windows Security Events to Monitor

Kerberos pre-authentication failed.

Account Information:

   Security ID:  ACME\administrator
   Account Name:  Administrator

Service Information:

   Service Name:  krbtgt/acme

Network Information:

   Client Address:  ::ffff:10.42.42.224
   Client Port:  50950

Additional Information:

   Ticket Options:  0x40810010
   Failure Code:  0x18
   Pre-Authentication Type: 2

Certificate Information:

   Certificate Issuer Name: 
   Certificate Serial Number: 
   Certificate Thumbprint: 

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this



Training for the Windows Security Log