Windows Security Log Event ID 672

672: Authentication Ticket Granted

On this page

• Description of this event
• Field level details
• Examples
• Mini-seminars on this event

This event varies depending on the OS.

Win2000

This event gets logged on domain controllers only.

At the beginning of the day when a user sits down at his or her workstation and enters his domain username and password, the workstation contacts a local DC and requests a TGT. If the username and password are correct and the user account passes status and restriction checks, the DC grants the TGT and logs event ID 672 (authentication ticket granted). The User field for this event (and all other events in the Audit account logon event category) doesn't help you determine who the user was; the field always reads SYSTEM. Rather look at the User Name and Supplied Realm Name fields, which identify the user who logged on and the user account's DNS suffix. The User ID field provides the same information in NT style.

Client Address identifies the IP address of the workstation from which the user logged on.

W2k logs other instances of event ID 672 when a computer in the domain needs to authenticate to the DC typically when a workstation boots up or a server restarts. In these instances, you'll find a computer name in the User Name and User ID fields. Computer generated kerberos events are always identifiable by the $ after the computer account's name.

Win2003

This event is logged on domain controllers only and both success and failure instances of this event are logged.

At the beginning of the day when a user sits down at his or her workstation and enters his domain username and password, the workstation contacts a local DC and requests a TGT. If the username and password are correct and the user account passes status and restriction checks, the DC grants the TGT and logs event ID 672 (authentication ticket granted). The User field for this event (and all other events in the Audit account logon event category) doesn't help you determine who the user was; the field always reads SYSTEM. Rather look at the User Name and Supplied Realm Name fields, which identify the user who logged on and the user account's DNS suffix. The User ID field provides the same information in NT style.

Client Address identifies the IP address of the workstation from which the user logged on.

W2k logs other instances of event ID 672 when a computer in the domain needs to authenticate to the DC typically when a workstation boots up or a server restarts. In these instances, you'll find a computer name in the User Name and User ID fields. Computer generated kerberos events are always identifiable by the $ after the computer account's name.

In W2k failed authentication ticket requests generate event ID 676 but in W3 this event is used for both success and failed requests. The reason for the authentication failure is specified in Result Code.

Microsoft's Comments:

Does not contain any additional information if audit details from logon events 528 and 540 are already being collected. This event records that a Kerberos TGT was granted, actual access will not occur until a service ticket is granted, which is audited by Event 673. If the PATYPE is PKINIT, the logon was a smart card logon.

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 672

Server 2003:

•  User Name:  %1
•  Supplied Realm Name: %2
•  User ID:   %3
•  Service Name:  %4
•  Service ID:  %5
•  Ticket Options:  %6
•  Result Code:  %7
•  Ticket Encryption Type: %8
•  Pre-Authentication Type: %9
•  Client Address:  %10
•  Certificate Issuer Name: %11
•  Certificate Serial Number: %12
•  Certificate Thumbprint: %13

Supercharger Enterprise

Load Balancing for Windows Event Collection

 

Mini-Seminars Covering Event ID 672 Insider Gone Bad: Tracking Their Steps and Building Your Case with the Security Log Real Methods for Detecting True Advanced Persistent Threats Using Logs

 

Upcoming Webinars Assessing the Security of Your Active Directory: User Accounts Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy