Windows Security Log Event ID 4821

Operating Systems Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019
 • Subcategory
 • Other System Events
Type Failure
Corresponding events
in Windows 2003
and before
Discussions on Event ID 4821
Ask a question about this event

4821: A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions

On this page

This event is new to Server 2012 R2. It does not appear in earlier versions.

I haven't been able to produce this event. Have you? If so, please start a discussion (see above) and post a sample along with any comments you may have! Don't forget to sanitize any private information.

Free Security Log Resources by Randy

Supercharger Free Edition

Supercharger's built-in Xpath filters leave the noise behind.



Examples of 4821

A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.

Account Information:
    Account Name:           %1
    Account Domain:         %2
    Logon GUID:             %11

Authentication Policy Information:
    Silo Name:              %13
    Policy Name:            %14

Device Information:
    Device Name:            %3

Service Information:
    Service Name:           %4
    Service ID:             %5

Network Information:
    Client Address:         %8
    Client Port:            %9

Additional Information:
    Ticket Options:         %6
    Ticket Encryption Type: %7
    Failure Code:           %10
    Transited Services:     %12

This event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.

Keep me up-to-date on the Windows Security Log.
*We will NOT share this

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Additional Resources