
Audit Kerberos Authentication Service

This category is only logged on domain controllers. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 can use Group Policy.

Kerberos is Windows' default authentication protocol. Kerberos is based on tickets. There are 2 types of Kerberos tickets: authentication tickets (aka ticket granting tickets) and service tickets. This category tracks authentication ticket events. In Kerberos, you must first obtain a ticket granting ticket (TGT) from the Kerberos Authentication Server, which authenticates you to the Kerberos Key Distribution Center (KDC). In Windows the domain controller fulfills both of these Kerberos roles. At any rate, these TGT events are useful for documenting a user's initial authentication to the Windows network. Kerberos service ticket events then allow you to track which computers and services the user accesses throughout the network.

Coverage of the events generated by this category is currently in the Security Log Encyclopedia:

Event ID Title
4768 A Kerberos authentication ticket (TGT) was requested.
4771 Kerberos pre-authentication failed.
4772 A Kerberos authentication ticket request failed.
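
An added example, not part of the original wiki page: on a domain controller, enable this subcategory with auditpol, confirm the setting, then summarise recent 4768 and 4771 events to document each user's initial authentication and pre-authentication failures. The 24-hour window and the use of the TargetUserName, IpAddress and Status event fields are this example's choices.

```powershell
# Added example. Run in an elevated PowerShell session on a domain controller.

# Enable success and failure auditing for the subcategory, then show the result.
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /get /subcategory:"Kerberos Authentication Service"

# Pull the last 24 hours (assumed window) of this category's events.
$filter = @{
    LogName   = 'Security'
    Id        = 4768, 4771, 4772
    StartTime = (Get-Date).AddHours(-24)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Flatten the named EventData fields of each event into one object per event.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        EventId = $e.Id
        User    = $data['TargetUserName']
        Source  = $data['IpAddress']
        Status  = $data['Status']
    }
}

# Earliest successful TGT request per user in the window:
# the user's initial authentication to the network.
$rows | Where-Object { $_.EventId -eq 4768 -and $_.Status -eq '0x0' } |
    Sort-Object Time | Group-Object User |
    ForEach-Object { $_.Group[0] } |
    Format-Table Time, User, Source -AutoSize

# Pre-authentication failures (4771) counted per user and source address.
# Many failures for one user, or one source failing for many users, merits review.
$rows | Where-Object { $_.EventId -eq 4771 } |
    Group-Object User, Source | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```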
