WinSecWiki > Security Settings > Advanced Audit Policies > Account Logon > Kerberos Service Ticket Operations

Audit Kerberos Service Ticket Operations

This category is only logged on domain controllers. To configure this on Server 2008 you must use auditpol. Server 2008 R2 and later can use Group Policy.

Kerberos is Windows' default authentication protocol. Kerberos is based on tickets. There are 2 types of Kerberos tickets:authentication tickets (aka ticket granting tickets) and service tickets. This category tracks service ticket events. In Kerberos, you must first obtain a ticket granting ticket (TGT) from the Kerberos Authentication Server which authenticates you to the Kerberos Key Distrition Center (KDC). In Windows the domain controller fulfills both of these Kerberos roles. At any rate, TGT events are useful for documenting a user's initial authentication to the Windows network. Then Kerberos service ticket events allows you to track which computers and services the user accesses throughout the network. 

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID Title
4769 A Kerberos service ticket was requested.
4770 A Kerberos service ticket was renewed.
4773 A Kerberos service ticket request failed.

Back to top


Additional Resources