
Our three Active Directory domain controllers are collectively reporting thousands of 'Kerberos pre-authentication failed' events a week, where the IpAddress field is of a domain controller (but always a different one) and the TargetSid field is the domain Administrator account. Looking at all those particular events I also noticed that -- with the exception of the EventData/IpPort field, which is random, and the EventData/IpAddress field, which is always a domain controller -- all other EventData fields always have the same value.

The domain controllers are brand new and the Administrator is not used on those machines. Not to start a service, not to run tasks, not for anything else. I'm 99.99% certain that it's not a compromised domain controller. Our domain controllers are healthy, dcdiag /q isn't reporting any issues.

I do not understand what is going on and need help understanding those particular events and why they are reported. Here is one of the events:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
        <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/>
        <EventID>4771</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>14339</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime='2020-11-23T14:52:18.851767600Z'/>
        <EventRecordID>49462065</EventRecordID>
        <Correlation/>
        <Execution ProcessID='652' ThreadID='2348'/>
        <Channel>Security</Channel>
        <Computer>dc01.company.local</Computer>
        <Security/>
    </System>
    <EventData>
        <Data Name='TargetUserName'>Administrator</Data>
        <Data Name='TargetSid'>S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-500</Data>
        <Data Name='ServiceName'>krbtgt/COMPANY.LOCAL</Data>
        <Data Name='TicketOptions'>0x40810010</Data>
        <Data Name='Status'>0x18</Data>
        <Data Name='PreAuthType'>2</Data>
        <Data Name='IpAddress'>::ffff:10.12.22.11</Data>
        <Data Name='IpPort'>53321</Data>
        <Data Name='CertIssuerName'></Data>
        <Data Name='CertSerialNumber'></Data>
        <Data Name='CertThumbprint'></Data>
    </EventData>
</Event>
Daniel

1 Answer


This page provides details explaining each field of the 4771 Kerberos pre-authentication failed events.

The 0x18 status failure code indicates the wrong password was provided. The IP address is the source of that failure. You should review the security log on the source host of the failure event and look for Event ID 4625 account logon failure events for the Administrator account. This event will give you the information needed to identify the process generating the logon failures.

You should also consider renaming the SID-500 Administrator account. This may inadvertently stop the 4771 events since the logon failures will no longer map to a valid domain principal. I would take any logon failures like this very seriously until they can be properly explained. Good luck!

twconnell
  • Hi and thanks for your reply. The article does not answer my questions and there is no correlating event id 4625. – Daniel Dec 03 '20 at 04:55
  • EventID 4625 will only be logged on the host generating the failure (the source IP from your 4771 event) and only if you have logon failure auditing enabled on that host. You can confirm if this is enabled by verifying you have both success and failure listed when running auditpol.exe /get /subcategory:Logon on the host responsible for the 4771 event. Also, did you try renaming your unused SID-500 domain user to see if that impacts the 4771 event generation? – twconnell Dec 04 '20 at 08:51
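A PowerShell version of the procedure the answer and the follow-up comment describe, added here and not code from the question or the answer: on a domain controller it summarises the 4771 events with Status 0x18 for the RID-500 account by source IP, and on whichever host owns that IP it checks the Logon audit setting with auditpol and lists the matching 4625 events with the fields that identify the caller. The 7-day window and the function names are assumptions.

```powershell
# Added example; assumes an elevated session with read access to the Security log.
# The 7-day window, function names and the RID-500 pattern are assumptions.

# Flatten the <Data Name='...'> elements of one event's EventData into a hashtable.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# Run on a domain controller: 4771 events with Status 0x18 (bad password) for the
# built-in Administrator, counted per source IP. Each IP listed is a host whose
# own Security log should then be checked for 4625.
function Get-AdminPreAuthFailureSources {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4771; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-EventData $_ } |
        Where-Object { $_['TargetSid'] -like 'S-1-5-21-*-500' -and $_['Status'] -eq '0x18' } |
        ForEach-Object { $_['IpAddress'] -replace '^::ffff:', '' } |   # drop the IPv4-mapped prefix
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Run on the source host named by IpAddress: warn if Logon failure auditing is off
# (then no 4625 is ever written), then list 4625 events for Administrator with the
# logon type, calling process and subject account that identify the caller.
function Get-AdminLogonFailures {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $audit = auditpol.exe /get /subcategory:Logon /r | ConvertFrom-Csv
    if ($audit.'Inclusion Setting' -notmatch 'Failure') {
        Write-Warning "Logon failure auditing is not enabled on $env:COMPUTERNAME; 4625 will not be logged."
    }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d['TargetUserName'] -eq 'Administrator') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    LogonType = $d['LogonType']
                    Status    = $d['Status']
                    SubStatus = $d['SubStatus']
                    Process   = $d['ProcessName']
                    Caller    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                }
            }
        }
}

Get-AdminPreAuthFailureSources
```

Run Get-AdminLogonFailures on each host that the first summary reports; the Process and Caller columns are what the answer means by identifying the process behind the failures.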