Once in a while we get a notification that an account triggered too many failed Kerberos pre-authentication attempts.

This event contains the username and source machine. Here is an example:

Kerberos pre-authentication failed.

Account Information:
    Security ID:        S-1-5-21-18748694-320865252-1848988061-49003
    Account Name:       <account name>

Service Information:
    Service Name:       krbtgt/<domain>

Network Information:
    Client Address:     ::ffff:<ip address>
    Client Port:        60938

Additional Information:
    Ticket Options:     0x40810010
    Failure Code:       0x18
    Pre-Authentication Type:    2

Certificate Information:
    Certificate Issuer Name:        
    Certificate Serial Number:  
    Certificate Thumbprint:     

Certificate information is only provided if a certificate was used for pre-authentication.

'Additional Information' translated to human readable format:

Ticket Options: 0x40810010 => Forwardable, Renewable, Canonicalize, Renewable-ok

Failure Code: 0x18 => KDC_ERR_PREAUTH_FAILED | Pre-authentication information was invalid | The wrong password was provided.

Pre-Authentication Type: 2 => PA-ENC-TIMESTAMP | This type is normal for standard password authentication.

These events come in fast succession (50+ / sec).

Is it possible to find the source of the events, e.g. software / script / service / ...? And if so, what would that process look like?

MeMario
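The question's event text (Event ID 4771 on the domain controller) carries everything needed for a first triage pass: account name, client address/port, ticket options, failure code and pre-auth type. The following is an added example, not code from the original post or its author, that parses 4771 messages in the layout shown above, decodes the three "Additional Information" fields (KDCOptions bits per RFC 4120, the common KDC failure codes and pre-auth types), and then groups events by (account, client address) to flag the 50+/sec burst pattern the question describes. The domain name, account names, SID, IP addresses and timestamps in the sample data are constructed for the demo; the function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# KDCOptions bit names per RFC 4120 section 5.4.1 (bit 0 is the most
# significant bit of the 32-bit "Ticket Options" field in event 4771).
KDC_OPTIONS = {
    0x40000000: "Forwardable",
    0x20000000: "Forwarded",
    0x10000000: "Proxiable",
    0x08000000: "Proxy",
    0x04000000: "Allow-postdate",
    0x02000000: "Postdated",
    0x00800000: "Renewable",
    0x00010000: "Canonicalize",
    0x00000020: "Disable-transited-check",
    0x00000010: "Renewable-ok",
    0x00000008: "Enc-tkt-in-skey",
    0x00000002: "Renew",
    0x00000001: "Validate",
}

# Common KDC error codes seen in 4771 "Failure Code" (RFC 4120 section 7.5.9).
FAILURE_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x25: "KRB_AP_ERR_SKEW",
}

# Pre-authentication types (RFC 4120 section 7.5.2); 2 is the password path.
PREAUTH_TYPES = {2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 15: "PA-PK-AS-REP_OLD",
                 16: "PA-PK-AS-REQ", 17: "PA-PK-AS-REP", 19: "PA-ETYPE-INFO2"}

# Constructed 4771 message in the same layout as the event in the question.
SAMPLE_4771 = """Kerberos pre-authentication failed.

Account Information:
    Security ID:        S-1-5-21-0-0-0-1001
    Account Name:       {account}

Service Information:
    Service Name:       krbtgt/CORP.EXAMPLE

Network Information:
    Client Address:     ::ffff:{ip}
    Client Port:        {port}

Additional Information:
    Ticket Options:     0x40810010
    Failure Code:       0x18
    Pre-Authentication Type:    2
"""

FIELD_RE = re.compile(
    r"^\s*(Account Name|Client Address|Client Port|Ticket Options|Failure Code|"
    r"Pre-Authentication Type):\s*(.*?)\s*$", re.M)


def parse_4771(message):
    """Pull the triage-relevant fields out of one 4771 message body."""
    fields = dict(FIELD_RE.findall(message))
    client = fields.get("Client Address", "")
    if client.startswith("::ffff:"):          # IPv4-mapped IPv6, as in the question
        client = client[len("::ffff:"):]
    port = fields.get("Client Port", "")
    return {
        "account": fields.get("Account Name", ""),
        "client": client,
        "port": int(port) if port.isdigit() else None,
        "ticket_options": int(fields["Ticket Options"], 16),
        "failure_code": int(fields["Failure Code"], 16),
        "preauth_type": int(fields["Pre-Authentication Type"]),
    }


def decode_ticket_options(value):
    """Return set KDCOptions flag names, most significant bit first."""
    return [name for bit, name in sorted(KDC_OPTIONS.items(), reverse=True) if value & bit]


def describe(ev):
    """Human-readable version of the 'Additional Information' block."""
    return {
        "ticket_options": decode_ticket_options(ev["ticket_options"]),
        "failure_code": FAILURE_CODES.get(ev["failure_code"], hex(ev["failure_code"])),
        "preauth_type": PREAUTH_TYPES.get(ev["preauth_type"], str(ev["preauth_type"])),
    }


def find_bursts(events, window=timedelta(seconds=1), threshold=50):
    """Group (timestamp, parsed event) pairs by account+client and report sources
    whose peak count inside any sliding window reaches the threshold."""
    by_source = defaultdict(list)
    for ts, ev in events:
        by_source[(ev["account"], ev["client"])].append(ts)
    findings = []
    for (account, client), times in by_source.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings.append({"account": account, "client": client,
                             "peak_per_window": peak, "total": len(times)})
    return sorted(findings, key=lambda f: -f["peak_per_window"])


def build_sample_events():
    """Constructed input: one host hammering the KDC (~60/sec) plus a few real typos."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    events = []
    for i in range(120):   # 120 failures from one client in under two seconds
        msg = SAMPLE_4771.format(account="svc-backup", ip="10.0.0.25", port=50000 + i)
        events.append((base + timedelta(milliseconds=16 * i), parse_4771(msg)))
    for i in range(3):     # three spaced-out failures from a workstation
        msg = SAMPLE_4771.format(account="alice", ip="10.0.1.7", port=60938)
        events.append((base + timedelta(seconds=10 * i), parse_4771(msg)))
    return events


if __name__ == "__main__":
    for f in find_bursts(build_sample_events()):
        print(f"{f['account']} from {f['client']}: peak {f['peak_per_window']}/s, total {f['total']}")
```

The flagged (account, client address) pair is the starting point for the question: the client address names the machine to look at, and the account name narrows which scheduled task, service logon or stored credential on that machine is still presenting an old password. Feed the script exported 4771 message bodies with their timestamps (for example, from the Security log of each domain controller) in place of `build_sample_events()`.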
