1

Currently we are seeing a lot of Events "Kerberos authentication Ticket (TGT) was rejected" even for the accounts that are blocked.

Also from the event logs, I see a username being used which does not exist on the server, neither in Users, nor in services, no application pools running with this acccount. The logon type is 8. Screenshots attached, really need help here.enter image description here

Can any one please shed a light why this is happening??

enter image description here

enter image description here

HBruijn
  • 72,524
  • 21
  • 127
  • 192
Mr. Soul
  • 19
  • 1
  • You haven't told us what kind of server this is, or what it's purpose is. You haven't told us what you've already researched. You haven't told us what tools you've used to try an figure this out on your own. You haven't exactly given the community much to go on. However, if you're seeing accounts that are blocked attempt access, you could have a bad actor on your network. – Colyn1337 Dec 15 '15 at 13:52
  • ok, so i have figured it out the account was not to be found in the local users, no services were running with this account, no application pools running with the user. Just to mention it was a share point server. – Mr. Soul Dec 16 '15 at 12:12

0 Answers0