
On one of our old DCs we are seeing event 4776 logged twice about every 10 min. This server was demoted a year or so ago, so I don't even know why Kerberos requests are going to it. I've gone through the DNS for the domain and all Kerberos entries are set to the current DCs. The account listed in the event log is an old domain admin account.

All that said, I'm looking for a way to track down where the authentication attempts are originating from. Any ideas?

Event Message:

The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:  [domain account]
Source Workstation: LUCIANO
Error Code: 0xC0000064
MSCF
  • `I'm looking for a way to track down where the authentication attempts are originating from. Any ideas?`: **Source Workstation: LUCIANO** – joeqwerty Sep 14 '17 at 19:31
  • C0000064 user name does not exist [link](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4776) – Clayton Sep 14 '17 at 19:53
  • That is the name of the old server. So I assumed that was just recording the machine attempting to process the request. – MSCF Sep 14 '17 at 23:17
  • Run a packet capture on the old DC and wait until the event log records the event. Then correlate that to traffic in the capture and find the IP address and MAC address of the machine responsible. – joeqwerty Sep 15 '17 at 15:32
  • Will do. I was hoping there was something in the event log I wasn't familiar with that might show it. Off to packet capture I go. – MSCF Sep 18 '17 at 16:19
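
An added example, not part of the original thread: a PowerShell sketch for the correlation step suggested in the comments. It pulls the 4776 events from the Security log of the server that records them, summarizes the account, source workstation and status code combinations, and prints millisecond timestamps of the failures to line up against the packet capture. The 24-hour look-back window is an assumption, and the script assumes an elevated session on that server.

```powershell
# Added example: summarize event 4776 (credential validation) entries so the
# failure times can be matched against a packet capture taken on the same host.
$since = (Get-Date).AddHours(-24)   # assumed look-back window; adjust as needed

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4776
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read the named EventData fields from the event XML instead of relying
    # on positional indexes into $e.Properties.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Account     = $data['TargetUserName']   # "Logon Account" in the message
        Workstation = $data['Workstation']      # "Source Workstation"
        Status      = $data['Status']           # "Error Code", e.g. 0xc0000064
    }
}

# Which account / workstation / status combinations occur, and how often.
$rows | Group-Object Account, Workstation, Status |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Exact times of the failed validations, for matching against capture timestamps.
$rows | Where-Object { $_.Status -ne '0x0' } |
    Sort-Object TimeCreated |
    Select-Object @{ n = 'Time'; e = { $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss.fff') } },
                  Account, Workstation, Status
```

Make sure the capture host and the server share a clock source, otherwise the timestamps will not line up.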
