Tue, Mar 5 2013 12:04
Kerberos security audit log events driving you crazy?
If you've ever looked at the Security log on an SBS 2008 network, you'll see a ton of audit failures like this one:
Kerberos Authentication Service    3/5/2013 12:00:01 PM
|A Kerberos authentication ticket (TGT) was requested.
Account Name: S-1-5-21-3575639598-1280693111-1939800713-1034
Supplied Realm Name: DOMAIN.LAN
User ID: NULL SID
Service Name: krbtgt/Domain.LAN
Service ID: NULL SID
Client Address: ::ffff:192.168.1.21
Client Port: 59685
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: 0xffffffff
Pre-Authentication Type: -
Certificate Issuer Name:
Certificate Serial Number:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
In searching for why this happens you'll hit posts telling you to disable this auditing... but not so fast.
The event is Windows Security Log Event ID 4768, "A Kerberos authentication ticket (TGT) was requested", and the command those posts hand you is usually:
auditpol /set /category:"Account Logon" /subcategory:"Kerberos Service Ticket Operations" /failure:disable
Note that this command would not even silence 4768: that event belongs to the Kerberos Authentication Service subcategory (see the header on the sample above), while Kerberos Service Ticket Operations covers 4769, the service-ticket request. Either way, turning off failure auditing for a whole subcategory throws away evidence of real failed logons (bad passwords, disabled accounts) just to hide a benign one.
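Before touching the audit policy, look at what the failures actually are. The following PowerShell is an added example, not part of the original post or the KB article; it assumes it runs as an administrator on the SBS 2008 DC with PowerShell 2.0 (Get-WinEvent needs 2.0) and reads the 4768 events from the local Security log, grouping the failures by Result Code and client address. The hex result codes are the KRB-ERROR values from RFC 4120 section 7.5.9; Windows writes them in lowercase hex in the event XML.

```powershell
# Added example (not from the original post): triage 4768 failures by result code.
# Assumes: run as administrator on the DC, PowerShell 2.0 or later.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768 } -MaxEvents 2000 -ErrorAction Stop

# KRB-ERROR codes from RFC 4120 section 7.5.9 that show up most often in 4768
$codes = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (client not found in KDC database)'
    '0x7'  = 'KDC_ERR_S_PRINCIPAL_UNKNOWN (server not found in KDC database)'
    '0xe'  = 'KDC_ERR_ETYPE_NOSUPP (KDC has no support for the requested encryption type)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (account disabled, locked out or expired)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (wrong password)'
    '0x19' = 'KDC_ERR_PREAUTH_REQUIRED (normal first round trip; client retries with pre-auth)'
}

$rows = foreach ($ev in $events) {
    $x = [xml]$ev.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.Status -eq '0x0') { continue }   # success; only failures are interesting here
    $meaning = if ($codes.ContainsKey($d.Status)) { $codes[$d.Status] } else { 'see RFC 4120' }
    New-Object PSObject -Property @{
        Time    = $ev.TimeCreated
        Account = $d.TargetUserName
        Client  = $d.IpAddress -replace '^::ffff:', ''   # strip the IPv4-mapped IPv6 prefix
        Status  = $d.Status
        EType   = $d.TicketEncryptionType                # 0xffffffff = no ticket was issued
        Meaning = $meaning
    }
}

# Which result codes dominate, and from which clients
$rows | Group-Object Status | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Meaning'; e = { $codes[$_.Name] } } | Format-Table -AutoSize
$rows | Group-Object Client, Status | Sort-Object Count -Descending |
    Select-Object Count, Name -First 15 | Format-Table -AutoSize
```

If the bulk of the failures is 0xe from Windows 7 client addresses, you are looking at the encryption-type negotiation described below; a steady stream of 0x18 or 0x12 from one address is something else entirely and is exactly what disabling the subcategory would have hidden.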
Now, while you can ignore it (yeah right), the better solution is documented in the Microsoft KB article linked here:
SBS 2008\Kerberos Failure Audits are logged when Windows 7 clients are on LAN:
If the domain is still running at the Windows Server 2003 domain functional level you will receive these events.
- Windows 7 clients request the aes256-cts-hmac-sha1-96 encryption type by default.
- This encryption type is only supported once the domain is at the Windows Server 2008 domain functional level (the krbtgt account only gets AES keys at that level).
- SBS 2008 setup does not raise the functional level of the domain after promoting the server to a domain controller. This is always a manual step that you have to perform.
- When the DC rejects the request, the Windows 7 client negotiates down to a supported encryption type (typically RC4-HMAC). Nothing is actually broken here; it is all by design.
If you still have Windows Server 2003 domain controllers in your environment, ignore the event. If you are able and ready to raise the functional level of the domain, raising it to Windows Server 2008 will eliminate these events. Check the Result Code before attributing an event to this cause, though: RFC 4120 defines 0xE as KDC_ERR_ETYPE_NOSUPP, the encryption-type rejection described here, while 0x6 (as in the sample above) is KDC_ERR_C_PRINCIPAL_UNKNOWN and 0x18 is KDC_ERR_PREAUTH_FAILED; failures with those codes will not go away when you raise the level and deserve a look of their own.
To raise it, open Active Directory Domains and Trusts, right-click the domain and choose Raise Domain Functional Level (right-clicking the Active Directory Domains and Trusts node at the top of the tree is what raises the forest functional level, which you can do afterwards as well). As long as no Windows Server 2003 DCs remain in the domain, you can raise it with no issues. Raising a functional level cannot be undone, so take a system state backup of the DC first.
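The same check and raise, scripted. This PowerShell is an added example, not from the original post; it assumes it runs as a Domain Admin on the SBS 2008 DC. The RootDSE and System.DirectoryServices parts work on Windows Server 2008 with PowerShell 2.0 alone; the raise step uses the ActiveDirectory module, which needs Windows Server 2008 R2 / RSAT or the Active Directory Management Gateway Service on 2008, so the script falls back to telling you to use the GUI when the module is absent.

```powershell
# Added example (not from the original post): verify the domain functional level,
# confirm no Windows Server 2003 DCs remain, then raise to Windows Server 2008.
# Assumes: run as a Domain Admin on the SBS 2008 DC.
$rootDse = [ADSI]'LDAP://RootDSE'
$dfl = [int]$rootDse.domainFunctionality.Value   # 2 = Windows Server 2003, 3 = Windows Server 2008, 4 = 2008 R2
$ffl = [int]$rootDse.forestFunctionality.Value
'Domain functional level: {0}   Forest functional level: {1}' -f $dfl, $ffl

# Every DC must be Windows Server 2008 or later before raising; the raise is irreversible.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$oldDcs = @()
foreach ($dc in $domain.DomainControllers) {
    '{0,-30} {1}' -f $dc.Name, $dc.OSVersion
    if ($dc.OSVersion -match '2003') { $oldDcs += $dc.Name }
}

if ($dfl -ge 3) {
    'Domain is already at Windows Server 2008 level or higher; the AES fallback 4768 events should not come from this cause.'
}
elseif ($oldDcs.Count -gt 0) {
    'Cannot raise: Windows Server 2003 DCs still present: ' + ($oldDcs -join ', ')
}
elseif (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    # Same operation as Raise Domain Functional Level in AD Domains and Trusts; prompts before changing.
    Set-ADDomainMode -Identity $domain.Name -DomainMode Windows2008Domain -Confirm:$true
    # Optionally follow with the forest level once the domain level is raised:
    # Set-ADForestMode -Identity $domain.Forest.Name -ForestMode Windows2008Forest -Confirm:$true
}
else {
    'ActiveDirectory module not available here; raise the level in Active Directory Domains and Trusts instead.'
}
```

After the raise, the krbtgt account receives AES keys and the Windows 7 clients' aes256-cts-hmac-sha1-96 requests succeed, so the 0xE failures stop; re-run the triage from earlier in the post to confirm that only other result codes remain.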
Filed under: News