A Kerberos authentication ticket (TGT) was requested.
Account Name: S-1-5-21-3575639598-1280693111-1939800713-1034
Supplied Realm Name: DOMAIN.LAN
User ID: NULL SID
Service Name: krbtgt/Domain.LAN
Service ID: NULL SID
Client Address: ::ffff:192.168.1.21
Client Port: 59685
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: 0xffffffff
Pre-Authentication Type: -
Certificate Issuer Name:
Certificate Serial Number:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
UWS4768 provides a list with the meaning of the various fields listed in this event and the Kerberos codes.
EV100531 (4768: A Kerberos authentication ticket (TGT) was requested) provides a detailed description of this event along with a list of the various result codes and their meanings. For example, the result code 0x6 in the event description above stands for "Client not found in Kerberos database", meaning a bad user name, or a new computer/user account that has not yet replicated to the DC.
See EV100530 (Kerberos Security Audit Log Events Driving You Crazy?) for suggestions on how to troubleshoot this problem.
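The following is an added example, not part of the original page or of any EventID.Net tooling: it parses the text of a 4768 event as shown above, decodes the result code and ticket options per RFC 4120, and normalizes the IPv4-mapped client address. The function name, the sample text and the choice of which codes to list are assumptions made for illustration.

```python
import ipaddress

# Constructed sample, following the field layout of the 4768 description above.
SAMPLE_EVENT = """\
A Kerberos authentication ticket (TGT) was requested.
Account Name: S-1-5-21-3575639598-1280693111-1939800713-1034
Service Name: krbtgt/Domain.LAN
Client Address: ::ffff:192.168.1.21
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: 0xffffffff
"""
# Subset of the RFC 4120 error codes; not exhaustive.
RESULT_CODES = {
    0x0: "Success",
    0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN: client not found in Kerberos database",
    0x12: "KDC_ERR_CLIENT_REVOKED: client credentials have been revoked",
    0x17: "KDC_ERR_KEY_EXPIRED: password has expired",
    0x18: "KDC_ERR_PREAUTH_FAILED: pre-authentication information was invalid",
    0x25: "KRB_AP_ERR_SKEW: clock skew too great",
}
# KDCOptions bit numbers (bit 0 is the most significant); bit 15 is from RFC 6806.
KDC_OPTIONS = {1: "forwardable", 3: "proxiable", 8: "renewable",
               15: "canonicalize", 27: "renewable-ok", 30: "renew", 31: "validate"}

def parse_4768(message):
    """Split 'Field: value' lines into a dict and decode the Kerberos codes."""
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    code = int(fields["Result Code"], 16)
    opts = int(fields["Ticket Options"], 16)
    addr = ipaddress.ip_address(fields["Client Address"])
    if addr.version == 6 and addr.ipv4_mapped:  # ::ffff:a.b.c.d -> a.b.c.d
        addr = addr.ipv4_mapped
    return {
        "account": fields["Account Name"],
        "client": str(addr),
        "result": RESULT_CODES.get(code, "unlisted code 0x%x" % code),
        "options": [name for bit, name in sorted(KDC_OPTIONS.items())
                    if opts & (1 << (31 - bit))],
        "failed": code != 0,
    }

if __name__ == "__main__":
    print(parse_4768(SAMPLE_EVENT))
```

Counting the `failed` records per `client` over a time window separates a single mistyped or not-yet-replicated account from one host requesting tickets for many unknown names.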