Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 4769 Source: Microsoft-Windows-Security-Auditing

Description
A Kerberos service ticket was requested.

Account Information:
Account Name: TORPDC01$@ALTAIRDEMO.LOCAL
Account Domain: ALTAIRDEMO.LOCAL
Logon GUID: {102E8F70-51FE-4966-568B-C74DBF1A78E4}

Service Information:
Service Name: krbtgt
Service ID: S-1-5-21-3302340694-2582881331-2711301636-502

Network Information:
Client Address: ::1
Client Port: 0

Additional Information:
Ticket Options: 0x60810010
Ticket Encryption Type: 0x17
Failure Code: 0x0
Transited Services: -

This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.
Comments
 
- Options: 0x60810010, Failure Code: 0xE - This event was recorded on a Windows 2012R2 domain controller with the domain functional level (DFL) set to "Windows 2003" for connections from a Windows 2008R2 member server. Raising the DFL level to Windows 2008R2 fixed the problem.
Failure code 0xC, Ticket options 0x40810000 - According to EV100643 (Event ID 4769 Audit failure with Failure Code 0xC), this was recorded on computer trying to access resources in another forest (that had a two way forest trust). The fix was to enable name suffix using Trust properties.
Failure Code: 0x1b, Ticket Options: 0x40810000 - As per EV100644 (Sharepoint 2013 filling up Security Logs), this was fixed by following the instructions on a guide for configuring Sharepoint kerberos authentication: EV100645 (The first Kerberos guide for SharePoint 2013 technicians).
As the event description mentions, the error codes and the options spececified in the event can be found in EV100641 (RFC 4120). Examples:
- Options: 0x60810010, Failure Code: 0xE
Failure code 0xE means "Server's key encrypted in old master key" - According to EV100642 (DCE 1.1: Authentication and Security Services - Chapter 4), server's key encrypted in an old (expired) master key., in the following sense. It is recommended that implementations of DCE protect all copies of the RS datastore other than those actually in use (in the address spaces of trusted programs) at any given moment (such as on-disk files, tape backups, and so on) by encrypting them (or at least the sensitive data contained in them, especially accounts' long-term keys), using some policy-dependent or implementation-dependent trusted encryption mechanism. An encryption key used for this purpose is known as a master key. A master key is said to be "old" if it is expired or unavailable (for whatever reason-it may just have been lost). In such a case, accounts' keys are unavailable; that is, accounts are "locked out" until a new key is established by the security administrator. (Typical implementations use different master keys for different datastore entries, disambiguating them with version numbers, so that the datastore can be incrementally upgraded from one master key to another.) Thus, the master key plays no direct part in the protocol, but surfaces only in this failure code.

In our particular case, this error came up when an old domain controller was brought online after being removed from the AD, without removing the DC role from the server itself. After the DC role was removed, the error was gone.
See UWS4769 for additional information on this event.


Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...