Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 4771 Source: MicrosoftWindowssecurityauditing

Description
Kerberos pre-authentication failed.

Account Information:
Security ID: mydomain\userid
Account Name: userid

Service Information:
Service Name: krbtgt/mydomain

Network Information:
Client Address: ::ffff:172.16.3.1
Client Port: 3780

Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x12
Pre-Authentication Type: 2

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted then many fields in this event might not be present.
Comments
 
This event indicates that the Kerberos authentication failed. In most cases, this is the result of an incorrect user id / password combination. The login workstation will send the credentials to the Kerberos server which will verify it against its database, determine that it does not match and record this event in the domain controller logs.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...