Source: Microsoft Windows security auditing
Type: Failure Audit
Kerberos pre-authentication failed.
Security ID: mydomain\userid
Account Name: userid
Service Name: krbtgt/mydomain
Client Address: ::ffff:172.16.3.1
Client Port: 3780
Ticket Options: 0x40810010
Failure Code: 0x12
Pre-Authentication Type: 2
Certificate Issuer Name:
Certificate Serial Number:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted then many fields in this event might not be present.
This event indicates that Kerberos authentication failed. In most cases, this is the result of an incorrect user ID / password combination. The login workstation sends the credentials to the Kerberos server, which verifies them against its database, determines that they do not match, and records this event in the domain controller logs.
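The event text says its codes are defined in RFC 4120; the following added example (not from EventID.Net or Microsoft) decodes them in Python for triage. The lookup tables are partial subsets of the RFC 4120 tables (bit 15 is named per the RFC's reservation for canonicalize), the sample message is constructed from the event text above, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: a trimmed copy of the event text from this page.
SAMPLE_EVENT = """Kerberos pre-authentication failed.
Account Name: userid
Client Address: ::ffff:172.16.3.1
Ticket Options: 0x40810010
Failure Code: 0x12
Pre-Authentication Type: 2
Certificate Issuer Name:
"""

# Partial RFC 4120 tables. KDCOptions bit 0 is the most significant of 32 bits.
FAILURE_CODES = {0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x12: "KDC_ERR_CLIENT_REVOKED",
                 0x17: "KDC_ERR_KEY_EXPIRED", 0x18: "KDC_ERR_PREAUTH_FAILED",
                 0x25: "KRB_AP_ERR_SKEW"}
PREAUTH_TYPES = {2: "PA-ENC-TIMESTAMP", 16: "PA-PK-AS-REQ"}
KDC_OPTIONS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
               5: "allow-postdate", 6: "postdated", 8: "renewable",
               11: "opt-hardware-auth", 15: "canonicalize", 26: "disable-transited-check",
               27: "renewable-ok", 28: "enc-tkt-in-skey", 30: "renew", 31: "validate"}

def parse_fields(message):
    # Keep only 'Name: value' lines with a value; absent or empty fields are skipped.
    fields = {}
    for line in message.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip():
            fields[name.strip()] = value.strip()
    return fields

def decode_event(message):
    f = parse_fields(message)
    out = {"account": f.get("Account Name")}
    if "Client Address" in f:
        try:
            ip = ipaddress.ip_address(f["Client Address"])
            # The sample shows an IPv4 client logged as IPv4-mapped IPv6; unwrap it.
            out["client_ip"] = str(getattr(ip, "ipv4_mapped", None) or ip)
        except ValueError:
            out["client_ip"] = f["Client Address"]  # keep unparseable text as logged
    if "Failure Code" in f:
        code = int(f["Failure Code"], 16)
        out["failure"] = FAILURE_CODES.get(code, "unlisted code %#x" % code)
    if "Pre-Authentication Type" in f:
        pa = int(f["Pre-Authentication Type"], 0)
        out["preauth"] = PREAUTH_TYPES.get(pa, "unlisted type %d" % pa)
    if "Ticket Options" in f:
        opts = int(f["Ticket Options"], 16)
        out["options"] = [n for b, n in KDC_OPTIONS.items() if opts & (1 << (31 - b))]
    return out
```

For the sample above, failure code 0x12 decodes to KDC_ERR_CLIENT_REVOKED and pre-authentication type 2 to PA-ENC-TIMESTAMP.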