Type: Failure Audit
Authentication Ticket Request:
User Name: email@example.com
Supplied Realm Name: NOSUCHTHING.COM
User ID: -
Service Name: krbtgt/NOSUCHTHING.COM
Service ID: -
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: -
Pre-Authentication Type: -
Client Address: 192.168.6.210
Certificate Issuer Name:
Certificate Serial Number:
Concepts to understand:
What is Kerberos?
What is the meaning of a Kerberos result code?
This event indicates a failure to obtain a Kerberos authentication ticket. There are other events detailing the failure of the actual logon (such as event ID 675), so this one is somewhat redundant. The only relevant information not present in the other audit events is the Kerberos result code, which indicates the reason why the authentication was not granted. For example, result code 0x6 means "Client not found in Kerberos database". The ticket options are more or less standard for a user logon request and indicate various details about the ticket (see the "Kerberos ticket options explained" link).
Links: Kerberos ticket options explained
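
As an added example (not EventID.Net's code), this Python sketch parses the event description above and decodes its result code and ticket options. The flag names and bit positions are the KDCOptions from RFC 4120, the function names are illustrative, and the sample text is constructed from the fields shown on this page.

```python
import re

# Constructed sample: the event description fields shown on this page.
SAMPLE_EVENT = """\
Authentication Ticket Request:
User Name: email@example.com
Supplied Realm Name: NOSUCHTHING.COM
Service Name: krbtgt/NOSUCHTHING.COM
Ticket Options: 0x40810010
Result Code: 0x6
Client Address: 192.168.6.210
"""

# KDCOptions flags from RFC 4120; bit 0 is the most significant of 32 bits.
KDC_OPTIONS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable", 15: "canonicalize",
    26: "disable-transited-check", 27: "renewable-ok",
    28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}

# Subset of the RFC 4120 error codes seen on failed ticket requests.
RESULT_CODES = {
    0x6: "Client not found in Kerberos database",
    0x12: "Client's credentials have been revoked",
    0x18: "Pre-authentication information was invalid",
}

def parse_event(text):
    """Return the 'Name: value' fields of the event description as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m and m.group(2):  # skip the section header and empty fields
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def decode_ticket_options(value):
    """List the KDCOptions flag names set in a 32-bit ticket options value."""
    return [name for bit, name in sorted(KDC_OPTIONS.items())
            if value & (1 << (31 - bit))]

def summarize(text):
    """Reduce one event to who asked, from where, why it failed, and flags."""
    f = parse_event(text)
    code = int(f["Result Code"], 16)
    return {"user": f.get("User Name"), "client": f.get("Client Address"),
            "reason": RESULT_CODES.get(code, "unlisted code 0x%x" % code),
            "options": decode_ticket_options(int(f["Ticket Options"], 16))}
```

Grouping the summaries by client address and reason makes a run of 0x6 failures for many different user names from one source stand out from ordinary mistyped logons.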