Small Business Susan

Kerberos security audit log events driving you crazy?

If you’ve ever looked at the security logs on an SBS 2008 network, you’ll see that there’s a ton of audit failures.


EVENT # 611978278
EVENT LOG Security
EVENT TYPE Audit Failure
OPCODE Info
SOURCE Microsoft-Windows-Security-Auditing
CATEGORY Kerberos Authentication Service
EVENT ID 4768
COMPUTERNAME   SERVER
DATE / TIME   3/5/2013 12:00:01 PM
MESSAGE A Kerberos authentication ticket (TGT) was requested.

Account Information:
Account Name: S-1-5-21-3575639598-1280693111-1939800713-1034
Supplied Realm Name: DOMAIN.LAN
User ID: NULL SID

Service Information:
Service Name: krbtgt/Domain.LAN
Service ID: NULL SID

Network Information:
Client Address: ::ffff:192.168.1.21
Client Port: 59685

Additional Information:
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: 0xffffffff
Pre-Authentication Type: -

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.


In searching for why this is happening you hit posts with guidance to disable this auditing… but… not so fast…


Windows Security Log Event ID 4768 – A Kerberos authentication ticket (TGT) was requested:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768
http://www.networksteve.com/forum/topic.php/Kerberos_Service_Ticket_Operations_Audit_Failure/?TopicId=8283&Posts=3


auditpol /set /category:"Account Logon" /subcategory:"Kerberos Service Ticket Operations" /failure:disable


Now, while you can ignore it (yeah right), the better solution is documented here:


SBS 2008\Kerberos Failure Audits are logged when Windows 7 clients are on LAN:
http://support.microsoft.com/kb/2519073/en-us


If the domain is still running at the Windows 2003 functional level you will receive these events.


  • Windows 7 clients will request the aes256-cts-hmac-sha1-96 algorithm by default.
  • This algorithm is only supported at the Windows 2008 domain functional level.
  • SBS 2008 setup will not raise the functional level of the domain after promoting the server to a domain controller. This is always a manual step that you have to perform.
  • When the server rejects the request, the Windows 7 client will negotiate down to a supported algorithm. Nothing is actually broken here; it is all by design.

If you have 2003 domain controllers in your environment, then ignore the event. If you are able and ready to raise the functional level of the domain, then raising it to 2008 will eliminate these events.


Go into Active Directory Domains and Trusts, right-click on Active Directory at the top, and find Raise Forest Functional Level. As long as you have no additional DCs at the Server 2003 level, you can raise this with no issues.
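Before raising the level, it helps to confirm that the failures on your own server actually fit the pattern above. The following script is an added example, not from the original post or the KB article; it assumes it is run elevated on the SBS 2008 domain controller with PowerShell 2.0 (for Get-WinEvent), and the 24-hour look-back window is an assumed value.

```powershell
# Summarise Kerberos TGT audit failures (event 4768) and report the domain
# functional level, so the log noise can be compared with the
# "Windows 7 client + Windows 2003 functional level" explanation.
$hours = 24   # assumed look-back window; adjust as needed

# Domain functional level via .NET (no ActiveDirectory module needed on 2008).
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
"Domain {0} functional level: {1}" -f $domain.Name, $domain.DomainMode
if ($domain.DomainMode -eq 'Windows2003Domain') {
    "Still at the 2003 level: AES256 TGT requests from Windows 7 clients will be rejected and audited."
}

# Keyword 0x10000000000000 selects Audit Failure entries only.
$filter = @{
    LogName   = 'Security'
    Id        = 4768
    Keywords  = 0x10000000000000
    StartTime = (Get-Date).AddHours(-$hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Pull the named fields out of each event's XML payload.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time    = $e.TimeCreated
        Account = $d['TargetUserName']
        Client  = $d['IpAddress']
        Status  = $d['Status']                # the "Result Code" shown in the event text
        EType   = $d['TicketEncryptionType']  # 0xffffffff when no ticket was issued
        PreAuth = $d['PreAuthType']
    }
}

"{0} failed TGT requests in the last {1} hours" -f @($rows).Count, $hours

# A handful of LAN workstation addresses repeating one result code matches the
# by-design behaviour; many different codes or unfamiliar client addresses
# deserve a closer look before the audit is dismissed as noise.
$rows | Group-Object Status, Client | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it again after raising the functional level; the 4768 failures from Windows 7 clients should stop appearing in the look-back window.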