Skip to main content
Skip table of contents

EVID 4768, 4771 : Kerberos Events (Part 1) (XML - Security)

Event Details

Event TypeAudit Kerberos Authentication Service
Event Description
  • 4768(S, F) : A Kerberos authentication ticket (TGT) was requested.
  • 4771(F) : Kerberos pre-authentication failed.
Event IDs4768, 4771

Log Fields and Parsing

This section details the log fields available in this log message type, along with values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means that there is no value parsed for a specified log field.

Log FieldLogRhythm DefaultLogRhythm Default v2.0
ProviderN/AN/A
EventID<vmid><vmid>
VersionN/AN/A
Level<severity><severity>
TaskN/A<vendorinfo>
OpcodeN/AN/A
Keywords<tag1><result>, <tag3>
TimeCreatedN/AN/A
EventRecordIDN/AN/A
CorrelationN/AN/A
ExecutionN/AN/A
ChannelN/AN/A
Computer<dname><dname>
TargetUserName<login><login>, <tag1>
TargetDomainName<domainorigin><domainorigin>
TargetSidN/AN/A
ServiceName<process><process>
ServiceSidN/AN/A
TicketOptions<object><command>
Status<status>, <tag3><responsecode>, <tag2>
TicketEncryptionType<sessiontype><policy>
PreAuthTypeN/A<sessiontype>
IpAddress<sip><sip>
IpPort<sport><sport>
CerIssuerNameN/A<subject>
CertSerialNumberN/AN/A
CertThumbprintN/AN/A

Log Processing Settings

This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.

LogRhythm Default

Regex IDRule NameRule TypeCommon EventClassification
1007812EVID 4768 - 4771 : Kerberos EventsBase RuleAuthentication ActivityAuthentication Success
EVID 4770 : Ticket RenewedSub RuleAuthentication ActivityAuthentication Success
Client Database Entry Has ExpiredSub RuleUser Logon FailureAuthentication Failure
Server Database Entry Has ExpiredSub RuleUser Logon FailureAuthentication Failure
Unsupported ProtocolSub RuleReconnaissance ActivityReconnaissance
Client Key Encrypted In Old Master KeySub RuleUser Logon FailureAuthentication Failure
Server Key Encrypted In Old Master KeySub RuleUser Logon FailureAuthentication Failure
Client Not Found In Kerberos DatabaseSub RuleUser Logon FailureAuthentication Failure
Server Not Found In Kerberos DatabaseSub RuleUser Logon FailureAuthentication Failure
Multiple Principal Entries In DatabaseSub RuleUser Logon FailureAuthentication Failure
Client Or Server Has Null KeySub RuleUser Logon FailureAuthentication Failure
Ticket Not Eligible For PostdatingSub RuleModify Object Attribute FailureAccess Failure
Requested Start Time Is Later Than End TimeSub RuleUser Logon FailureAuthentication Failure
KDC Policy Rejects RequestSub RuleUser Logon FailureAuthentication Failure
KDC Cannot Accomodate Request OptionSub RuleUser Logon FailureAuthentication Failure
KDC Has No Support For Encryption TypeSub RuleUser Logon FailureAuthentication Failure
KDC Has No Support For Checksum TypeSub RuleUser Logon FailureAuthentication Failure
KDC Has No Support For Padata TypeSub RuleUser Logon FailureAuthentication Failure
KDC Has No Support For Transited TypeSub RuleUser Logon FailureAuthentication Failure
Clients Credentials For Server Have Been RevokedSub RuleUser Logon FailureAuthentication Failure
Credentials For Server Have Been RevokedSub RuleAccess Revoked ActivityAccess Revoked
TGT Has Been RevokedSub RuleAccess Revoked ActivityAccess Revoked
Client Not Yet ValidSub RuleUser Logon FailureAuthentication Failure
Server Not Yet ValidSub RuleUser Logon FailureAuthentication Failure
Password Has ExpiredSub RuleUser Logon Failure : Bad PasswordAuthentication Failure
Pre-auth Information Was InvalidSub RuleUser Logon FailureAuthentication Failure
Additional Pre-authentication RequiredSub RuleUser Logon FailureAuthentication Failure
Integrity Check On Decrypted Field FailedSub RuleIntegrity Check On Decrypted Field FailedWarning
Ticket ExpiredSub RuleUser Logon FailureAuthentication Failure
Ticket Not Yet ValidSub RuleUser Logon FailureAuthentication Failure
Request Is A ReplaySub RuleUser Logon FailureAuthentication Failure
The Ticket Is Not For UsSub RuleUser Logon FailureAuthentication Failure
Ticket And Authenticator Do Not MatchSub RuleUser Logon FailureAuthentication Failure
Clock Skew Too GreatSub RuleClock Skew Too GreatWarning
Incorrect Net AddressSub RuleUser Logon FailureAuthentication Failure
Protocol Version MismatchSub RuleUser Logon FailureAuthentication Failure
Invalid Message TypeSub RuleInvalid Message TypeError
Message Stream ModifiedSub RuleMessage Stream ModifiedInformation
Message Out Of OrderSub RuleMessage Out Of OrderError
Specified Version Of Key Is Not AvailableSub RuleUser Logon FailureAuthentication Failure
Service Key Not AvailableSub RuleUser Logon FailureAuthentication Failure
Mutual Authentication FailedSub RuleUser Logon FailureAuthentication Failure
Incorrect Message DirectionSub RuleIncorrect Message DirectionError
Alternative Authentication Method RequiredSub RuleUser Logon FailureAuthentication Failure
Incorrect Sequence Number In MessageSub RuleIncorrect Sequence NumberError
Inappropriate Type Of Checksum In MessageSub RuleInappropriate Type Of ChecksumError
Generic ErrorSub RuleGeneric ErrorError
Field Is Too Long For This ImplementationSub RuleField Is Too LongError
EVID 4768 : Clients Credentials For Server RevokedSub RuleUser Logon FailureAuthentication Failure
EVID 4768 : Client Not Found In Kerberos DatabaseSub RuleUser Logon FailureAuthentication Failure
EVID 4768 : Auth Ticket Denied, Usr AcctSub RuleUser Logon FailureAuthentication Failure
EVID 4769 : Svc Ticket Denied, Usr AcctSub RuleUser Logon FailureAuthentication Failure
EVID 4770 : Ticket Renew Denied, Usr AcctSub RuleUser Logon FailureAuthentication Failure
EVID 4769 : Serv Principal Valid User-To-User OnlySub RuleDomain Trust InformationInformation
EVID 4768 : Auth Ticket Granted, Sys AcctSub RuleComputer LogonAuthentication Success
EVID 4769 : Svc Ticket Granted, Sys AcctSub RuleAuthentication ActivityAuthentication Success
EVID 4770 : Ticket Renewed, User AccountSub RuleAuthentication ActivityAuthentication Success
EVID 4769 : Svc Ticket Granted, Usr AcctSub RuleAuthentication ActivityAuthentication Success
EVID 4768 : Auth Ticket Granted, Usr AcctSub RuleUser LogonAuthentication Success
General Kerberos FailureSub RuleAuthentication Failure ActivityAuthentication Failure

LogRhythm Default v2.0

Regex IDRule NameRule TypeCommon EventClassification
1011089V 2.0 : EVID 4768-4771 : Kerberos TGT Failure MsgBase RuleGeneral Authentication EventOther Audit
V 2.0 : EVID 4768 : Computer Logon SuccessSub RuleComputer LogonAuthentication Success
V 2.0 : EVID 4768 : User Logon SuccessSub RuleUser LogonAuthentication Success
V 2.0 : EVID 4768 : Computer Logon Failure -Bad UsSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Computer Logon Failure - ClockSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Computer Logon Failure-UnsprtSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Computer Logon Failure InvaldSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Computer Logon Flr  CredentialSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Computer Logon Failure PswrdSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Computer Logon Failure Bad PasSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Computer Logon Failure - ExpirSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Computer Logon Failure - TktSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Computer Logon Failure-DuplkteSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Computer Logon Failure - ClockSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : User Logon Failure- Bad UserSub RuleUser Logon Failure : Bad UsernameAuthentication Failure
V 2.0 : EVID 4768 : User Logon Failure - Clock OutSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : User Logon Failure - UnsupportSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : User Logon Failure- Invalid CeSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : User Logon Failure - CredentiaSub RuleUser Logon Failure : Account DisabledAuthentication Failure
V 2.0 : EVID 4768 : User Logon Failure- Password ESub RuleUser Logon Failure : Bad PasswordAuthentication Failure
V 2.0 : EVID 4768 : User Logon Failure- Bad PswrdSub RuleUser Logon Failure : Bad PasswordAuthentication Failure
V 2.0 : EVID 4768 : User Logon Failure Expired TktSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : User Logon Failure Ticket NotSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : User Logon Failure DuplicatedSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : User Logon Failure - Clock OutSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4771 : Computer Logon Failure - InvldSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4771 : Computer Logon Failure- PaswrdSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4771 : Computer Logon Fail Bad PswrdSub RuleComputer Logon FailureAuthentication Failure
V 2.0 : EVID 4771 : User Logon Failure Invalid CerSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4771 : User Logon Fail Password ExprdSub RuleUser Logon Failure : Bad PasswordAuthentication Failure
V 2.0 : EVID 4771 : User Logon Failure Bad PswrdSub RuleUser Logon Failure : Bad PasswordAuthentication Failure
V 2.0 : EVID 4768 : Client Database Entry Has ExprSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : KDC Has No Suprt For TransitedSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Client Not Yet ValidSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : KDC Has No Suprt For TransitedSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Additional Pre-auth RequiredSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Server Database Entry Has ExprSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : The Tkt Is Not Fr UserSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Ticket & Authenticator Do NotSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Incorrect Net AddressSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Protocol Version MismatchSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Specified Ver Of Key Is Not AvSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Service Key Not AvailableSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Mutual Authentication FailedSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Alternative Auth MethodSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Client Key Encypted In Old MstSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Server Key Encrypted In Old MsSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Client Nt Found In Kerberos DBSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Server Nt Found In Kerberos DBSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Multiple Principal Entrs In DbSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Client Or Server Has Null KeySub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : KDC Policy Rejects RequestSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : KDC Cannot Accomodate Req OptnSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : KDC Has No Support For ChecksmSub RuleUser Logon FailureAuthentication Failure
V 2.0 : EVID 4768 : Cred For Server Have Been RvkdSub RuleAccess Revoked ActivityAccess Revoked
V 2.0 : EVID 4768 : TGT Has Been RevokedSub RuleAccess Revoked ActivityAccess Revoked
V 2.0 : EVID 4768 : Integrity Chk On Decrypt FieldSub RuleIntegrity Check On Decrypted Field FailedWarning
V 2.0 : EVID 4768 : Invalid Message TypeSub RuleInvalid Message TypeError
V 2.0 : EVID 4768 : Message Stream ModifiedSub RuleMessage Stream ModifiedInformation
V 2.0 : EVID 4768 : Message Out Of OrderSub RuleMessage Out Of OrderError
V 2.0 : EVID 4768 : Incorrect Message DirectionSub RuleIncorrect Message DirectionError
V 2.0 : EVID 4768 : Unsupported ProtocolSub RuleReconnaissance ActivityReconnaissance
V 2.0 : EVID 4768 : Incorrect Seq No In MessageSub RuleIncorrect Sequence NumberError
V 2.0 : EVID 4768 : Inapt Typ Of Chcksum In MsgSub RuleInappropriate Type Of ChecksumError
V 2.0 : EVID 4768 : Generic ErrorSub RuleGeneric ErrorError
V 2.0 : EVID 4768 : Field Is Too Long For This ImpSub RuleField Is Too LongError
V 2.0 : EVID 4768 : Ticket Not Eligible For PostdaSub RuleModify Object Attribute FailureAccess Failure
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.