What is Kerberos?
Kerberos is a network authentication protocol used in Windows domains to verify the identity of users and computers across an untrusted network such as the internet. Kerberos support is built into all major computer operating systems, including Microsoft Windows.
Pre-authentication is an initial step in the Kerberos process where the client proves its identity to the Key Distribution Center (KDC).
Since Windows 2000, the Kerberos protocol has been used by Microsoft as the default authentication method, and it is a fundamental part of the Windows Active Directory (AD) service.
What is Event ID 4771?
Event ID 4771, “Kerberos pre-authentication failed,” is a common security event in Windows environments.
This event is generated every time the Key Distribution Center (KDC) fails to issue a Kerberos Ticket Granting Ticket (TGT) because it could not validate the client’s initial identity claim during pre-authentication. The event is logged on domain controllers.
Note that this event is not generated if the “Do not require Kerberos preauthentication” option is set for the account.
The following are some of the common causes for event ID 4771 to be generated:
| Cause | Description |
|---|---|
| Incorrect password | This is the most frequent cause. |
| Expired password | The user’s password has expired. |
| Locked-out account | The user’s account has been locked due to too many failed logon attempts. |
| Disabled account | The user’s account has been disabled in Active Directory. |
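The causes above are distinguished in the event’s Status field, which carries the Kerberos error code (0x18 wrong password, 0x17 expired password, 0x12 locked-out or disabled account; the script also maps 0x25, clock skew, which the table does not list). What makes 4771 useful for detection is not a single failure but the pattern: many wrong-password failures against one account from one host suggests password guessing, and one host producing single failures across many accounts suggests a password spray. The following script is an added example, not code from this page or from Lepide; it runs offline over constructed sample records whose field names follow the EventData of a real 4771 event (TargetUserName, IpAddress, Status), while the users, addresses, times and thresholds are made up.

```python
"""Triage of Windows Security event 4771 (Kerberos pre-authentication failed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Status (Kerberos error) codes seen in 4771 events; numeric values are from RFC 4120.
FAILURE_CODES = {
    "0x18": "KDC_ERR_PREAUTH_FAILED: wrong password",
    "0x17": "KDC_ERR_KEY_EXPIRED: password expired",
    "0x12": "KDC_ERR_CLIENT_REVOKED: account locked out or disabled",
    "0x25": "KRB_AP_ERR_SKEW: clock skew between client and KDC",
}

# Constructed sample records: field names follow a real 4771 event's EventData,
# the users, addresses and times are invented for this example.
SAMPLE_EVENTS = [
    # alice: six wrong-password failures in six minutes from one host -> guessing
    *({"TimeCreated": f"2024-05-01T08:0{i}:00", "TargetUserName": "alice",
       "IpAddress": "::ffff:10.0.0.5", "Status": "0x18"} for i in range(6)),
    # bob and carol: single failures with an administrative explanation
    {"TimeCreated": "2024-05-01T08:10:00", "TargetUserName": "bob",
     "IpAddress": "::ffff:10.0.0.7", "Status": "0x17"},
    {"TimeCreated": "2024-05-01T08:11:00", "TargetUserName": "carol",
     "IpAddress": "::ffff:10.0.0.7", "Status": "0x12"},
    # one host failing once against many accounts in quick succession -> spray
    *({"TimeCreated": f"2024-05-01T09:00:{10 * k:02d}", "TargetUserName": user,
       "IpAddress": "::ffff:10.0.0.99", "Status": "0x18"}
      for k, user in enumerate(["dave", "erin", "frank", "grace"])),
]


def describe_status(code):
    """Human-readable cause for a 4771 Status code (falls back to the raw code)."""
    return FAILURE_CODES.get(code.lower(), f"unmapped Kerberos error {code}")


def parse_events(records):
    """Normalise raw records: parse the timestamp, strip the IPv4-mapped IPv6 prefix
    that domain controllers put in front of IPv4 client addresses, lower-case names."""
    parsed = []
    for r in records:
        ip = r["IpAddress"]
        if ip.startswith("::ffff:"):
            ip = ip[len("::ffff:"):]
        parsed.append({
            "time": datetime.fromisoformat(r["TimeCreated"]),
            "user": r["TargetUserName"].lower(),
            "ip": ip,
            "status": r["Status"].lower(),
        })
    return parsed


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def _max_distinct_in_window(pairs, window):
    """Largest number of distinct accounts in any `window` of (time, account) pairs."""
    pairs = sorted(pairs)
    counts = defaultdict(int)
    best, start = 0, 0
    for t, acct in pairs:
        counts[acct] += 1
        while t - pairs[start][0] > window:
            old = pairs[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def triage(records, window=timedelta(minutes=10),
           bruteforce_threshold=5, spray_threshold=4):
    """Accounts and source IPs whose wrong-password (0x18) failures exceed the thresholds.
    Other status codes are left out: an expired or locked account explains itself."""
    by_user, by_ip = defaultdict(list), defaultdict(list)
    for e in parse_events(records):
        if e["status"] != "0x18":
            continue
        by_user[e["user"]].append(e["time"])
        by_ip[e["ip"]].append((e["time"], e["user"]))
    return {
        "bruteforce": {u: n for u, t in by_user.items()
                       if (n := _max_in_window(t, window)) >= bruteforce_threshold},
        "spray": {ip: n for ip, p in by_ip.items()
                  if (n := _max_distinct_in_window(p, window)) >= spray_threshold},
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for user, n in result["bruteforce"].items():
        print(f"possible password guessing: {n} failures for {user} within 10 min")
    for ip, n in result["spray"].items():
        print(f"possible password spray: {n} accounts from {ip} within 10 min")
    for e in parse_events(SAMPLE_EVENTS):
        if e["status"] != "0x18":
            print(f"{e['user']} from {e['ip']}: {describe_status(e['status'])}")
```

The thresholds are deliberately parameters: the right values depend on the account lockout policy and on how noisy a given environment's stale-credential failures are, so they should be tuned against a baseline of normal 4771 volume before the output is wired to an alert.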
How Lepide Auditor Helps
It is essential that an administrator has visibility over what is happening in their Active Directory. This ensures that any suspicious activity relating to potential security threats is identified and can be responded to immediately.
The Lepide Active Directory Auditing Tool enables effective monitoring, auditing, and reporting on all Active Directory states and changes, including account logon events. The Lepide Auditor includes pre-configured account logon reports to help identify malicious users attempting to log on to machines that require elevated privileges.