Kerberos is an authentication protocol which is used to verify the identity of a host across an untrusted network, such as the internet. Kerberos support is built into all major computer operating systems, including Microsoft Windows.
Since Windows 2000, the Kerberos protocol has been used by Microsoft as the default authentication method, and it is a fundamental part of the Windows Active Directory (AD) service.
What is Kerberos Event ID 4773?
Event ID | 4773 |
Category | Account Logon |
Sub Category | Kerberos Service Ticket Operations |
Description | A Kerberos service ticket request failed |
When a Kerberos service ticket request fails, Event ID 4773 is logged and the log data provides the following information:
- Account Information
- Service Information
- Network Information
- Additional Information
Why Does Event ID 4773 Need to Be Monitored?
Although Event ID 4773 appears in some documentation, it is not currently used on Windows systems. Microsoft doesn’t log this specific event.
There are a couple of reasons why you might see references to it:
- Outdated Information: Some resources may be referencing older versions of Windows where Event ID 4773 was used. Microsoft replaced it with Event ID 4769 (Failure Audit) for Kerberos service ticket request failures.
- Misinterpretation: The functionality might be misinterpreted. While Event ID 4773 isn’t used, monitoring Kerberos authentication failures (like Event ID 4769) is still important for security purposes.
Here’s why monitoring Kerberos authentication failures (like Event ID 4769) is important:
- Security: It can help detect suspicious login attempts. Failed Kerberos requests can indicate issues like invalid credentials, expired passwords, or attempts to access unauthorized resources. This can be a sign of brute-force attacks or attempts to exploit vulnerabilities in Kerberos authentication.
- Troubleshooting: It can help identify configuration problems. Failed requests might be due to misconfigured services, network connectivity issues, or problems with the Kerberos infrastructure. Monitoring these events can help pinpoint the root cause of login failures.
- Operational Efficiency: It can help ensure smooth user access. By monitoring these events, you can identify any recurring issues that might be causing disruptions to user logins. This helps maintain system uptime and user productivity.
In summary, focus on monitoring Event ID 4769 (Failure Audit) for Kerberos service ticket failures instead of Event ID 4773. This will provide valuable information for maintaining a secure and healthy Active Directory environment.
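The following is an added example, not part of the original article or of any vendor tooling. It sketches the monitoring recommended above: it parses Security log events in their XML form, keeps Event ID 4769 records whose Status field is non-zero (a failed service ticket request), and counts failures per client address. The sample events are constructed, and the function names and the threshold of 3 are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Subset of Kerberos result codes (RFC 4120) that can appear in the 4769 Status field.
KRB_ERRORS = {0x7: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 0xC: "KDC_ERR_POLICY",
              0x20: "KRB_AP_ERR_TKT_EXPIRED", 0x25: "KRB_AP_ERR_SKEW"}

# Constructed sample events (not real log data), trimmed to the fields used here.
_TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>{0}</EventID></System><EventData>"
    '<Data Name="TargetUserName">{1}</Data><Data Name="ServiceName">{2}</Data>'
    '<Data Name="IpAddress">{3}</Data><Data Name="Status">{4}</Data>'
    "</EventData></Event>"
)
SAMPLE_EVENTS = [_TEMPLATE.format(*row) for row in [
    (4769, "alice@EXAMPLE.LOCAL", "FILESRV01$", "::ffff:10.0.0.21", "0x0"),
    (4769, "bob@EXAMPLE.LOCAL", "svc-old", "::ffff:10.0.0.44", "0x7"),
    (4769, "bob@EXAMPLE.LOCAL", "svc-old2", "::ffff:10.0.0.44", "0x7"),
    (4769, "bob@EXAMPLE.LOCAL", "svc-sql", "::ffff:10.0.0.44", "0x20"),
    (4769, "carol@EXAMPLE.LOCAL", "WEB01$", "::ffff:10.0.0.30", "0x25"),
    (4768, "dave@EXAMPLE.LOCAL", "krbtgt", "::ffff:10.0.0.50", "0x6"),
]]

def parse_failures(xml_events):
    """Return the EventData of 4769 events whose Status is non-zero."""
    failures = []
    for raw in xml_events:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4769":
            continue  # other event IDs (for example 4768) are out of scope here
        data = {d.get("Name"): (d.text or "")
                for d in root.iterfind("e:EventData/e:Data", NS)}
        code = int(data.get("Status", "0x0"), 16)
        if code != 0:
            data["Reason"] = KRB_ERRORS.get(code, f"code {code:#x}")
            failures.append(data)
    return failures

def noisy_sources(failures, threshold=3):
    """Client addresses with at least `threshold` failed requests (assumed cutoff)."""
    counts = Counter(f["IpAddress"] for f in failures)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    failed = parse_failures(SAMPLE_EVENTS)
    for f in failed:
        print(f["IpAddress"], f["TargetUserName"], f["ServiceName"], f["Reason"])
    print("Review:", noisy_sources(failed))
```

A single clock-skew or expired-ticket failure usually points to the troubleshooting case, while repeated failures from one address are the pattern worth a closer look.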
Conclusion
It is essential for an administrator to have complete visibility over what is happening on their Active Directory to ensure that any suspicious activity relating to potential security threats is identified and responded to immediately.
The Lepide Active Directory auditing tool enables effective monitoring, auditing, and reporting on all Active Directory states and changes, including account logon events. Pre-configured account logon reports help identify malicious users attempting to log on to machines that require elevated privileges.