We have been getting a lot of the following messages: WinEvtLog: Security: AUDIT_FAILURE(4768): Microsoft-Windows-Security-Auditing: (no user): no domain: DomainController.FQDN: A Kerberos authentication ticket (TGT) was requested. Account Information: Account Name: UserName Supplied Realm Name: DomainName User ID: S-1-0-0 Service Information: Service Name: krbtgt/DomainName Service ID: S-1-0-0 Network Information: Client Address: ::ffff:#.#.#.# (EmailServerIPAddress) Client Port: 14670 Additional Information: Ticket Options: 0x40810010 Result Code: 0x17 Ticket Encryption Type: 0xffffffff Pre-Authentication Type: - Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120
We upgraded our Domain from AD2003 to AD2008 a couple of months ago. I don’t remember if these messages started then or were already happening at that time, or have started since. The username in the above is a valid username. I thought maybe it could be due to logon hours, but they have logon permitted all day, every day. Any idea why the error is occurring? I am pretty sure it’s nothing to be overly concerned about, but I’m getting multiple messages throughout the day. RDover This email is intended for its designated recipients. The information, and attachments, contained in this email may be considered private and/or confidential. If the transmission is received in error, delete messages(s) from your system and notify the sender. You may not, directly or indirectly, use, disclose or distribute any part of this email. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
