Monday, 5 May 2014

Event ID 4768 - A Kerberos authentication ticket (TGT) was requested

Event ID 4768 is logged only on domain controllers, for both success and failure. If the username and password are correct, the DC grants the TGT and logs Event ID 4768 with a success result code (authentication ticket granted). If the ticket request fails, Windows logs either Event ID 4768 with a failure result code or Event ID 4771 (Kerberos pre-authentication failed). In this article I explain how to enable and configure Event ID 4768 through the Default Domain Controllers Policy GPO and Auditpol.exe, and how to disable Event ID 4768.

Sample Event ID 4768 (Security log):

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/5/2014 3:43:20 PM
Event ID:      4768
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      Work2008R2.TestDomain.local
Description:
A Kerberos authentication ticket (TGT) was requested.

Account Information:
 Account Name:  LTest
 Supplied Realm Name: TESTDOMAIN
 User ID:   TESTDOMAIN\LTest

Service Information:
 Service Name:  krbtgt
 Service ID:  TESTDOMAIN\krbtgt

Network Information:
 Client Address:  192.78.2.145
 Client Port:  0

Additional Information:
 Ticket Options:  0x40810010
 Result Code:  0x0
 Ticket Encryption Type: 0x12
 Pre-Authentication Type: 2

Certificate Information:
 Certificate Issuer Name:  
 Certificate Serial Number: 
 Certificate Thumbprint:  

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

Enable AD Logon Audit Event 4768 via Group Policy

To enable Event ID 4768 on every domain controller, we need to configure audit settings in the Default Domain Controllers Policy. Alternatively, you can create a new GPO and link it to the Domain Controllers OU via the GPMC console, or configure the corresponding policies in the Local Security Policy of each domain controller.

Follow the steps below to enable the Active Directory Kerberos logon audit event 4768 via the Default Domain Controllers Policy.

    1. Press the 'Windows' + 'R' keys.
    2. Type the command gpmc.msc, and click OK.
         Note: You can skip the above steps by clicking Start --> Administrative Tools --> Group Policy Management.
    3. Expand the domain node and the Domain Controllers OU, right-click the Default Domain Controllers Policy, then click Edit (refer to the image below).

[Image: Steps to enable Event 4768 via Group Policy]

    4. Expand the Computer Configuration node and Security Settings, and navigate to the Audit Policy node (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Logon).

[Image: Steps to enable/configure Active Directory Kerberos Logon Audit Event ID 4768]

    5. In the right-hand pane, double-click Audit account logon events and set both Success and Failure to enable Kerberos logon event 4768.

[Image: Steps to enable/configure Active Directory Kerberos Logon Audit Event ID 4768]

   Note: In Windows 2008 R2 and later versions, you can also control this event with a subcategory-level setting via Advanced Audit Policy Configuration.

    Expand Computer Configuration and Security Settings, navigate to the Account Logon node (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Logon) and set Audit Kerberos Authentication Service to Success and Failure.

[Image: Steps to enable/configure Event ID 4768]

    6. Run the command gpupdate /force from a command prompt to apply the updated Group Policy settings.


Enable/Configure Event ID 4768 via Auditpol

Auditpol.exe is the command-line utility for changing audit security settings at the category and subcategory level. It is available by default on Windows Server 2008 R2 and later, and on Windows 7 and later. With Auditpol, we can get and set audit security settings at the per-user and per-computer level.

Note: You should run the Auditpol command with elevated privileges (Run As Administrator).

You can enable Event 4768 through the Kerberos Authentication Service subcategory by using the following commands.

Success Audit:
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable

[Image: Steps to enable/configure Event ID 4768]

Failure Audit:
auditpol /set /subcategory:"Kerberos Authentication Service" /failure:enable

To update or refresh the GPO settings, run the command gpupdate /force.
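Once the subcategory is enabled, the fields shown in the sample event above (Result Code, Ticket Encryption Type, Pre-Authentication Type, Client Address) are what you actually review. The following PowerShell script is an added example, not part of the original post: it checks with auditpol that the Kerberos Authentication Service subcategory is auditing both success and failure, then parses the last 24 hours of 4768 events into a flat table and summarizes failed TGT requests and tickets issued with non-AES encryption. It assumes PowerShell 3.0 or later and an elevated prompt on a domain controller; the function name ConvertFrom-Kerberos4768 is made up for this example.

```powershell
# Added example, not from the original post. Assumes PowerShell 3.0 or later,
# run elevated on a domain controller where the Security log is readable.

# 1. Confirm the subcategory the article enables is auditing both ways.
#    auditpol's /r switch prints CSV, so the columns can be parsed directly.
$policy = auditpol /get /subcategory:"Kerberos Authentication Service" /r |
          Where-Object { $_ } | ConvertFrom-Csv
if ($policy.'Inclusion Setting' -ne 'Success and Failure') {
    Write-Warning ("Kerberos Authentication Service auditing is '{0}'; " +
                   "expected 'Success and Failure'." -f $policy.'Inclusion Setting')
}

# 2. Flatten each 4768 event's EventData into the fields the sample event shows.
function ConvertFrom-Kerberos4768 {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Client      = $data.IpAddress -replace '^::ffff:', ''   # strip IPv4-mapped prefix
            Status      = $data.Status                  # RFC 4120 result code, 0x0 = success
            EncType     = $data.TicketEncryptionType    # 0x12 = AES256, 0x17 = RC4-HMAC
            PreAuthType = $data.PreAuthType             # 2 = password timestamp, 16 = smart card
        }
    }
}

# 3. Pull the last 24 hours of 4768 events and summarize them.
$filter = @{ LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-24) }
$parsed = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
          ConvertFrom-Kerberos4768

# Failed TGT requests grouped by account, client and result code. A burst of
# 0x18 (KDC_ERR_PREAUTH_FAILED) from one client is a wrong-password pattern;
# many 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) from one client is unknown-name probing.
$parsed | Where-Object { $_.Status -ne '0x0' } |
    Group-Object Account, Client, Status | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Successful TGTs issued with RC4 or DES instead of AES: on a domain that should
# be AES-only these are the accounts whose ticket encryption has been downgraded.
$parsed | Where-Object { $_.Status -eq '0x0' -and (@('0x17', '0x3', '0x1') -contains $_.EncType) } |
    Select-Object Time, Account, Client, EncType | Format-Table -AutoSize
```

The Client field is stripped of the ::ffff: prefix because the KDC records IPv4 clients as IPv4-mapped IPv6 addresses; the Status and EncType values are compared as the hex strings the event XML carries.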

Disable/Stop Event ID 4768

You can disable or stop audit Event 4768 by removing the success and failure audit of the Kerberos Authentication Service subcategory with the following command.

auditpol /set /subcategory:"Kerberos Authentication Service" /success:disable /failure:disable

You can also stop this event by removing the Success and Failure setting from the Default Domain Controllers Policy, either at the category-level setting (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Logon -> Audit account logon events)

 or at the subcategory-level setting (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Logon -> Audit Kerberos Authentication Service).


Note: This article applies only to Windows Server 2008 R2, Windows Server 2012, Windows 7 and Windows 8.


Thanks,
Morgan
Software Developer
