Monday, 17 November 2014

Event 4769 - A Kerberos service ticket was requested.

Event ID 4769 is logged whenever a Kerberos service ticket (the ticket a client presents to reach a resource) is requested by a user or computer account. Only the KDC issues service tickets, so the event appears only in the Security log of domain controllers, and it is recorded for both successful and failed requests. In this article I explain how to enable Event 4769 through the Default Domain Controllers Policy GPO and through Auditpol.exe, and how to disable Event ID 4769.

Sample Event ID 4769 (as recorded in the Security log of a domain controller):

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/17/2014 4:48:29 PM
Event ID:      4769
Task Category: Kerberos Service Ticket Operations
Keywords:      Audit Success
Computer:      MTSDC1.TestDomain.local
Description:
A Kerberos service ticket was requested.

Account Information:
 Account Name:  Morgan$@TESTDOMAIN.LOCAL
 Account Domain:  TESTDOMAIN.LOCAL
 Logon GUID:  {77a5de7f-8fc6-0cb6-f468-ab81a180ff0e}

Service Information:
 Service Name:  MTSDC1$
 Service ID:  TESTDOMAIN\MTSDC1$

Network Information:
 Client Address:  ::1
 Client Port:  0

Additional Information:
 Ticket Options:  0x40810000
 Ticket Encryption Type: 0x12
 Failure Code:  0x0
 Transited Services: -

This event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120. In the sample above, Ticket Options 0x40810000 has the Forwardable, Renewable and Name-canonicalize bits set, Ticket Encryption Type 0x12 is AES256-CTS-HMAC-SHA1-96 (0x11 is AES128, 0x17 is RC4-HMAC; RC4 service tickets for user accounts are the ones to watch for, since they are what Kerberoasting harvests for offline cracking), and Failure Code 0x0 means the ticket was issued.
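As an added example (my own code, not part of the original post), the following PowerShell parses the text of a 4769 event and decodes the three fields just described. Both inputs are constructed: the first is the event body shown above, the second is a made-up RC4 request by a hypothetical user jdoe for a hypothetical service account svc_sql. The Kerberoasting rule it applies (RC4 ticket for a service name that is neither a computer account nor krbtgt) is a first-pass heuristic and will also flag legitimate legacy applications that still negotiate RC4.

```powershell
# Added example, not from the original post. Parses 4769 event text and decodes
# Ticket Options, Ticket Encryption Type and Failure Code. Both inputs below are
# constructed: $PostEvent is the event body from the post, $ConstructedRc4Event
# is a made-up RC4 request for a user SPN (hypothetical names jdoe and svc_sql).

$EncryptionTypes = @{
    0x01 = 'DES-CBC-CRC'; 0x03 = 'DES-CBC-MD5'
    0x11 = 'AES128-CTS-HMAC-SHA1-96'; 0x12 = 'AES256-CTS-HMAC-SHA1-96'
    0x17 = 'RC4-HMAC'; 0x18 = 'RC4-HMAC-EXP'
}
# KDC option bit numbers from RFC 4120 section 5.4.1; bit 0 is the most significant.
$TicketOptionBits = @{
    1 = 'Forwardable'; 2 = 'Forwarded'; 3 = 'Proxiable'; 4 = 'Proxy'
    5 = 'Allow-postdate'; 6 = 'Postdated'; 8 = 'Renewable'; 11 = 'Opt-hardware-auth'
    15 = 'Name-canonicalize'; 26 = 'Disable-transited-check'; 27 = 'Renewable-ok'
    28 = 'Enc-tkt-in-skey'; 30 = 'Renew'; 31 = 'Validate'
}
$FailureCodes = @{
    0x00 = 'Success (ticket issued)'; 0x06 = 'KDC_ERR_C_PRINCIPAL_UNKNOWN'
    0x07 = 'KDC_ERR_S_PRINCIPAL_UNKNOWN'; 0x0D = 'KDC_ERR_BADOPTION'
    0x0E = 'KDC_ERR_ETYPE_NOSUPP'; 0x12 = 'KDC_ERR_CLIENT_REVOKED'
    0x1B = 'KDC_ERR_MUST_USE_USER2USER'; 0x20 = 'KRB_AP_ERR_TKT_EXPIRED'
}

function Get-EventField {
    param([string]$Message, [string]$Label)
    # Field lines look like "  Ticket Options:  0x40810000"; (?m) makes ^ and $ per line.
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label))\s*:\s*(.*?)\s*$") { return $Matches[1] }
}

function ConvertFrom-Event4769 {
    param([Parameter(Mandatory)][string]$Message)
    $options = [Convert]::ToInt32((Get-EventField $Message 'Ticket Options'), 16)
    $etype   = [Convert]::ToInt32((Get-EventField $Message 'Ticket Encryption Type'), 16)
    $failure = [Convert]::ToInt32((Get-EventField $Message 'Failure Code'), 16)
    $service = Get-EventField $Message 'Service Name'

    # Test each documented bit; bit n of a 32-bit big-endian bit string is 1 shl (31 - n).
    $flags = foreach ($bit in ($TicketOptionBits.Keys | Sort-Object)) {
        if ($options -band (1 -shl (31 - $bit))) { $TicketOptionBits[$bit] }
    }
    $etypeName   = if ($EncryptionTypes.ContainsKey($etype)) { $EncryptionTypes[$etype] } else { 'unknown' }
    $failureName = if ($FailureCodes.ContainsKey($failure)) { $FailureCodes[$failure] } else { 'see RFC 4120' }

    # First-pass Kerberoasting rule: an RC4 service ticket for anything other than a
    # computer account ($) or krbtgt was encrypted with a user account's NT hash and
    # can be cracked offline. Legacy applications trigger it too, so treat it as a lead.
    $kerberoast = ($etype -eq 0x17) -and ($service -notmatch '\$$') -and ($service -ne 'krbtgt')

    [pscustomobject]@{
        Account            = Get-EventField $Message 'Account Name'
        Service            = $service
        ClientAddress      = Get-EventField $Message 'Client Address'
        TicketOptions      = '0x{0:X8} ({1})' -f $options, ($flags -join ', ')
        EncryptionType     = '0x{0:X} {1}' -f $etype, $etypeName
        Result             = '0x{0:X} {1}' -f $failure, $failureName
        PossibleKerberoast = $kerberoast
    }
}

# Constructed input 1: the event body from the post.
$PostEvent = @'
A Kerberos service ticket was requested.
Account Information:
 Account Name:  Morgan$@TESTDOMAIN.LOCAL
 Account Domain:  TESTDOMAIN.LOCAL
Service Information:
 Service Name:  MTSDC1$
 Service ID:  TESTDOMAIN\MTSDC1$
Network Information:
 Client Address:  ::1
 Client Port:  0
Additional Information:
 Ticket Options:  0x40810000
 Ticket Encryption Type: 0x12
 Failure Code:  0x0
 Transited Services: -
'@

# Constructed input 2 (not from any real log): a user pulling an RC4 ticket for a user SPN.
$ConstructedRc4Event = @'
A Kerberos service ticket was requested.
 Account Name:  jdoe@TESTDOMAIN.LOCAL
 Service Name:  svc_sql
 Client Address:  ::ffff:192.168.10.25
 Ticket Options:  0x40810000
 Ticket Encryption Type: 0x17
 Failure Code:  0x0
'@

foreach ($message in $PostEvent, $ConstructedRc4Event) {
    ConvertFrom-Event4769 -Message $message
}
# On a live DC, feed real events the same way:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} -MaxEvents 500 |
#     ForEach-Object { ConvertFrom-Event4769 -Message $_.Message } | Where-Object PossibleKerberoast
```

The post's own event decodes to an AES256 ticket for the DC's computer account with no flag raised; the constructed second event is flagged. In practice you would aggregate by Account and count distinct RC4 service names per client in a short window rather than act on a single event.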

Enable Event 4769 via Group Policy

    To log Event ID 4769 on every domain controller, configure the audit settings in the Default Domain Controllers Policy, or create a new GPO and link it to the Domain Controllers OU via the GPMC console, or configure the corresponding policy in the Local Security Policy of each domain controller.

Follow the steps below to enable Event 4769 via the Default Domain Controllers Policy.

    1. Press the 'Windows' + 'R' keys.
    2. Type gpmc.msc and click OK.
         Note: You can skip the above steps by clicking Start --> Administrative Tools --> Group Policy Management.
    3. Expand the domain node and the Domain Controllers OU, right-click Default Domain Controllers Policy, then click Edit.


    4. Expand the Computer Configuration node and navigate to the Audit Policy node (Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Audit Policy). This is the legacy, category-level audit policy; the subcategory-level path under Advanced Audit Policy Configuration is covered in the note after step 5.


    5. In the right-hand pane, double-click Audit account logon events and enable both Success and Failure. This category-level setting turns on every Account Logon subcategory, so besides Kerberos Service Ticket Operations (Event 4769) you also get Kerberos Authentication Service (4768, 4771) and Credential Validation (4776). Expect a large volume: every service ticket request handled by every DC is logged, so size the Security log, or forward it, accordingly.

   Note: On Windows Server 2008 R2 and later you can control this event more precisely with the subcategory-level setting under Advanced Audit Policy Configuration.

    Expand Computer Configuration and navigate to the Account Logon node (Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration->Audit Policies->Account Logon) and set Audit Kerberos Service Ticket Operations to Success and Failure. This is the setting to prefer: it logs 4769 without switching on the other Account Logon subcategories. When both a category-level and a subcategory-level setting exist, the subcategory setting wins as long as the security option 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is enabled, which is the effective default on Windows Server 2008 R2 and later.


    6. Run gpupdate /force from a command prompt on the domain controller to apply the Group Policy settings, or wait for the next regular policy refresh.


Enable Event 4769 via Auditpol

Auditpol.exe is the command-line utility for viewing and changing audit policy at the category and subcategory level. It ships with Windows Vista / Windows Server 2008 and later. With Auditpol you can get and set the system (computer-level) audit policy and per-user audit policy.

Note: Run Auditpol from an elevated command prompt (Run as administrator).

You can enable Event 4769 through the Kerberos Service Ticket Operations subcategory with the following commands:

Success audit:
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable
Failure audit:
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /failure:enable
Auditpol writes the local audit policy immediately, so no gpupdate is needed. Two caveats: the change applies only to the domain controller you ran it on, so repeat it on every DC (or use the GPO method); and if a GPO already defines the Kerberos Service Ticket Operations subcategory, the next Group Policy refresh, including gpupdate /force, overwrites whatever you set locally.
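As an added check (my own code, not from the original post) covering both the GPO and the Auditpol procedures above, the following PowerShell confirms on a domain controller that the subcategory is actually being audited, reports the override setting that decides whether the subcategory value beats the category value, triggers one service ticket request against the DC's own host SPN, and reads back the resulting 4769 events. It assumes an elevated PowerShell session on a DC; the use of klist get with host/<computername> to provoke a request is my choice, not something the post describes.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session
# on a domain controller after the GPO or auditpol steps to confirm the setting is
# effective and that 4769 events are actually arriving.

function Get-ServiceTicketAuditSetting {
    # /r makes auditpol emit CSV (Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting); the first line is blank.
    # The subcategory GUID {0CCE9240-69AE-11D9-BED3-505054503030} can be used instead
    # of the English name on localized systems.
    $row = auditpol /get /subcategory:"Kerberos Service Ticket Operations" /r |
        Where-Object { $_.Trim() } | ConvertFrom-Csv
    $row.'Inclusion Setting'   # 'Success and Failure', 'Success', 'Failure' or 'No Auditing'
}

function Get-SubcategoryOverride {
    # Registry value behind the security option 'Audit: Force audit policy subcategory
    # settings (Windows Vista or later) to override audit policy category settings'.
    # 1 means the subcategory value wins over the legacy category value.
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
}

function Get-Recent4769 {
    param([int]$Minutes = 10, [int]$Max = 10)
    # EventData order for 4769: TargetUserName, TargetDomainName, ServiceName, ServiceSid,
    # TicketOptions, TicketEncryptionType, IpAddress, IpPort, Status, LogonGuid, TransmittedServices.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddMinutes(-$Minutes) } -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ n = 'Account'; e = { $_.Properties[0].Value } },
            @{ n = 'Service'; e = { $_.Properties[2].Value } },
            @{ n = 'EType';   e = { '0x{0:X}' -f [int]$_.Properties[5].Value } },
            @{ n = 'Client';  e = { $_.Properties[6].Value } }
}

$setting = Get-ServiceTicketAuditSetting
"$env:COMPUTERNAME Kerberos Service Ticket Operations: $setting"
"SCENoApplyLegacyAuditPolicy: $(Get-SubcategoryOverride)"
if ($setting -notmatch 'Success') {
    Write-Warning 'Success auditing is off; ordinary ticket requests will not produce 4769.'
}

# Ask the KDC for a ticket to this DC's own host SPN so at least one fresh 4769 exists
# (the ::1 / MTSDC1$ pattern seen in the post's sample), then read recent events back.
klist get "host/$env:COMPUTERNAME" | Out-Null
Get-Recent4769 -Minutes 5
```

If the setting reads 'Success and Failure' right after auditpol but reverts after gpupdate /force, a GPO is defining the subcategory and that GPO, not the local policy, is what you need to change.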

Disable/Stop Event ID 4769

You can stop Event ID 4769 from being logged by disabling both success and failure auditing of the Kerberos Service Ticket Operations subcategory with the following command (on each domain controller):
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:disable /failure:disable
You can also stop this event in the Default Domain Controllers Policy, either at the category level (Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Audit Policy->Audit account logon events) or, preferably, at the subcategory level (Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration->Audit Policies->Account Logon->Audit Kerberos Service Ticket Operations). For the subcategory setting, set it explicitly to No Auditing rather than Not Configured: an advanced audit setting that is merely unconfigured leaves the last applied value in place on the DC. Keep in mind that 4769 is the main source of visibility into service ticket requests, including Kerberoasting attempts, so disabling it to save log space is usually the wrong trade; filtering or forwarding is the better answer.


Thanks,
Morgan
Software Developer
