4768 A Kerberos authentication ticket (TGT) was requested

This event is logged on domain controllers only; both success and failure instances are logged.

At the beginning of the day, when a user sits down at their workstation and enters a domain username and password, the workstation contacts a local DC and requests a TGT. If the username and password are correct and the user account passes status and restriction checks, the DC grants the TGT and logs event ID 4768 (authentication ticket granted).

If the ticket request fails, Windows logs either this event (4768) or event 4771, with failure as the type.

The User field for this event (and all other events in the Audit account logon event category) doesn’t help you determine who the user was; the field always reads N/A. Instead, look at the Account Information fields, which identify the user who logged on and the user account’s DNS suffix. The User ID field provides the SID of the account.

Windows logs other instances of event ID 4768 when a computer in the domain needs to authenticate to the DC, typically when a workstation boots up or a server restarts. In these instances, you’ll find a computer name in the User Name and fields. Computer-generated Kerberos events are always identifiable by the $ after the computer account’s name.

Microsoft’s Comments:

This event records that a Kerberos TGT was granted, actual access will not occur until a service ticket is granted, which is audited by Event 673. If the PATYPE is PKINIT, the logon was a smart card logon.

Result codes:

| Result code | Kerberos RFC description | Notes on common failure codes |
|---|---|---|
| 0x1 | Client’s entry in database has expired | |
| 0x2 | Server’s entry in database has expired | |
| 0x3 | Requested protocol version # not supported | |
| 0x4 | Client’s key encrypted in old master key | |
| 0x5 | Server’s key encrypted in old master key | |
| 0x6 | Client not found in Kerberos database | Bad user name, or new computer/user account has not replicated to DC yet |
| 0x7 | Server not found in Kerberos database | New computer account has not replicated yet or computer is pre-w2k |
| 0x8 | Multiple principal entries in database | |
| 0x9 | The client or server has a null key | Administrator should reset the password on the account |
| 0xA | Ticket not eligible for postdating | |
| 0xB | Requested start time is later than end time | |
| 0xC | KDC policy rejects request | Workstation restriction |
| 0xD | KDC cannot accommodate requested option | |
| 0xE | KDC has no support for encryption type | |
| 0xF | KDC has no support for checksum type | |
| 0x10 | KDC has no support for padata type | |
| 0x11 | KDC has no support for transited type | |
| 0x12 | Client’s credentials have been revoked | Account disabled, expired, locked out, logon hours. |
| 0x13 | Credentials for server have been revoked | |
| 0x14 | TGT has been revoked | |
| 0x15 | Client not yet valid – try again later | |
| 0x16 | Server not yet valid – try again later | |
| 0x17 | Password has expired | The user’s password has expired. |
| 0x18 | Pre-authentication information was invalid | Usually means bad password |
| 0x19 | Additional pre-authentication required* | |
| 0x1F | Integrity check on decrypted field failed | |
| 0x20 | Ticket expired | Frequently logged by computer accounts |
| 0x21 | Ticket not yet valid | |
| 0x22 | Request is a replay | |
| 0x23 | The ticket isn’t for us | |
| 0x24 | Ticket and authenticator don’t match | |
| 0x25 | Clock skew too great | Workstation’s clock too far out of sync with the DC’s |
| 0x26 | Incorrect net address | IP address change? |
| 0x27 | Protocol version mismatch | |
| 0x28 | Invalid msg type | |
| 0x29 | Message stream modified | |
| 0x2A | Message out of order | |
| 0x2C | Specified version of key is not available | |
| 0x2D | Service key not available | |
| 0x2E | Mutual authentication failed | May be a memory allocation failure |
| 0x2F | Incorrect message direction | |
| 0x30 | Alternative authentication method required* | |
| 0x31 | Incorrect sequence number in message | |
| 0x32 | Inappropriate type of checksum in message | |
| 0x3C | Generic error (description in e-text) | |
| 0x3D | Field is too long for this implementation | |

 


Account Information: 

  • Account Name:  logon name of the account that just authenticated
  • Supplied Realm Name: domain name of the account
  • User ID:   SID of the account

Service Information:

  • Service Name:  always “krbtgt”
  • Service ID:

Network Information:

  • Client Address:  IP address where user is present
  • Client Port:  source port 

Additional Information:

  • Ticket Options:  unknown.  Please start a discussion if you have information to share on this field.
  • Result Code:  error if any – see above table
  • Ticket Encryption Type: unknown.  Please start a discussion if you have information to share on this field.
  • Pre-Authentication Type: unknown.  Please start a discussion if you have information to share on this field. 

Certificate Information:

This information is only filled in if logging on with a smart card. 

  • Certificate Issuer Name:
  • Certificate Serial Number:
  • Certificate Thumbprint:


Success

A Kerberos authentication ticket (TGT) was requested.

Account Information:

   Account Name: Administrator
   Supplied Realm Name: acme-fr
   User ID: ACME-FR\administrator

Service Information:

   Service Name: krbtgt
   Service ID: ACME-FR\krbtgt

Network Information:

   Client Address: ::1
   Client Port: 0

Additional Information:

   Ticket Options: 0x40810010
   Result Code: 0x0
   Ticket Encryption Type: 0x12
   Pre-Authentication Type: 2

Certificate Information:  

   Certificate Issuer Name:
   Certificate Serial Number:
   Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

Failure

A Kerberos authentication ticket (TGT) was requested.

Account Information: 
   
   Account Name: nebuchadnezzar
   Supplied Realm Name: acme-fr
   User ID: NULL SID

Service Information:  

   Service Name: krbtgt/acme-fr
   Service ID: NULL SID

Network Information:

   Client Address: ::1
   Client Port: 0

Additional Information:

   Ticket Options: 0x40810010
   Result Code: 0x12
   Ticket Encryption Type: 0xffffffff
   Pre-Authentication Type: –

Certificate Information: 

   
   Certificate Issuer Name:
   Certificate Serial Number:
   Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
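
The following is an added example, not part of the original page: a small triage routine that reads 4768 message bodies in the layout shown above, separates computer accounts (trailing $) from users, and maps the Result Code to the notes in the result code table. The function names, the accounts jsmith and WKSTN01$, and the address 10.0.0.5 are constructed for illustration.

```python
import re
from collections import Counter

# Result codes and notes taken from the table on this page (common failures only).
RESULT_NOTES = {
    0x6: "Client not found in Kerberos database (bad user name / not replicated)",
    0x12: "Client's credentials revoked (disabled, expired, locked out, logon hours)",
    0x17: "Password has expired",
    0x18: "Pre-authentication information was invalid (usually bad password)",
    0x25: "Clock skew too great",
}
# Matches "Label: value" lines; section headers match too, with an empty value.
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z][A-Za-z -]*?):[ \t]*(.*?)[ \t]*$", re.M)

def triage(message):
    """Parse one 4768 message body and classify it."""
    f = dict(FIELD_RE.findall(message))
    code = int(f["Result Code"], 16)
    return {
        "account": f["Account Name"],
        "client": f["Client Address"],
        "is_computer": f["Account Name"].endswith("$"),  # computer accounts end in $
        "success": code == 0,
        "reason": "TGT granted" if code == 0 else RESULT_NOTES.get(code, f"0x{code:X} (see result code table)"),
    }

def user_failures(messages):
    """Count failed TGT requests per (user account, reason), skipping computers."""
    rows = (triage(m) for m in messages)
    return Counter((r["account"], r["reason"]) for r in rows
                   if not r["success"] and not r["is_computer"])

def make_event(account, code, client="10.0.0.5"):
    """Build a constructed 4768 message body in the layout shown on this page."""
    return (f"Account Information:\n   Account Name: {account}\n"
            f"Network Information:\n   Client Address: {client}\n"
            f"Additional Information:\n   Result Code: {code}\n")

# Constructed sample events; the first mirrors the Failure sample above.
SAMPLES = [
    make_event("nebuchadnezzar", "0x12", "::1"),
    make_event("jsmith", "0x18"), make_event("jsmith", "0x18"),
    make_event("WKSTN01$", "0x20"),
    make_event("Administrator", "0x0", "::1"),
]

if __name__ == "__main__":
    for (account, reason), n in user_failures(SAMPLES).items():
        print(f"{n}x {account}: {reason}")
```

Filtering on the trailing $ before counting keeps routine computer-account failures such as 0x20 out of the per-user failure totals.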