Our three Active Directory domain controllers are collectively reporting thousands of 'Kerberos pre-authentication failed' events a week, where the IpAddress field is that of a domain controller (but always a different one) and the TargetSid field is the domain Administrator account. Looking at all those particular events, I also noticed that, with the exception of the EventData/IpPort field, which is random, and the EventData/IpAddress field, which is always a domain controller, all other EventData fields always have the same value.
The domain controllers are brand new and the Administrator account is not used on those machines. Not to start a service, not to run tasks, not for anything else. I'm 99.99% certain that it's not a compromised domain controller. Our domain controllers are healthy; dcdiag /q isn't reporting any issues.
I do not understand what is going on and need help understanding those particular events and why they are reported. Here is one of the events:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/>
<EventID>4771</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime='2020-11-23T14:52:18.851767600Z'/>
<EventRecordID>49462065</EventRecordID>
<Correlation/>
<Execution ProcessID='652' ThreadID='2348'/>
<Channel>Security</Channel>
<Computer>dc01.company.local</Computer>
<Security/>
</System>
<EventData>
<Data Name='TargetUserName'>Administrator</Data>
<Data Name='TargetSid'>S-1-5-21-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-500</Data>
<Data Name='ServiceName'>krbtgt/COMPANY.LOCAL</Data>
<Data Name='TicketOptions'>0x40810010</Data>
<Data Name='Status'>0x18</Data>
<Data Name='PreAuthType'>2</Data>
<Data Name='IpAddress'>::ffff:10.12.22.11</Data>
<Data Name='IpPort'>53321</Data>
<Data Name='CertIssuerName'></Data>
<Data Name='CertSerialNumber'></Data>
<Data Name='CertThumbprint'></Data>
</EventData>
</Event>
This page provides details explaining each field of the 4771 Kerberos pre-authentication failed events.
The 0x18 status failure code indicates the wrong password was provided. The IP address is the source of that failure. You should review the security log on the source host of the failure event and look for Event ID 4625 account logon failure events for the Administrator account. This event will give you the information needed to identify the process generating the logon failures.
You should also consider renaming the SID-500 Administrator account. This may inadvertently stop the 4771 events since the logon failures will no longer map to a valid domain principal. I would take any logon failures like this very seriously until they can be properly explained. Good luck!
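As an added example, not part of the question or of the answer above: the triage the answer describes, done in PowerShell. The first half pulls the 4771 events from each domain controller, reads the EventData fields out of the event XML (the same fields shown in the question's event), and keeps only the pattern described: RID-500 target, Status 0x18, source address belonging to a domain controller. The second half then opens the Security log on each of those source hosts and lists the 4625 logon failures for the same account, which carry the LogonType, ProcessName and caller process ID that a 4771 does not. The DC names, the account name and the 7-day window are placeholders, and the script assumes the caller can read remote Security logs (local Administrators or Event Log Readers on each host, with remote event log access reachable).

```powershell
# Added example (not from the question or the answer): correlate 4771 Kerberos
# pre-auth failures reported by the DCs with 4625 logon failures on the source hosts.
# Assumptions: DC names and account name are placeholders; the caller may read the
# remote Security logs (Administrators or Event Log Readers on each target host).
$DomainControllers = 'dc01.company.local', 'dc02.company.local', 'dc03.company.local'
$TargetUser        = 'Administrator'
$Since             = (Get-Date).AddDays(-7)

# Read the Name/value pairs out of an event's EventData into a hashtable.
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $map = @{}
    foreach ($node in $xml.Event.EventData.Data) { $map[$node.Name] = $node.'#text' }
    return $map
}

# Resolve the DC addresses once so each 4771 source IP can be classified.
$DcAddresses = @{}
foreach ($dc in $DomainControllers) {
    foreach ($ip in [System.Net.Dns]::GetHostAddresses($dc)) {
        $DcAddresses[$ip.IPAddressToString] = $dc
    }
}

# 1. Collect 4771 events from every DC.
$failures = foreach ($dc in $DomainControllers) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4771; StartTime = $Since } |
    ForEach-Object {
        $d = Get-EventDataMap -Record $_
        # IpAddress is logged as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip the prefix.
        $src     = $d['IpAddress'] -replace '^::ffff:', ''
        $srcHost = $DcAddresses[$src]          # $null when the source is not a DC
        [pscustomobject]@{
            ReportingDC = $dc
            Time        = $_.TimeCreated
            TargetUser  = $d['TargetUserName']
            TargetSid   = $d['TargetSid']
            Status      = $d['Status']
            PreAuthType = $d['PreAuthType']
            SourceIp    = $src
            SourcePort  = $d['IpPort']
            SourceIsDC  = [bool]$srcHost
            SourceHost  = $srcHost
        }
    }
}

# 2. Keep only the pattern from the question: RID-500 account, bad password, DC as source.
$pattern = $failures | Where-Object {
    $_.TargetSid -like '*-500' -and $_.Status -eq '0x18' -and $_.SourceIsDC
}
"4771 pre-auth failures for RID-500 with a DC as source, by reporting DC and source DC:"
$pattern | Group-Object ReportingDC, SourceHost | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. On each source host, find the matching 4625 logon failures for the account;
#    ProcessName / ProcessId identify what is presenting the bad credential.
foreach ($srcHost in ($pattern | Select-Object -ExpandProperty SourceHost -Unique)) {
    "4625 logon failures for $TargetUser on $srcHost since $Since"
    Get-WinEvent -ComputerName $srcHost -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } |
    ForEach-Object {
        $d = Get-EventDataMap -Record $_
        if ($d['TargetUserName'] -eq $TargetUser) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                LogonType   = $d['LogonType']
                Status      = $d['Status']
                SubStatus   = $d['SubStatus']
                ProcessName = $d['ProcessName']
                CallerPid   = $d['ProcessId']
                Workstation = $d['WorkstationName']
                SourceIp    = $d['IpAddress']
            }
        }
    } | Format-Table -AutoSize
}
```

If the second query returns nothing on a source DC even though that DC keeps appearing as the 4771 source, check that "Audit Logon" failure auditing is enabled there and that the Security log has not already rolled over the window, before concluding that the failing request is not originating from a local process.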