Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Security Evend ID: 4769

1,052 views
Skip to first unread message

Bigfoot

unread,
Oct 7, 2009, 12:19:01 PM10/7/09
to
I am running SBS2008 and I’m receiving hundreds of these errors a day. I’ve
looked for a solution but information on this error is sparse. A copy of the
error is below.

Event Type: Failure Audit
Event Source: Microsoft-Windows-Security-Auditing
Event Category: (14337)
Event ID: 4769
Date: 10/7/2009
Time: 8:40:02 AM
User: N/A
Computer: RCS-SBS.<internal domain name>
Description:
A Kerberos service ticket was requested.

Account Information:
Account Name: RCS-SBS$@<internal domain name>
Account Domain: <internal domain name>
Logon GUID: {00000000-0000-0000-0000-000000000000}

Service Information:
Service Name: krbtgt/<internal domain name>
Service ID: S-1-0-0

Network Information:
Client Address: ::1
Client Port: 0

Additional Information:
Ticket Options: 0x60810010
Ticket Encryption Type: 0xffffffff
Failure Code: 0xe
Transited Services: -

This event is generated every time access is requested to a resource such as
a computer or a Windows service. The service name indicates the resource to
which access was requested.

This event can be correlated with Windows logon events by comparing the
Logon GUID fields in each event. The logon event occurs on the machine that
was accessed, which is often a different machine than the domain controller
which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

--
Patrick
Systems Administrator

Robbin Meng [MSFT]

unread,
Oct 8, 2009, 5:29:55 AM10/8/09
to

Hello Patrick,

Thanks for your post.

You may use the Auditpol.exe command-line tool to configure the custom audit policy settings that you want. It is userd to sets the per-user audit policy, system audit policy,
or auditing options. To check the current audit status, please use "/get" parameter:

auditpol /get /category:"Account Logon" /subcategory:"Kerberos Service Ticket Operations"

Then you may try the following command using /Set parameter to disable failure audit to the Kerberos Service Ticket so that the Failure Audit event may not be recorded any
more.

auditpol /set /category:"Account Logon" /subcategory:"Kerberos Service Ticket Operations" /failure:disable

Note, please reboot the SBS server to take effect.

For more information, please refer to the following TechNet articles:

Auditpol set
http://technet.microsoft.com/en-us/library/cc755264(WS.10).aspx

How to use Group Policy to configure detailed security auditing settings for Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2008
domain, in a Windows Server 2003 domain, or in a Windows 2000 domain.
http://support.microsoft.com/kb/921469/en-us

Hope this helps. Also, if you have any questions or concerns, please do not hesitate to let me know.

Best regards,
Robbin Meng(MSFT)
Microsoft Online Newsgroup Support

==================================================================
Please post your SBS 2008 related questions to the SBS newsgroup on Connect website:
https://connect.microsoft.com/sbs08/community/discussion/richui/default.aspx

Please post your EBS related questions to the EBS newsgroup on Connect website:
https://connect.microsoft.com/ebs08/community/discussion/richui/default.aspx

If you want to use a newsreader other than a web forum to access these newsgroups,
please refer to the following blog to apply NNTP password and configure a newsreader:
http://msmvps.com/blogs/bradley/archive/2008/11/02/signing-up-for-the-sbs-2008-newsgroups.aspx
==================================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
==================================================================

Bigfoot

unread,
Oct 8, 2009, 12:50:01 PM10/8/09
to
Robbin,
Thank you for your response. I have attached a copy of the get command. I
will run the set command tonight and reboot the server. I don’t know much
about Kerberos security stuff so I have a couple questions. Will running the
set command actually “fix” something or is it just turning off the
notification of the Kerberos error? Can you explain what is causing the
error? Thanks.

auditpol /get /category:"Account Logon" /subcategory:"Kerberos Service
Ticket Operations"

System audit policy
Category/Subcategory Setting
Account Logon
Kerberos Service Ticket Operations Failure
Other Account Logon Events Failure
Kerberos Authentication Service Failure
Kerberos Service Ticket Operations Failure
Credential Validation Failure

Robbin Meng [MSFT]

unread,
Oct 9, 2009, 5:48:22 AM10/9/09
to

Hi Patrick,

Thanks for your quick reply.

As you know, the Event message level is "Information", means it's just a notification, you can ignore it which is a normal behavior( client sent request to DC to get a service
ticket), or disable the audit as you wish.

Please go ahead with the /set command to try to disable this audit if you like. For more information about the security events in Windows Vista and in Windows Server 2008,
please see KB947226.

Description of security events in Windows Vista and in Windows Server 2008
http://support.microsoft.com/kb/947226/en-us

Hope it helps.

Bigfoot

unread,
Oct 15, 2009, 12:17:10 PM10/15/09
to
Robbin,
Please forgive the slow response. For some reason I wasn't able to login in
the last couple days.

I wasn’t able to squeeze in the set command and reboot yet. To many things
happening. That may be a good thing because I thought of a couple more
questions for you prior to running the set command.

Will the set command disable only the message that we’re talking about or
will it block other Kerberos errors as well. My concern is other Kerberos
messages will not show if I disable these messages. Is that true?

These messages are not from the “informational” level. They are “Failure
Audit”. To me that means something failed or didn’t work as it was supposed
to. Could you explain what is causing the failure so I understand what’s not
working right?

--
Patrick
Systems Administrator

Robbin Meng [MSFT]

unread,
Oct 16, 2009, 3:44:55 AM10/16/09
to

Hi Patrick,

Thanks for your feedback.

Yes the command should disable only the message you are talking about(Event 4769) and will NOT affect other Kerberos audits, because it only close the subcategory:
Kerberos Service Ticket Operations failure audit which is under category: Account Logon as you can see from the command itself and the Get command results. Kerberos
Service Ticket Operations is only one of the Account Logon audits.

Please understand, as I indicated this kind of audit Event messages are always "Informational" type, not "Warning" or "Error" and the description is "A Kerberos service
ticket was requested." Windows uses this event ID for both successful and failed service ticket requests.

Service tickets are obtained whenever a user/system account or computer accesses a server on the network. For example, when a user maps a drive to a file server, the
resulting service ticket request generates event ID 4769 on the DC. For more information, you may refer to below article:

Event 4769 A Kerberos service ticket was requested
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4769#fields

Description of security events in Windows Vista and in Windows Server 2008
http://support.microsoft.com/kb/947226/en-us

Hope this helps.

0 new messages