Windows 10: Huge number of Kerberos pre-authentication failed(4771) Event generates in DC but no...

Discus and support Huge number of Kerberos pre-authentication failed(4771) Event generates in DC but no... in AntiVirus, Firewalls and System Security to solve the problem; Hi All, Can you please help me to find out the reason of following issue. In our domain after enabling audit we found that huge numbers(around 50k)... Discussion in 'AntiVirus, Firewalls and System Security' started by debbasu, Aug 6, 2019.

  1. debbasu Win User

    Huge number of Kerberos pre-authentication failed(4771) Event generates in DC but no...


    Hi All,


    Can you please help me to find out the reason of following issue.

    In our domain after enabling audit we found that huge numbers(around 50k) of Kerberos pre-authentication failed(4771) security failure events are generating in DCs. If any one can explain why this events are generating so frequently. However I found no account lockout has happened. One sample event is as follows.

    "

    Log Name: Security

    Source: Microsoft-Windows-Security-Auditing

    Date: 2019-08-05 09:40:05

    Event ID: 4771

    Task Category: Kerberos Authentication Service

    Level: Information

    Keywords: Audit Failure

    User: N/A

    Computer: DC.domain.com

    Description:

    Kerberos pre-authentication failed.


    Account Information:

    Security ID: domain\user

    Account Name: user


    Service Information:

    Service Name: krbtgt/domain.com


    Network Information:

    Client Address: ::ffff:IP_address

    Client Port: 57415


    Additional Information:

    Ticket Options: 0x40810010

    Failure Code: 0x18

    Pre-Authentication Type: 2


    Certificate Information:

    Certificate Issuer Name:

    Certificate Serial Number:

    Certificate Thumbprint:


    Certificate information is only provided if a certificate was used for pre-authentication.

    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
    "

    I can see that in few cases more than 100 events generated in 30 mins for one user. But no account lockout happened of that user because the failure code is 0x18.


    I have checked that account lockout policy is also not satisfying for account unlocking. policy is as below.

    Account Policies/Account Lockout Policy

    Account lockout duration 0 minutes
    Account lockout threshold 10 invalid logon attempts
    Reset account lockout counter after 30 minutes

    The reported users may use hand-held devices(certificate based) and can use multiple machines. I found the time difference between DC and End computers used by those affected users.


    Please anyone can help me to investigate the root cause of huge numbers of logon failure/4771 events in our domain.

    :)
     
    debbasu, Aug 6, 2019
    #1

  2. Kerberos Pre-Authentication error

    Hi Patrick,

    I recommend that you log in with the user account which has this issue on the different computer connected to the same Domain and check if it makes any difference.

    I also recommend that you refer to the article: 4771(F): Kerberos pre-authentication failed for further information on this error.

    https://docs.microsoft.com/en-us/windows/securi...


    Then I recommend that you post your query in TechNet forums, where the experts with knowledge on the issues connected with Domain computers can provide you with further assistance.
     
    Greg Shapiro, Aug 6, 2019
    #2
  3. Nikhar_K Win User
    Error Kerberos Pre-Authentication failed on Windows 10 Domain computer

    Hi,

    Thank you for writing to Microsoft Community Forums.

    Since you have mentioned that you are facing this issue with a specific user account, I suggest you to login with the same user account on any other computer connected to the same Domain and check if you get the same error.

    You can also refer the article
    4771(F): Kerberos pre-authentication failed
    for additional information on this error message.

    However, since the computer is joined to a domain network, you can post your query in

    TechNet forums
    , where we have support professionals who are well equipped with the knowledge on issues with Domain computers.

    Hope it helps.

    Nikhar Khare

    Microsoft Community - Moderator
     
    Nikhar_K, Aug 6, 2019
    #3
  4. Huge number of Kerberos pre-authentication failed(4771) Event generates in DC but no...

    Kerberos pre-authentication failed

    I've been getting a bunch of failed logins Event ID 4771 to be more specific on both DCs and it's pointing to a users computer. I couldn't find what's causing these errors or how to fix it, the user is still able to use the account and it doesn't get locked
    out since it's set not too. Anybody have any insight on where to look?
     
    devilwearsnada8, Aug 6, 2019
    #4
Thema:

Huge number of Kerberos pre-authentication failed(4771) Event generates in DC but no...

Loading...
  1. Huge number of Kerberos pre-authentication failed(4771) Event generates in DC but no... - Similar Threads - Huge number Kerberos

  2. Event ID 158 generated for USB card reader

    in Windows 10 Drivers and Hardware
    Event ID 158 generated for USB card reader: At intervals I get audible tones for USB disconnect/reconnect. In the Event logs I have Event ID:158 generated for 3 of the 4 EMPTY drive assignments allocated to my USB card reader for no obvious reason. Why has it started and how do I stop it?...
  3. Pre-installed windows serial number

    in Windows 10 Updates and Activation
    Pre-installed windows serial number: Hello, I intend to buy a laptop which has windows 10 pre-installed, I want to make sure I won't lose it, so in case the activated windows copy was uninstalled for any reason, can I reinstall an unactivated windows copy using a bootable usb flash memory for example and...
  4. Kerberos Pre-Authentication error

    in Windows 10 Customization
    Kerberos Pre-Authentication error: I have a Windows 10 domain joined machine that keeps throwing up Kerberos pre-authentication every 20 minutes. It is a Surface Pro machine, I tried to clear Windows cashed credentials, then I scanned the computer. I managed to disable pre-authentication for the user via the...
  5. Error Kerberos Pre-Authentication failed on Windows 10 Domain computer

    in Windows 10 Network and Sharing
    Error Kerberos Pre-Authentication failed on Windows 10 Domain computer: Afternoon, We are having issues with a Windows 10 domain joined machine throwing up Kerberos pre-authentication failures every 15 mins or so, so after a few instances this causes the account to become locked out (the source IP of each event is the device itself) The...
  6. Windows 10 Kerberos pre-authentication failed

    in Windows 10 Network and Sharing
    Windows 10 Kerberos pre-authentication failed: Afternoon, We are having issues with a Windows 10 domain joined machine throwing up Kerberos pre-authentication failures every 15 mins or so, so after a few instances this causes the account to become locked out (the source IP of each event is the device itself) The...
  7. Windows Event log for Pre Failure of SSD's

    in Windows 10 BSOD Crashes and Debugging
    Windows Event log for Pre Failure of SSD's: Hello Team, We have encountered SSD failure issue in our organisation wherein we are losing data of customers and our existing hardware monitoring tool fails to identify the health of SSD. Can we get any event logs generated before failure of SSD so that we can implement in...
  8. Activation context generation failed Event Viewer

    in Windows 10 Software and Apps
    Activation context generation failed Event Viewer: Hi Guys Recently installed Office 2016 and it works fine, but i notice an Event Viewer error SideBySide 35 Activation context generation failed for "C:\Program Files (x86)\Microsoft Office\root\Office16\lync.exe.Manifest".Error in manifest or policy file "C:\Program...
  9. huge event log ,how can i fix it?

    in Windows 10 Performance & Maintenance
    huge event log ,how can i fix it?: hi from yesterday at every boot , i notice that my event log does grow up steadily and i haven't installed any software myevengviewer freezes , on microsoft even viewer i can see it's the security that increase of 32.000 very quickly , and the file security is around...
  10. Event Viewer limit number of entries

    in Windows 10 Support
    Event Viewer limit number of entries: I have a shortcut to open Event Viewer directly to System. Only need to see the most recent 100 entries. How can I limit the number? 105961