Windows 10: Huge number of Kerberos pre-authentication failed(4771) Event generates in DC but no...

Hi All,


Can you please help me to find out the reason of following issue.

In our domain after enabling audit we found that huge numbers(around 50k) of Kerberos pre-authentication failed(4771) security failure events are generating in DCs. If any one can explain why this events are generating so frequently. However I found no account lockout has happened. One sample event is as follows.

"

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 2019-08-05 09:40:05

Event ID: 4771

Task Category: Kerberos Authentication Service

Level: Information

Keywords: Audit Failure

User: N/A

Computer: DC.domain.com

Description:

Kerberos pre-authentication failed.


Account Information:

Security ID: domain\user

Account Name: user


Service Information:

Service Name: krbtgt/domain.com


Network Information:

Client Address: ::ffff:IP_address

Client Port: 57415


Additional Information:

Ticket Options: 0x40810010

Failure Code: 0x18

Pre-Authentication Type: 2


Certificate Information:

Certificate Issuer Name:

Certificate Serial Number:

Certificate Thumbprint:


Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
"

I can see that in few cases more than 100 events generated in 30 mins for one user. But no account lockout happened of that user because the failure code is 0x18.


I have checked that account lockout policy is also not satisfying for account unlocking. policy is as below.

Account Policies/Account Lockout Policy

Account lockout duration 0 minutes
Account lockout threshold 10 invalid logon attempts
Reset account lockout counter after 30 minutes

The reported users may use hand-held devices(certificate based) and can use multiple machines. I found the time difference between DC and End computers used by those affected users.


Please anyone can help me to investigate the root cause of huge numbers of logon failure/4771 events in our domain.

:)

 

Kerberos Pre-Authentication error

Hi Patrick,

I recommend that you log in with the user account which has this issue on the different computer connected to the same Domain and check if it makes any difference.

I also recommend that you refer to the article: 4771(F): Kerberos pre-authentication failed for further information on this error.

https://docs.microsoft.com/en-us/windows/securi...

Then I recommend that you post your query in TechNet forums, where the experts with knowledge on the issues connected with Domain computers can provide you with further assistance.

 

Error Kerberos Pre-Authentication failed on Windows 10 Domain computer

Hi,

Thank you for writing to Microsoft Community Forums.

Since you have mentioned that you are facing this issue with a specific user account, I suggest you to login with the same user account on any other computer connected to the same Domain and check if you get the same error.

You can also refer the article
4771(F): Kerberos pre-authentication failed for additional information on this error message.

However, since the computer is joined to a domain network, you can post your query in

TechNet forums, where we have support professionals who are well equipped with the knowledge on issues with Domain computers.

Hope it helps.

Nikhar Khare

Microsoft Community - Moderator

 

Kerberos pre-authentication failed

I've been getting a bunch of failed logins Event ID 4771 to be more specific on both DCs and it's pointing to a users computer. I couldn't find what's causing these errors or how to fix it, the user is still able to use the account and it doesn't get locked
out since it's set not too. Anybody have any insight on where to look?