Event ID 4769 w/ Failure Code 0x1b
Hi,
We informed you that this event was coming by design, as auditing was turned on for Kerberos Service Ticket Requests. The event didn't point to any problem; it was just an informational event.
You wanted some best practices for auditing. We sent you the following links:
http://blogs.technet.com/b/askds/archive/2008/03/27/one-stop-shop-for-auditing-in-windows-server-2008-and-windows-vista.aspx
http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
Regards,
Yan Li
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Yan Li
TechNet Community Support
May 9th, 2012 1:09am
Lain, thanks for the reply. The event I posted was the resultant event on a SQL server in Forest 2 / Domain 2 in my hunt for SPN issues. Here is a sample event from the DC in Forest 1 that is holding the FSMO roles. I have not followed the links that you or Yan have provided but will do so. I definitely don't mind tuning auditing etc., but I always love (read in a sarcastic tone) when I read articles that state to turn the auditing off to avoid the messages. Kinda like sticking your head in the sand hoping it goes away. Anyway, the event is below; let me see if I can learn anything from your link and see if I can get more detail.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/9/2012 4:55:00 PM
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC02
Description:
A Kerberos service ticket was requested.
Account Information:
  Account Name: account@company.com
  Account Domain: COMPANY.COM
  Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
  Service Name: account@company.com
  Service ID: NULL SID
Network Information:
  Client Address: ::ffff:xxx.xxx.xxx.xxx
  Client Port: 2283
Additional Information:
  Ticket Options: 0x40810000
  Ticket Encryption Type: 0xffffffff
  Failure Code: 0x1b
  Transited Services: -
This event is generated every time access is requested to a resource such as a computer or a Windows service.
The service name indicates the resource to which access was requested.
This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.
The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
May 9th, 2012 1:09pm
I have been beating my head against a wall trying to trace this issue and I hope someone here can help out. First of all let me describe the environment in question:
Forest 1 - Single domain Forest Functional Level 2008
Forest 2 - 4 domains, Parent and 3 child domains Forest Functional Level 2008 R2
There is NO trust in either direction between these forests
Users are using Windows 7 workstations
The situation is that users in Forest 1 are connecting to resources in Forest 2-Child2 using applications launched with RunAs, specifying credentials that are valid in the Forest2/Child2 domain. This all works... The issue, however, is that on the domain controllers in Forest 1 (especially the DC with all the FSMO roles) we log thousands of Audit Failure events with event ID 4769 and a Failure Code 0x1b. A lot of this cross-forest connectivity is done using tools like SQL Server Management Studio or Toad. Again, the connectivity works and the user(s) are able to access data as needed; it's just that our NOC is starting to beat us up over these "failed logins"...
Now in my readings I have discovered this error translates to:
0x1B KDC_ERR_MUST_USE_USER2USER Server principal valid for user-to-user only.
Further research has led me down the deep dark rabbit hole of SPNs. I am not certain this is really a missing SPN or an incorrectly registered SPN. On one of the SQL servers in Forest 2 / Domain 2 I see events such as:
Log Name: Application
Source: MSSQLSERVER
Date: 5/8/2012 9:53:47 PM
Event ID: 33205
Task Category: None
Level: Information
Keywords: Classic,Audit Success
User: N/A
Computer: SERVER123.child2.forest2.priv
Description:
Audit event: event_time:2012-05-08 21:53:47.3956392
sequence_number:1
action_id:LGO
succeeded:true
permission_bitmask:0
is_column_permission:false
session_id:83
server_principal_id:288
database_principal_id:0
target_server_principal_id:0
target_database_principal_id:0
object_id:0
class_type:LX
session_server_principal_name:CHILD2\user
server_principal_name:CHILD2\user
server_principal_sid:01050000000000051500000086ff78cc3679b8cc8cadf75b60040000
database_principal_name:
target_server_principal_name:
target_server_principal_sid:
target_database_principal_name:
server_instance_name:SERVER123
database_name:
schema_name:
object_name:
statement:
additional_information:<action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data"><pooled_connection>0</pooled_connection><total_cpu>0</total_cpu><reads>65</reads><writes>0</writes><is_dac>0</is_dac></action_info>
So what I am wondering is if this really is an SPN issue, or if the issue is simply that access is being requested between two forests that do not have a trust? If I have not provided enough details, please let me know. Any assistance would be greatly appreciated!
May 9th, 2012 6:15pm
Hi,
I understand your comment about turning logging off.
In this situation, if you can find an appropriate level that suits the request (demand) from your directory administrators, then it might be worth pursuing otherwise the notification isn't going to go anywhere.
The real point of the post was just to make it clear that nothing is wrong, not with any SPNs or anything else; it's just a notification of your domain controller saying "hey, someone's asking me for something I am not able to fulfil, so I'll record a notification of the fact I told that client to go handle it directly with the peer".
Cheers,
Lain
May 9th, 2012 7:40pm
Hi,
It's not an SPN issue, so you don't have to worry about that.
Within the event itself there will be more information about the requesting party and so on, but in generic terms, a host is asking for a Kerberos ticket that the domain controller cannot provide as it's not responsible for the requested party. So, in response it says, "go handle it directly with the requesting user". Have a read of RFC 4120, section 3.7 if you want to dig deeper.
In short, it's just a response directive, though obviously it's also an annoyance in that it's cluttering up the logs.
You may want to take a look at this support article, as it outlines a couple of registry items that can be used to configure the detail of Kerberos logging. This may or may not provide relief from the event log stress.
Cheers,
Lain
May 9th, 2012 8:21pm
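The triage script below is an added example, not something posted by anyone in this thread, for the situation described above: the Forest 1 DCs record 4769 Audit Failures with Failure Code 0x1b that Lain explains are benign, but the NOC still needs to know which clients and which requested service names are producing them before anyone touches the audit policy. It reads the Security log on a DC with Get-WinEvent, keeps only the 0x1b events, and groups them by client address and service name. The parameter names, the `$Hours` window and the assumption that the caller can read the Security log on the DC (for example via Event Log Readers membership) are mine; the EventData field names used (TargetUserName, ServiceName, IpAddress, IpPort, Status) are the standard ones carried by event 4769.

```powershell
# Added example, not from the thread: summarise Kerberos service-ticket request
# failures with status 0x1b (KDC_ERR_MUST_USE_USER2USER) on a domain controller.
# Assumes the caller can read the Security log on $ComputerName; the parameter
# names below are this example's own.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24,
    [string]$FailureCode = '0x1b'
)

# Event 4769 = "A Kerberos service ticket was requested"; look back $Hours only.
$filter = @{
    LogName   = 'Security'
    Id        = 4769
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

# Read the named EventData fields from each event's XML instead of parsing the
# rendered message text, which changes with the display language.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Status holds the Kerberos error code shown as "Failure Code" in the viewer.
    if ($data['Status'] -ne $FailureCode) { continue }

    [pscustomobject]@{
        Time             = $e.TimeCreated
        Account          = $data['TargetUserName']
        ServiceName      = $data['ServiceName']
        # 4769 records IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip the prefix.
        ClientIP         = ($data['IpAddress'] -replace '^::ffff:', '')
        ClientPort       = $data['IpPort']
        # In the DC event posted in this thread, Service Name equals Account Name;
        # flag that pattern so it can be grouped apart from requests for real SPNs.
        ServiceIsAccount = ($data['ServiceName'] -eq $data['TargetUserName'])
        Status           = $data['Status']
    }
}

"{0} events with status {1} in the last {2} hours on {3}" -f @($rows).Count, $FailureCode, $Hours, $ComputerName

# Top client/service pairs: the list to hand to the NOC, or to use when deciding
# which sources (e.g. the RunAs SQL tooling) are expected noise.
$rows |
    Group-Object ClientIP, ServiceName, ServiceIsAccount |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name
```

Run it against each Forest 1 DC (the FSMO holder first, since that is where most of the volume is), either locally or with -ComputerName from a host that can reach the remote event log service. Once the output shows that the 0x1b events come only from the known RunAs workstations and service names, the NOC has a concrete allow-list to suppress, which is a narrower change than turning off Kerberos Service Ticket Operations auditing altogether.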