Event ID 4769 w/ Failure Code 0x1b
Hi, We informed you that this event was coming by design as the auditing was turned on for Kerberos Service Ticket Requests. The event didn't point to any problem; it was just an informational event. You wanted some best practices for auditing. We sent you the following links:
http://blogs.technet.com/b/askds/archive/2008/03/27/one-stop-shop-for-auditing-in-windows-server-2008-and-windows-vista.aspx
http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
Regards, Yan Li TechNet Subscriber Support If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here. Yan Li TechNet Community Support
May 9th, 2012 1:09am

Lain, thanks for the reply. The event I posted was the resultant event on a SQL server in Forest 2 / Domain 2 in my hunt for SPN issues. Here is a sample event from the DC in Forest 1 that is holding the FSMO roles. I have not followed the links that you or Yan have provided but will do so. I definitely don't mind tuning auditing etc., but I always love (read in a sarcastic tone) when I read articles that state to turn the auditing off to avoid the messages. Kinda like sticking your head in the sand hoping it goes away. Anyway, the event is below; let me see if I can learn anything from your link and see if I can get more detail.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/9/2012 4:55:00 PM
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC02
Description: A Kerberos service ticket was requested.
Account Information:
Account Name: account@company.com
Account Domain: COMPANY.COM
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
Service Name: account@company.com
Service ID: NULL SID
Network Information:
Client Address: ::ffff:xxx.xxx.xxx.xxx
Client Port: 2283
Additional Information:
Ticket Options: 0x40810000
Ticket Encryption Type: 0xffffffff
Failure Code: 0x1b
Transited Services: -
This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
May 9th, 2012 1:09pm

I have been beating my head against a wall trying to trace this issue and I hope someone here can help out. First of all let me describe the environment in question:
Forest 1 - Single domain, Forest Functional Level 2008
Forest 2 - 4 domains, Parent and 3 child domains, Forest Functional Level 2008 R2
There is NO trust in either direction between these forests. Users are using Windows 7 workstations.
The situation is that users in Forest 1 are connecting to resources in Forest 2-Child2 using applications launched with RunAs, specifying credentials that are valid in the Forest2/Child2 domain. This all works... The issue however is that on the domain controllers in Forest 1 (especially the DC with all the FSMO roles) we log thousands of Audit Failure events with event ID 4769 and a Failure Code 0x1b. A lot of this cross-forest connectivity is done using tools like SQL Server Management Studio or Toad. Again, the connectivity works and the user(s) are able to access data as needed; it's just that our NOC is starting to beat us up over these "failed logins"... Now in my readings I have discovered this error translates to:
0x1B KDC_ERR_MUST_USE_USER2USER Server principal valid for user-to-user only.
Further research has led me down the deep dark rabbit hole of SPNs. I am not certain this is really a missing SPN or an incorrectly registered SPN.
On one of the SQL servers in Forest 2 / Domain 2 I see events such as:
Log Name: Application
Source: MSSQLSERVER
Date: 5/8/2012 9:53:47 PM
Event ID: 33205
Task Category: None
Level: Information
Keywords: Classic,Audit Success
User: N/A
Computer: SERVER123.child2.forest2.priv
Description: Audit event: event_time:2012-05-08 21:53:47.3956392 sequence_number:1 action_id:LGO succeeded:true permission_bitmask:0 is_column_permission:false session_id:83 server_principal_id:288 database_principal_id:0 target_server_principal_id:0 target_database_principal_id:0 object_id:0 class_type:LX session_server_principal_name:CHILD2\user server_principal_name:CHILD2\user server_principal_sid:01050000000000051500000086ff78cc3679b8cc8cadf75b60040000 database_principal_name: target_server_principal_name: target_server_principal_sid: target_database_principal_name: server_instance_name:SERVER123 database_name: schema_name: object_name: statement: additional_information:<action_info xmlns="http://schemas.microsoft.com/sqlserver/2008/sqlaudit_data"><pooled_connection>0</pooled_connection><total_cpu>0</total_cpu><reads>65</reads><writes>0</writes><is_dac>0</is_dac></action_info>
So what I am wondering is if this really is an SPN issue, or if the issue is simply that access is being requested between two forests that do not have a trust? If I have not provided enough details please let me know. Any assistance would be greatly appreciated!
May 9th, 2012 6:15pm

Hi, I understand your comment about turning logging off. In this situation, if you can find an appropriate level that suits the request (demand) from your directory administrators, then it might be worth pursuing; otherwise the notification isn't going to go anywhere. The real point of the post was just to make it clear that nothing is wrong, not with any SPNs or anything else; it's just a notification of your domain controller saying "hey, someone's asking me for something I am not able to fulfil, so I'll record a notification of the fact I told that client to go handle it directly with the peer". Cheers, Lain
May 9th, 2012 7:40pm


Hi, It's not an SPN issue, so you don't have to worry about that. Within the event itself there will be more information about the requesting party and so on, but in generic terms, a host is asking for a Kerberos ticket that the domain controller cannot provide as it's not responsible for the requested party. So, in response it says, "go handle it directly with the requesting user". Have a read of RFC 4120, section 3.7 if you want to dig deeper. In short, it's just a response directive, though obviously it's also an annoyance in that it's cluttering up the logs. You may want to take a look at this support article as it outlines a couple of registry items that can be used to configure the detail of Kerberos logging. This may or may not provide relief from the event log stress. Cheers, Lain
May 9th, 2012 8:21pm
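The practical problem in this thread is triage rather than repair: the NOC sees every 4769 with a non-zero Failure Code as a "failed login", while Lain's point is that 0x1b (KDC_ERR_MUST_USE_USER2USER in RFC 4120's error-code table) is the KDC redirecting the client, not a credential failure. The script below is an added example, not code from the thread or from Microsoft. It parses 4769 descriptions in the flattened one-line form the original poster pasted (the label names are taken from that event; the regex, the verdict buckets, the function names and the sample events with 192.0.2.x addresses are my own constructions), maps the Failure Code to its RFC 4120 name, files 0x1b under "informational" and everything else non-zero under "review", and counts which client addresses generate the 0x1b noise. It also flags the pattern visible in the quoted DC02 event, where the Service Name is the requesting user's own principal rather than a host SPN, without claiming anything about its cause.

```python
import re
from collections import Counter

# Kerberos error codes from RFC 4120, keyed by the hex value Windows writes
# into the "Failure Code" field of event 4769 (subset of the full table).
KRB_ERROR_CODES = {
    0x00: "KDC_ERR_NONE",
    0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    0x0D: "KDC_ERR_BADOPTION",
    0x0E: "KDC_ERR_ETYPE_NOSUPP",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x1B: "KDC_ERR_MUST_USE_USER2USER",
    0x1F: "KRB_AP_ERR_BAD_INTEGRITY",
    0x20: "KRB_AP_ERR_TKT_EXPIRED",
}

# 0x1b is the KDC telling the client to use user-to-user authentication for
# that principal; the thread treats it as a notification, not a failed logon.
INFORMATIONAL_CODES = {0x1B}

# Field labels exactly as they appear in the 4769 description. Forwarders often
# flatten the event onto one line, so match "Label: value" pairs anywhere.
FIELD_RE = re.compile(
    r"(Account Name|Service Name|Client Address|Ticket Options|Failure Code):\s*(\S+)"
)


def parse_4769(description):
    """Extract the triage fields from a 4769 description string."""
    fields = dict(FIELD_RE.findall(description))
    # int() with base 16 accepts the "0x" prefix Windows writes.
    fields["Failure Code"] = int(fields.get("Failure Code", "0x0"), 16)
    return fields


def classify(event):
    """Return (error name, verdict, notes) for a parsed 4769 event."""
    code = event["Failure Code"]
    name = KRB_ERROR_CODES.get(code, f"UNKNOWN_0x{code:x}")
    notes = []
    # Pattern from the thread's DC02 event: the "service" being requested is
    # the requesting user's own principal, not a host or service SPN.
    if event.get("Service Name", "").lower() == event.get("Account Name", "").lower():
        notes.append("service name is the requesting user principal, not an SPN")
    if code == 0:
        verdict = "success"
    elif code in INFORMATIONAL_CODES:
        verdict = "informational"
    else:
        verdict = "review"
    return name, verdict, notes


def summarize(descriptions):
    """Count events per (error name, verdict) so a dashboard can separate 0x1b
    redirects from failure codes that actually need a look."""
    counts = Counter()
    for d in descriptions:
        name, verdict, _ = classify(parse_4769(d))
        counts[(name, verdict)] += 1
    return counts


def noisy_clients(descriptions):
    """Which client addresses produce the 0x1b events (for tuning, not blocking)."""
    counts = Counter()
    for d in descriptions:
        ev = parse_4769(d)
        if ev["Failure Code"] in INFORMATIONAL_CODES:
            counts[ev.get("Client Address", "?")] += 1
    return counts


# Constructed sample input. The first entry is shaped like the DC02 event
# quoted in the thread; the rest are made up to exercise the other branches.
SAMPLE_EVENTS = [
    "A Kerberos service ticket was requested. Account Information: "
    "Account Name: account@company.com Account Domain: COMPANY.COM "
    "Service Information: Service Name: account@company.com Service ID: NULL SID "
    "Network Information: Client Address: ::ffff:192.0.2.10 Client Port: 2283 "
    "Additional Information: Ticket Options: 0x40810000 "
    "Ticket Encryption Type: 0xffffffff Failure Code: 0x1b Transited Services: -",
    "Account Name: bob@company.com Account Domain: COMPANY.COM "
    "Service Name: bob@company.com Service ID: NULL SID "
    "Client Address: ::ffff:192.0.2.20 Ticket Options: 0x40810000 Failure Code: 0x1b",
    "Account Name: alice@company.com Account Domain: COMPANY.COM "
    "Service Name: SERVER123$ Client Address: ::ffff:192.0.2.11 "
    "Ticket Options: 0x40810000 Failure Code: 0x0",
    "Account Name: alice@company.com Account Domain: COMPANY.COM "
    "Service Name: MSSQLSvc/nosuchhost.company.com:1433 "
    "Client Address: ::ffff:192.0.2.11 Ticket Options: 0x40810000 Failure Code: 0x7",
]

if __name__ == "__main__":
    for (name, verdict), n in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{n:4d}  {verdict:<13} {name}")
    print("0x1b sources:", dict(noisy_clients(SAMPLE_EVENTS)))
```

Feeding the script real exports (for example the Message field from Get-WinEvent, saved one event per line) gives the NOC a breakdown in which the 0x1b volume is labelled for what it is, while codes such as 0x7 or 0x18 still surface for review; the per-client count shows which hosts to look at if the audit subcategory is kept on and the volume needs to be understood rather than suppressed.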

