Windows Server Essentials Experience and Event 4768 on 2012 R2 Domain Controller

I have a Server 2012 R2 Standard Domain Controller with Windows Server Essentials Experience installed. I see that there are several scheduled tasks associated with WSE. Two of them are set to run at the same time every 30 minutes. These are Alert Evaluations and Macintosh Status Report. When these tasks run, I get about 250 Audit Failure log entries in my security log with event ID 4768 with the comment that "A Kerberos authentication ticket (TGT) was requested." A sample log entry is below.

These events are creating thousands of what I assume are false positive logon failure reports every day and they make it hard for me to find actual logon failures. How can I prevent them from being generated? (Note: I am seeing other Audit Failure / Event ID 4768 entries here and there and would love to get rid of them all, but the only time I am bombarded with events is when the Alert Evaluations and/or Macintosh Status Report tasks are run.)

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/25/2015 12:11:54 AM
Event ID:      4768
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      ad1.ad.mydomain.com
Description:
A Kerberos authentication ticket (TGT) was requested.

Account Information:
Account Name: S-1-5-21-2541659492-2133024706-1076218658-1002
Supplied Realm Name: AD.MYDOMAIN.COM
User ID: NULL SID

Service Information:
Service Name: krbtgt/AD.MYDOMAIN.COM
Service ID: NULL SID

Network Information:
Client Address: ::1
Client Port: 0

Additional Information:
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: 0xFFFFFFFF
Pre-Authentication Type: -

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4768</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-08-25T04:11:54.401893100Z" />
    <EventRecordID>39022701</EventRecordID>
    <Correlation />
    <Execution ProcessID="748" ThreadID="4996" />
    <Channel>Security</Channel>
    <Computer>ad1.ad.mydomain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">S-1-5-21-2541659492-2133024706-1076218658-1002</Data>
    <Data Name="TargetDomainName">AD.MYDOMAIN.COM</Data>
    <Data Name="TargetSid">S-1-0-0</Data>
    <Data Name="ServiceName">krbtgt/AD.MYDOMAIN.COM</Data>
    <Data Name="ServiceSid">S-1-0-0</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x6</Data>
    <Data Name="TicketEncryptionType">0xffffffff</Data>
    <Data Name="PreAuthType">-</Data>
    <Data Name="IpAddress">::1</Data>
    <Data Name="IpPort">0</Data>
    <Data Name="CertIssuerName">
    </Data>
    <Data Name="CertSerialNumber">
    </Data>
    <Data Name="CertThumbprint">
    </Data>
  </EventData>
</Event>


August 25th, 2015 1:26am

This topic is archived. No further replies will be accepted.
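One way to separate the pattern in the sample entry (Result Code 0x6, which RFC 4120 defines as KDC_ERR_C_PRINCIPAL_UNKNOWN, requested from the loopback address with a SID string as the account name) from other failed TGT requests when reviewing exported events. This is an added example, not part of the original post; it assumes events exported as XML, and the category names, function names and sample events are constructed for illustration. It only sorts events for review and does not change what the domain controller audits.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_FAILURE = 0x0010000000000000   # Audit Failure bit in <Keywords>
PRINCIPAL_UNKNOWN = 0x6              # RFC 4120 KDC_ERR_C_PRINCIPAL_UNKNOWN
LOOPBACK = {"::1", "127.0.0.1"}
SID_RE = re.compile(r"S-1-\d+(-\d+)+")

def parse_event(xml_text):
    """Flatten one exported Security event into a dict of its named fields."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "").strip()
              for d in root.iterfind("e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", "", NS)
    fields["Keywords"] = root.findtext("e:System/e:Keywords", "0x0", NS)
    return fields

def classify(f):
    """'ignore': not a 4768 failure; 'local-sid-noise': the pattern in the
    sample entry; 'review': every other failed TGT request."""
    if f["EventID"] != "4768" or not int(f["Keywords"], 16) & AUDIT_FAILURE:
        return "ignore"
    if (int(f["Status"], 16) == PRINCIPAL_UNKNOWN
            and f["IpAddress"] in LOOPBACK
            and SID_RE.fullmatch(f["TargetUserName"])):
        return "local-sid-noise"
    return "review"

def triage(xml_events):
    """Return (count of local noise events, list of events left to review)."""
    noise, review = 0, []
    for f in map(parse_event, xml_events):
        kind = classify(f)
        if kind == "local-sid-noise":
            noise += 1
        elif kind == "review":
            review.append((f["TargetUserName"], f["IpAddress"], f["Status"]))
    return noise, review

# Constructed sample events; the first copies the fields of the sample entry.
TEMPLATE = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><EventID>4768</EventID><Keywords>{kw}</Keywords></System><EventData>'
            '<Data Name="TargetUserName">{user}</Data><Data Name="Status">{status}</Data>'
            '<Data Name="IpAddress">{ip}</Data></EventData></Event>')
FAIL, OK = "0x8010000000000000", "0x8020000000000000"
SAMPLE = [TEMPLATE.format(kw=k, user=u, status=s, ip=i) for k, u, s, i in [
    (FAIL, "S-1-5-21-2541659492-2133024706-1076218658-1002", "0x6", "::1"),
    (FAIL, "jdoe", "0x12", "::ffff:192.0.2.15"),        # 0x12: client revoked
    (FAIL, "svc-backup", "0x6", "::ffff:192.0.2.40"),   # unknown name, remote
    (OK, "alice", "0x0", "::ffff:192.0.2.20")]]
```

Calling `triage(SAMPLE)` counts the loopback SID lookup as noise and leaves the two network-originated failures in the review list.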
