This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 42%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
ello,
Can you explain that event log why this is happening? user changed password by himself and there is many logs like this:
how can i fix it? Many thanks
Kerberos pre-authentication failed
The domain controller attempted to validate the credentials for an account
Kerberos pre-authentication failed
The domain controller attempted to validate the credentials for an account
Kerberos pre-authentication failed
The domain controller attempted to validate the credentials for an account
Hi there,
What is the Event code that you get? If the credentials were successfully validated, the authenticating computer logs this event ID with the Result-Code field equal to “0x0”.
If the authenticating computer fails to validate the credentials, the same event ID 4776 is logged but with the Result-Code field not equal to “0x0”
This event generates every time that a credential validation occurs using NTLM authentication. The main advantage of this event is that on domain controllers you can see all authentication attempts for domain accounts when NTLM authentication was used.
You can read more about this in the below article. Problems with Kerberos authentication when a user belongs to many groups https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-authentication-problems-if-user-belongs-to-groups
4776(S, F): The computer attempted to validate the credentials for an account. https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776
-----------------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept it as an answer–
Hello, thank you for your reply.
Event code is 4771. I can see in logs 0x18 that the authenticating computer fails to validate the credentials. I contacted the user if he has any issues with password.
(User claims that he changed the password yesterday) but i can see still a lot of attempts. I can't see any fails in azure ad.
logs are from WinEventLog:Security
Failed login count in one minute. Do you have any ideas why this is happening? this could be a security rick?
19/05/2022 07:41 hostname 57
19/05/2022 08:04 hostname 48
19/05/2022 08:06 hostname 44
19/05/2022 08:03 hostname 43
19/05/2022 07:51 hostname 40
19/05/2022 07:38 hostname 38
19/05/2022 07:55 hostname 38
19/05/2022 08:10 hostname 33
19/05/2022 08:01 hostname 30
19/05/2022 07:48 hostname 27
19/05/2022 07:15 hostname 22
19/05/2022 07:45 hostname 18
19/05/2022 07:31 hostname 14
19/05/2022 07:40 hostname 10
19/05/2022 07:42 hostname 8
19/05/2022 07:57 hostname 8
I am wondering if that could be because user is using network drive?
I found intresting video on YT and could it be worth flush cache?
klist purge
https://www.youtube.com/watch?v=wNSfFBhLywk&ab_channel=SMBitSimplified