Active Directory Cross-forest authentication & EventID 4776 "The specified account does not exist"

Question

Let's say we have forestA and forestB. There is 2-way transitive trust between these forests.

A service tries to authenticate a user residing in forestB against a DC in forestA. This results in an authentication failure: EventID 4776 "The specified account does not exist" on the DC in forestA and (at the same time) a successful authentication on the DC in forestB. The service is successfully authenticated.

Is this normal behavior? The end result is a lot of unnecessary failed authentication events on the DC in forestA.

Answer 1

Hello Tim-1789,

Thank you for posting in Q&A forum.

authentication failure: EventID 4776 "The specified account does not exist" on the DC in forestA

A1: Event ID 4776 means NTLM authentication. This event generates every time that a credential validation occurs using NTLM authentication.

*
(at the same time) a successful authentication on the DC in forestB. The service is successfully authenticated.*
A2: Please check if the related successful event ID is 4771 (Kerberos authentication).

A service tries to authenticate a user residing in forestB against a DC in forestA

A3: I understand only Domain Controller in Forest B can authenticate the account in forest B.

4771(F): Kerberos pre-authentication failed.

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771

4776(S, F): The computer attempted to validate the credentials for an account.

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4776

I hope the information above is helpful.

If you have any questions or concerns, please feel free to let us know.

Best Regards,

Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.