The following forum(s) have migrated to Microsoft Q&A: All English Windows Server forums!
Visit Microsoft Q&A to post new questions.
https://docs.microsoft.com/en-us/answers/products/windows
Windows Server General
What does it mean when the service name field equals to 'krbtgt' in Event_id 4769?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous
'threat-protection'
According to the discription of Event_id 4768 and 4769,
It's normal when the service name field equals to 'krbtgt\xxxx' in Event_id 4768, because TGS will recognize the ‘krbtgt’ to response ST.
But what does it mean when the service name field equals to 'krbtgt' in Event_id 4769? Is it normal or anomaly? Is it normal when 'krbtgt' account being accessed? In my opinion, the service name field in 4769 will mean the service that client account_name is requesting for, like host$, smb, cifs, etc.
Log like this:
04/11/2023 01:18:33 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4769
EventType=0
Type=Information
ComputerName=CCJSHDJS0021.xxxx.x****
TaskCategory=Kerberos Service Ticket Operations
OpCode=Info
RecordNumber=321322275432
Keywords=Audit Success
Message=A Kerberos service ticket was requested.
Account Information:
Account Name: CDJSD123P$@xxxx.x\*\*\*\*
Account Domain: xxxx.x\*\*\*\*
Logon GUID: {17262sss79-9F6-DEss6-7s8D-0Asssss912}
Service Information:
Service Name: **krbtgt**
Service ID: **xxxx\krbtgt**
Network Information:
Client Address: 10.13.8.6
Client Port: 56614
Additional Information:
Ticket Options: 0x40810010
Ticket Encryption Type: 0x12
Failure Code: 0x0
Transited Services:
Windows for home | Previous Windows versions | Security and privacy
Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.
2 answers
Sort by: Most helpful
-
Anonymous
2023-04-11T21:29:38+00:00 -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 44%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL%3C/text%3E%3C/svg%3E)
LemP 74,925 Reputation points Volunteer Moderator2023-04-11T21:26:21+00:00 The KRBTGT service is related to security for Active Directory on a server.
Questions about this topic are beyond the scope of this consumer-oriented forum.
Try asking here: https://techcommunity.microsoft.com/t5/windows-server/ct-p/Windows-Server