
What does it mean when the service name field equals 'krbtgt' in Event_id 4769?

Anonymous
2023-04-11T05:14:08+00:00

'threat-protection'

According to the description of Event_id 4768 and 4769,

It's normal when the service name field equals 'krbtgt\xxxx' in Event_id 4768, because the TGS will recognize the 'krbtgt' to respond with an ST.

But what does it mean when the service name field equals 'krbtgt' in Event_id 4769? Is it normal or an anomaly? Is it normal for the 'krbtgt' account to be accessed? In my opinion, the service name field in 4769 should mean the service that the client account_name is requesting, like host$, smb, cifs, etc.

Log like this:

04/11/2023 01:18:33 PM

LogName=Security

SourceName=Microsoft Windows security auditing.

EventCode=4769

EventType=0

Type=Information

ComputerName=CCJSHDJS0021.xxxx.x****

TaskCategory=Kerberos Service Ticket Operations

OpCode=Info

RecordNumber=321322275432

Keywords=Audit Success

Message=A Kerberos service ticket was requested.

Account Information:

Account Name:		CDJSD123P$@xxxx.x****

Account Domain:		xxxx.x****

Logon GUID:		{17262sss79-9F6-DEss6-7s8D-0Asssss912} 

Service Information:

Service Name:		**krbtgt** 

Service ID:		**xxxx\krbtgt** 

Network Information:

Client Address:		10.13.8.6 

Client Port:		56614 

Additional Information:

Ticket Options:		0x40810010

Ticket Encryption Type:	0x12 

Failure Code:		0x0 

Transited Services:

Locked Question. This question was migrated from the Microsoft Support Community.

2 answers

  1. Anonymous
    2023-04-11T21:29:38+00:00
  2. LemP 74,925 Reputation points Volunteer Moderator
    2023-04-11T21:26:21+00:00

    The KRBTGT service is related to security for Active Directory on a server.

    Questions about this topic are beyond the scope of this consumer-oriented forum.

    Try asking here: https://techcommunity.microsoft.com/t5/windows-server/ct-p/Windows-Server