Question on Advanced Threat Analytics

Question

Question on Advanced Threat Analytics

Yao Lu 40

We're using SSO inside the org and still using on-premise ATA to monitor the alert of on-premise AD.

I logged into a server before in the office, and didn't log out. Today I worked from home and connected with our VPN, then I received an alert from ATA as following:

User's image

The error report indicates PreauthenticationRequired for krbtgt/(domain name). I wonder what the possible reason is.

Thank you.

Accepted answer

1 additional answer

Your answer

Answer 1

Thameur-BOURBITA 36,251

Hi @Yao Lu

I think you get this alert because the option "Do not require Kerberos preauthentication" is set on your account and when you connected without logout before, you used the kerberos ticket in the cache instead new kerberos ticket to preauthenticate to your domain.

Try to logout and logon and if you don't get the same error your can neglect it.

Please don't forget to accept helpful answer

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Thameur-BOURBITA 36,251 Reputation points

2024-01-12T21:26:37.1866667+00:00

@Yao Lu Just checking if there is any progress.

---Please don't forget to accept helpful answer

Answer 2

Daisy Zhou 32,421 Microsoft External Staff

Hello Yao Lu,

Thank you for posting in Q&A forum.

Please check if you can see event ID 4771 on one of the Domain Controllers with the same timestamp as the alert above.

4771(F): Kerberos pre-authentication failed.

This event (event ID 4771) is not generated if "Do not require Kerberos preauthentication" option is set for the account.

You can check if your account set this option.
Untitled

4771(F): Kerberos pre-authentication failed.

https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771

If you have any question or concern, please feel free to let us know.

Best Regards,

Daisy Zhou

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.

Yao Lu 40 Reputation points

2024-01-03T04:57:44.7733333+00:00

Hi Daisy,

Thank you for your information.

Today is our first working day, and we see several similar alerts, related to different in-production servers in our environment. We're not sure if they are threats.

I learned that 'Kerberos preauthentication is a security feature within Kerberos that helps prevent password-guessing attacks', however, our staff (include myself) didn't change their passwords recently, input the correct password when connected to our VPN, and didn't use a smart card logon.

So far, it looks like such alerts are only triggered when our staff are using VPN to connect to our org (work from home). I wonder if the reason is the IP ranges for our VPN are different from IP ranges in the office, so when subjects present the cached TGT to request tickets to access objects, (preauthentication) failure happens...

('A TGT includes a symmetric key, an expiration time, and the user’s IP address')

Thanks again.

Yao Lu

Share via

Question on Advanced Threat Analytics

1 additional answer

Your answer