Hello,
Thank you so much for posting here.
This event generates every time the Key Distribution Center fails to issue a Kerberos Ticket Granting Ticket (TGT). This problem can occur when a domain controller doesn’t have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user’s password has expired, or the wrong password was provided.
event ID 4771 (0x18) : KDC_ERR_PREAUTH_FAILED means "The wrong password was provided".
Reference: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4771
If we enter the wrong password, there will be recorded logs 4771. We are wondering whether there are lots of 4771 logs? Is the same account or client address logged on this event 4771?
As mentioned, there are 4771 logs, but no lockout. So the account still could be logged on at last, right?
For any question, please feel free to contact us.
Best regards,
Hannah Xiong
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.