Hi @Mirit Sadon
To work around this issue kindly follow the steps provided below.
- Press Start, search for, and open the Group Policy Management Console, or run the command gpmc.msc.
- Right-click on the domain or organizational unit (OU) that you want to audit, and click on Create a GPO in this domain, and Link it here.
- Name the Group Policy Object (GPO) as appropriate.
- Right-click on the newly created or already existing GPO, and choose Edit.
- In the Group Policy Management Editor, on the left pane, navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Logon.
- In the right pane, you will see a list of policies that are under Account Logon. Double-click on Audit Kerberos Authentication Service, and check the boxes labeled Configure the following audit events:, Success, and Failure.
- Perform the same actions for the policy Audit Kerberos Service Ticket Operations.
- Click on Apply, and then click on OK.
- Go back to the Group Policy Management Console, and on the left pane, right-click the OU in which the GPO was linked, and click on Group Policy Update. This step ensures that the new Group Policy settings are applied instantly instead of waiting for the next scheduled refresh.
*Steps to view Kerberos authentication events using Event Viewer
Once the above steps are complete, Kerberos authentication events will be stored in the event log. These events can be viewed in the Event Viewer by performing the following actions on the domain controller (DC):
- Press Start, search for Event Viewer, and click to open it.
- In the Event Viewer window, on the left pane, navigate to Windows log ⟶ Security.
- Here, you will find a list of all the Security Events that are logged in the system.
- On the right pane, under Security, click on Filter Current Log.
- n the pop-up window, enter the desired Event ID*, as referenced in the table below, in the field labeled <All Event IDs>.
- Click on OK. This will provide you with a list of occurrences of that Event ID.
- Double-click on the Event ID to view its Properties.
--
If the Answer is helpful, please click "Accept Answer" and upvote it.