Pati-8143 asked

Event logs - The domain controller attempted to validate the credentials for an account

Hello,

Can you explain this event log and why this is happening? The user changed his password himself and there are many logs like this:

How can I fix it? Many thanks

Kerberos pre-authentication failed

The domain controller attempted to validate the credentials for an account

Kerberos pre-authentication failed

The domain controller attempted to validate the credentials for an account

Kerberos pre-authentication failed

The domain controller attempted to validate the credentials for an account

windows-10-security

LimitlessTechnology-2700 answered

Hi there,

What is the Event code that you get? If the credentials were successfully validated, the authenticating computer logs this event ID with the Result-Code field equal to “0x0”.

If the authenticating computer fails to validate the credentials, the same event ID 4776 is logged but with the Result-Code field not equal to “0x0”.

This event generates every time that a credential validation occurs using NTLM authentication. The main advantage of this event is that on domain controllers you can see all authentication attempts for domain accounts when NTLM authentication was used.

You can read more about this in the below article.

Problems with Kerberos authentication when a user belongs to many groups https://docs.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-authentication-problems-if-user-belongs-to-groups

4776(S, F): The computer attempted to validate the credentials for an account. https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776



--If the reply is helpful, please Upvote and Accept it as an answer–
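
A triage sketch for the events discussed in this thread, added as an example and not code from any poster or from Microsoft: it reads exported Security-log event XML, keeps failed 4776 validations (Status other than 0x0) and 4771 pre-authentication failures, and counts them per source so the machine generating the failures stands out. The sample events, the account name `jdoe` and the host names are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# EventData field that names the requesting machine in each event type.
SOURCE_FIELD = {"4771": "IpAddress", "4776": "Workstation"}
STATUS_NAMES = {"0x18": "KDC_ERR_PREAUTH_FAILED",
                "0xc000006a": "STATUS_WRONG_PASSWORD"}

def failed_logon_sources(events_xml):
    """Count failed 4771/4776 events per (event id, user, source, status)."""
    counts = Counter()
    for raw in events_xml:
        root = ET.fromstring(raw)
        event_id = root.findtext("e:System/e:EventID", namespaces=NS)
        if event_id not in SOURCE_FIELD:
            continue  # not a credential-validation event
        data = {d.get("Name"): (d.text or "").strip()
                for d in root.iterfind("e:EventData/e:Data", NS)}
        status = data.get("Status", "").lower()
        if event_id == "4776" and int(status or "0", 16) == 0:
            continue  # 4776 with 0x0 is a successful validation
        source = data.get(SOURCE_FIELD[event_id], "") or "(blank)"
        if source.startswith("::ffff:"):
            source = source[7:]  # IPv4-mapped form used in 4771
        key = (event_id, data.get("TargetUserName", ""), source,
               STATUS_NAMES.get(status, status))
        counts[key] += 1
    return counts

def sample_event(event_id, **fields):
    """Build a minimal, constructed event in the Security-log XML schema."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{data}</EventData></Event>')

# Constructed sample input: account and host names are placeholders.
SAMPLE = (
    [sample_event(4771, TargetUserName="jdoe",
                  IpAddress="::ffff:10.0.0.25", Status="0x18")] * 3
    + [sample_event(4776, TargetUserName="jdoe",
                    Workstation="FILESRV01", Status="0xC000006A")] * 2
    + [sample_event(4776, TargetUserName="jdoe",
                    Workstation="PC-JDOE", Status="0x0")]
    + [sample_event(4624, TargetUserName="jdoe")]
)

if __name__ == "__main__":
    for key, n in failed_logon_sources(SAMPLE).most_common():
        print(n, *key)
```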


Hello, thank you for your reply.

Event code is 4771. I can see in logs 0x18 that the authenticating computer fails to validate the credentials. I contacted the user to ask if he has any issues with his password.
(The user claims that he changed the password yesterday) but I can still see a lot of attempts. I can't see any failures in Azure AD.

Logs are from WinEventLog:Security

Failed login count in one minute. Do you have any ideas why this is happening? Could this be a security risk?

19/05/2022 07:41 hostname 57
19/05/2022 08:04 hostname 48
19/05/2022 08:06 hostname 44
19/05/2022 08:03 hostname 43
19/05/2022 07:51 hostname 40
19/05/2022 07:38 hostname 38
19/05/2022 07:55 hostname 38
19/05/2022 08:10 hostname 33
19/05/2022 08:01 hostname 30
19/05/2022 07:48 hostname 27
19/05/2022 07:15 hostname 22
19/05/2022 07:45 hostname 18
19/05/2022 07:31 hostname 14
19/05/2022 07:40 hostname 10
19/05/2022 07:42 hostname 8
19/05/2022 07:57 hostname 8

Pati-8143 answered

I am wondering if that could be because the user is using a network drive?

I found an interesting video on YT; could it be worth flushing the cache?

klist purge

https://www.youtube.com/watch?v=wNSfFBhLywk&ab_channel=SMBitSimplified
