event id 4768

MikeO 11 Reputation points
2022-07-06T18:29:49.5+00:00

I am running a exchange 2016 server and have 2012 r2 DC
recently we noticed in our AD-Audit software the event ID 4768 is getting logged on the DC from the mail server
the error is below the part that is confusing that I can't find much info on is the username is host every time. there are no services running under a user account and the task scheduler does not have any failures, the error code 0x6 whih obviously I dont have a user named host on my domain

how would I go about diagnosing where this i coming from

<EventID>4768</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2022-07-06T15:38:04.014594200Z" />
<EventRecordID>15928985328</EventRecordID>
<Correlation />
<Execution ProcessID="604" ThreadID="1268" />
<Channel>Security</Channel>
<Computer>DC</Computer>
<Security />
</System>

  • <EventData>
    <Data Name="TargetUserName">host</Data>
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
11,709 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,208 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,681 questions
Windows Server Infrastructure
Windows Server Infrastructure
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Infrastructure: A Microsoft solution area focused on providing organizations with a cloud solution that supports their real-world needs and meets evolving regulatory requirements.
504 questions
{count} votes

9 answers

Sort by: Most helpful
  1. MikeO 11 Reputation points
    2022-07-06T19:08:48.313+00:00

    I believe that the error on the mail server is event id 4625 with schannel being the culprit

    0 comments No comments

  2. Amit Singh 4,766 Reputation points
    2022-07-07T10:26:10.627+00:00

    Have you checked their credential manager to see if anything was stored in there?

    You can use the Process Monitor and check if any custom service was querying the certificate.

    4768 - The event will be generated when the user logon or some applications which need Kerberos authentication.

    Check this earlier discussion as well:
    https://social.technet.microsoft.com/Forums/windows/en-US/a7402757-375f-4ff1-90c7-de11cc579da4/event-id-4768?forum=winserver8gen
    Also, check the response from Microsoft Support - https://social.technet.microsoft.com/Forums/en-US/0cc005a4-0495-4f94-8cda-ad08450de60f/an-account-failed-to-log-on-unknown-username-or-password-causing-login-audit-failures?forum=smallbusinessserver

    0 comments No comments

  3. Limitless Technology 39,181 Reputation points
    2022-07-11T13:28:10.497+00:00

    Hi there,

    This problem can occur when a domain controller doesn't have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user's password has expired, or the wrong password was provided.

    Security Monitoring Recommendations https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768#security-monitoring-recommendations

    All 4768 events with Client Port field value > 0 and < 1024 should be examined, because a well-known port was used for outbound connection.

    I hope this information helps. If you have any questions please let me know and I will be glad to help you out.

    ---------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer--

    0 comments No comments

  4. Andrei Vlaic 1 Reputation point
    2022-07-12T15:50:55.22+00:00

    Have you installed the latest CU23 recently? We do see similar issues but we are not sure what is causing them yet.

    0 comments No comments

  5. TheAppGuru 1 Reputation point
    2022-07-16T12:21:50.067+00:00

    Do you have the June 2022 update such as KB5014742 or May OOB update KB5014987 for authentication issues installed?

    We are having the same issue in our environment and it started after a reboot from the June update which included the fix from the May OOB update.

    Uninstalled the June update and the errors seemed to have ceased.

    We also installed Exchange 2016 CU23 and the May 2022 security update, and are seeing random Outlook password prompts but wondering if that was related to the 4768 errors.

    I took a packet capture and viewed the Kerberos packets with the account name host. There are two SNameStrings in the packet, one contains “host” and one contains a server name. Comparing this to other KRB packets usually it contains the username and domain.

    I’m wondering if there’s an undocumented change in these updates or a some bug was introduced.

    0 comments No comments