event id 4768

Question

I am running a exchange 2016 server and have 2012 r2 DC
recently we noticed in our AD-Audit software the event ID 4768 is getting logged on the DC from the mail server
the error is below the part that is confusing that I can't find much info on is the username is host every time. there are no services running under a user account and the task scheduler does not have any failures, the error code 0x6 whih obviously I dont have a user named host on my domain

how would I go about diagnosing where this i coming from

<EventID>4768</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2022-07-06T15:38:04.014594200Z" />
<EventRecordID>15928985328</EventRecordID>
<Correlation />
<Execution ProcessID="604" ThreadID="1268" />
<Channel>Security</Channel>
<Computer>DC</Computer>
<Security />
</System>

• <EventData>
  <Data Name="TargetUserName">host</Data>

Answer 1

I believe that the error on the mail server is event id 4625 with schannel being the culprit

Answer 2

Have you checked their credential manager to see if anything was stored in there?

You can use the Process Monitor and check if any custom service was querying the certificate.

4768 - The event will be generated when the user logon or some applications which need Kerberos authentication.

Check this earlier discussion as well:
https://social.technet.microsoft.com/Forums/windows/en-US/a7402757-375f-4ff1-90c7-de11cc579da4/event-id-4768?forum=winserver8gen
Also, check the response from Microsoft Support - https://social.technet.microsoft.com/Forums/en-US/0cc005a4-0495-4f94-8cda-ad08450de60f/an-account-failed-to-log-on-unknown-username-or-password-causing-login-audit-failures?forum=smallbusinessserver

Answer 3

Hi there,

This problem can occur when a domain controller doesn't have a certificate installed for smart card authentication (for example, with a “Domain Controller” or “Domain Controller Authentication” template), the user's password has expired, or the wrong password was provided.

Security Monitoring Recommendations https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768#security-monitoring-recommendations

All 4768 events with Client Port field value > 0 and < 1024 should be examined, because a well-known port was used for outbound connection.

I hope this information helps. If you have any questions please let me know and I will be glad to help you out.

---------------------------------------------------------------------------------------------------------------------------

--If the reply is helpful, please Upvote and Accept it as an answer--

Answer 4

Have you installed the latest CU23 recently? We do see similar issues but we are not sure what is causing them yet.

Answer 5

Do you have the June 2022 update such as KB5014742 or May OOB update KB5014987 for authentication issues installed?

We are having the same issue in our environment and it started after a reboot from the June update which included the fix from the May OOB update.

Uninstalled the June update and the errors seemed to have ceased.

We also installed Exchange 2016 CU23 and the May 2022 security update, and are seeing random Outlook password prompts but wondering if that was related to the 4768 errors.

I took a packet capture and viewed the Kerberos packets with the account name host. There are two SNameStrings in the packet, one contains “host” and one contains a server name. Comparing this to other KRB packets usually it contains the username and domain.

I’m wondering if there’s an undocumented change in these updates or a some bug was introduced.