event id 4768

MikeO 11

I am running a exchange 2016 server and have 2012 r2 DC
recently we noticed in our AD-Audit software the event ID 4768 is getting logged on the DC from the mail server
the error is below the part that is confusing that I can't find much info on is the username is host every time. there are no services running under a user account and the task scheduler does not have any failures, the error code 0x6 whih obviously I dont have a user named host on my domain

how would I go about diagnosing where this i coming from

<EventID>4768</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2022-07-06T15:38:04.014594200Z" />
<EventRecordID>15928985328</EventRecordID>
<Correlation />
<Execution ProcessID="604" ThreadID="1268" />
<Channel>Security</Channel>
<Computer>DC</Computer>
<Security />
</System>

<EventData>
<Data Name="TargetUserName">host</Data>

Joyce Shen - MSFT 16,641 Reputation points

2022-07-07T02:34:08.793+00:00

Hi @MikeO

Windows event ID 4768 is generated every time the Key Distribution Center (KDC) attempts to validate credentials, and this event is logged on domain controllers only and both success and failure instances of this event are logged.

When the Result Code equals “0x6” (the username doesn't exist)，which means: Client not found in Kerberos database. Bad user name, or new computer/user account has not replicated to DC yet.

There are many possible causes for this "0x6", since we are not know much information about your environment, it's hard to determine the exact cause. It is also possible that the factors you mentioned below.

Some related links for your reference:
Windows Security Log Event ID 4768
Event ID 4768 (0x6)

Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
Joyce Shen - MSFT 16,641 Reputation points

2022-07-12T06:59:48.047+00:00

Hi @MikeO

Any update so far about this question?
Jeff Poblocki 21 Reputation points

2023-01-05T20:34:33.177+00:00

We are still having this same issue. Has anyone made any progress solving it? It is cluttering our audit logs.

9 answers

Brent Stobbs 21 Reputation points

2022-08-01T02:32:42.577+00:00

I am having the exact same issue and have done so for several months. Unfortunately I cannot remember exactly how many months, but it did start occurring after a Windows Update, I just didn't have the bandwidth to investigate it until now.

Exchange Server 2016 CU 21

Not sure what is related but here is what I have found so far.

Installed the following May Windows Updates (NB: There are no Exchange specific updates here):
2022-05 Servicing Stack Update for Windows Server 2016 for x64-based Systems (KB5014026)
2022-05 Cumulative Update for .NET Framework 4.8 for Windows Server 2016 for x64 (KB5013625)
2022-05 Cumulative Update for Windows Server 2016 for x64-based Systems (KB5013952)

I started receiving a lot of logon failures for x509 CN=smtp.gmail.com...

Then Installed the June Windows Updates:
2022-06 Cumulative Update for Windows Server 2016 for x64-based Systems (KB5014702)
2022-06 Cumulative Update for .NET Framework 4.8 for Windows Server 2016 for x64 (KB5014630)

The X509 Logon failures stopped, and instead I started getting "Host" Logon Failures the same as the OP in this thread
Please sign in to rate this answer.
Raymond Hellberg 1 Reputation point

2022-08-10T09:03:32.283+00:00

BrentStobbs: Chiming in with the exact same experience with Exchange 2019 CU12, fully patched. I've been tearing my hair out to find the reason to no avail, must be som bug. Packet capture MAY indicate that his is generated when our Exchange server talks with MS/cloud Exchange, but not 100% sure.

Angelo S. Cassano 0 Reputation points

2023-01-23T18:26:45.29+00:00

Same exact issue with Exchange 2016 CU23 starting with the X509 logon failures followed by Host logon failures after the updates were installed.
Sign in to comment
Greg G 1 Reputation point

2022-09-20T05:38:16.793+00:00

Same issue since the Mai update.. The result is an huge amount of logs for nothing... If someone as a trick!?
Please sign in to rate this answer.
William Fulmer 16 Reputation points

2023-02-10T14:37:51.93+00:00

@MikeO @Jeff Poblocki - Any updates to your issue? We have a customer experiencing the same.

Jeff Poblocki 21 Reputation points

2023-02-11T14:45:18.2166667+00:00

@William Fulmer Nope. Still experiencing this issue.
Sign in to comment
Giannis Kotanidis 0 Reputation points

2023-02-24T17:25:06.7033333+00:00

Hi

I am facing the same issue, has anyone found any solutions ?

We have updated Exchange from 2016 to 2019 and still the same.

This issue is from Exchange or AD ?

Thank you
Please sign in to rate this answer.
Dean Wake 0 Reputation points

2023-06-02T14:18:27.3866667+00:00

Has anyone found a fix for this issue
Sign in to comment
Rowan Swanepoel 0 Reputation points

2023-06-19T12:09:42.74+00:00

Hey there. Got the same issue with my environment. AD AuditPlus started freaking out over User: Null bad login creds, error 4625. Found out it was a health mailbox (after disabling them). This issue came up around October 2022's .net and monthly security updates.

Logged a case with Microsoft

Ended up being the cname mail.protection.outlook.com is not registered as an SPN (Service Principal Name) host for mail.protection.outlook.com. Recommend to verify the configuration of mail.protection.outlook.com for constrained delegation
Please sign in to rate this answer.
Jeff Poblocki 21 Reputation points

2023-06-20T14:37:16.27+00:00

Hi Rowan,

Thanks for the information on this. Would you be able to provide a little bit more detail on this? What account did you setup constrained delegation for? How did you setup constrained delegation for mail.protection.outlook.com?

I am not sure we are having the same issue as the "User" in this situation is "Host" not "Null". But I will try disabling the health mailboxes to see if that helps.

Thanks!

Jeff
Sign in to comment