ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows Event Viewer displaying Kerberos authentication security logs on a domain controller monitoring station
Event ID 4768InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4768 – Microsoft-Windows-Security-Auditing: Kerberos Authentication Ticket (TGT) Requested

Event ID 4768 logs when a user or service requests a Kerberos Ticket Granting Ticket (TGT) from a domain controller during authentication.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4768Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 4768 represents the core of Kerberos authentication logging in Windows Active Directory environments. When a user logs into a domain-joined computer, the first authentication step involves requesting a TGT from the domain controller's KDC service. This request generates a 4768 event containing detailed information about the authentication attempt.

The event captures both successful and failed TGT requests, making it invaluable for security monitoring and troubleshooting. Failed attempts often indicate password issues, account lockouts, time synchronization problems, or potential brute force attacks. The event includes the requesting account name, client IP address, encryption types supported by the client, and specific result codes that help diagnose authentication failures.

In modern Windows environments, 4768 events can generate significant log volume, especially in large organizations with frequent authentication activity. Domain controllers may log thousands of these events per hour during peak usage periods. The event structure includes fields for account information, network details, authentication options, and failure codes that provide comprehensive visibility into the authentication process.

Security teams leverage 4768 events for threat detection, focusing on patterns like multiple failed attempts from single IP addresses, authentication attempts outside business hours, or requests for high-privilege accounts. The event also supports compliance requirements by providing an audit trail of all authentication attempts against the domain.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • User logging into a domain-joined computer or server
  • Service account requesting authentication for automated processes
  • Computer account authenticating during startup or scheduled tasks
  • Application requesting Kerberos authentication to access domain resources
  • Password change operations requiring re-authentication
  • Failed authentication attempts due to incorrect passwords
  • Account lockout scenarios preventing successful TGT requests
  • Time synchronization issues between client and domain controller
  • Kerberos policy violations or encryption type mismatches
  • Network connectivity problems during authentication attempts
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific 4768 event details to understand the authentication context and identify any failure codes.

  1. Open Event Viewer on the domain controller
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4768 using Filter Current Log
  4. Double-click a 4768 event to view detailed information
  5. Review key fields:
    • Account Name: The requesting user or service account
    • Account Domain: Domain of the requesting account
    • Client Address: IP address of the authentication request
    • Result Code: Success (0x0) or specific failure code
    • Ticket Encryption Type: Encryption method used
    • Pre-Authentication Type: Authentication method employed
  6. For failed attempts, note the Failure Code and Sub Status values
  7. Cross-reference the timestamp with user reports or system events
Pro tip: Common failure codes include 0x6 (bad username), 0x12 (account disabled), 0x17 (password expired), and 0x18 (account locked out).
02

Query Events with PowerShell Filtering

Use PowerShell to efficiently query and analyze 4768 events across multiple domain controllers or time periods.

  1. Open PowerShell as Administrator on a domain controller
  2. Query recent 4768 events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768} -MaxEvents 100 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. Filter for failed authentication attempts:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768} | Where-Object {$_.Message -like '*0x*' -and $_.Message -notlike '*0x0*'} | Select-Object TimeCreated, Message
  4. Search for specific user account activity:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768; StartTime=(Get-Date).AddHours(-24)}
$Events | Where-Object {$_.Message -like '*AccountName*username*'} | Format-Table TimeCreated, Message -Wrap
  5. Analyze authentication patterns by IP address:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768; StartTime=(Get-Date).AddDays(-1)}
$Events | ForEach-Object { if($_.Message -match 'Client Address:\s+::ffff:([0-9.]+)') { $matches[1] } } | Group-Object | Sort-Object Count -Descending
  6. Export results for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768; StartTime=(Get-Date).AddDays(-7)} | Export-Csv -Path "C:\Temp\Kerberos_TGT_Events.csv" -NoTypeInformation
Warning: Querying large numbers of security events can impact domain controller performance. Use time filters and limit results appropriately.
03

Configure Advanced Audit Policies

Optimize Kerberos authentication logging by configuring advanced audit policies to capture the right level of detail without overwhelming the Security log.

  1. Open Group Policy Management Console on a domain controller
  2. Edit the Default Domain Controllers Policy or create a new GPO
  3. Navigate to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAdvanced Audit Policy Configuration
  4. Expand Account Logon and configure:
    • Audit Kerberos Authentication Service: Enable Success and Failure
    • Audit Kerberos Service Ticket Operations: Enable as needed
  5. Use PowerShell to verify current audit settings:
    auditpol /get /subcategory:"Kerberos Authentication Service"
  6. Configure audit policy via command line if needed:
    auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
  7. Monitor Security log size and configure appropriate retention:
    Get-WinEvent -ListLog Security | Select-Object LogName, FileSize, MaximumSizeInBytes, RecordCount
  8. Consider implementing log forwarding to a SIEM system for centralized analysis
Pro tip: In high-volume environments, consider enabling only failure auditing for 4768 events to reduce log noise while maintaining security visibility.
04

Troubleshoot Kerberos Authentication Failures

Systematically diagnose and resolve common Kerberos authentication issues identified through 4768 event analysis.

  1. Identify the specific failure code from the 4768 event details
  2. Check time synchronization between client and domain controller:
    w32tm /query /status
w32tm /resync /rediscover
  3. Verify account status and properties:
    Get-ADUser -Identity username -Properties AccountLockoutTime, PasswordExpired, PasswordLastSet, LastLogonDate
  4. Test Kerberos functionality from the client:
    klist purge
klist tgt
  5. Check supported encryption types:
    Get-ADUser -Identity username -Properties msDS-SupportedEncryptionTypes
  6. Review Kerberos policy settings:
    Get-ADDefaultDomainPasswordPolicy
Get-ADDomainController | Get-ADObject -Properties msDS-KrbTgtLinkBl
  7. Validate DNS resolution for the domain controller:
    nslookup -type=SRV _kerberos._tcp.domain.com
Test-NetConnection -ComputerName dc.domain.com -Port 88
  8. Enable Kerberos logging for detailed troubleshooting:
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v LogLevel /t REG_DWORD /d 1 /f
Warning: Enabling detailed Kerberos logging can generate significant log volume and should only be used temporarily for troubleshooting.
05

Implement Security Monitoring and Alerting

Establish proactive monitoring of 4768 events to detect security threats and authentication anomalies in real-time.

  1. Create a PowerShell script for continuous monitoring:
    # Monitor for suspicious authentication patterns
$StartTime = (Get-Date).AddMinutes(-5)
$FailedEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768; StartTime=$StartTime} | Where-Object {$_.Message -notlike '*0x0*'}

if ($FailedEvents.Count -gt 10) {
    # Alert on high failure rate
    Write-EventLog -LogName Application -Source "Security Monitor" -EventId 1001 -Message "High Kerberos failure rate detected: $($FailedEvents.Count) failures in 5 minutes"
}
  2. Set up Windows Task Scheduler to run the monitoring script every 5 minutes
  3. Configure Event Viewer custom views for quick analysis:
    • Create a custom view filtering for Event ID 4768 with failure codes
    • Save the view as "Kerberos Authentication Failures"
  4. Implement log forwarding using Windows Event Forwarding (WEF):
    # On collector server
wecutil qc
wecutil cs subscription.xml
  5. Create subscription XML for 4768 events:
    <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>KerberosAuth</SubscriptionId>
  <Query>
    <![CDATA[<QueryList><Query Id="0"><Select Path="Security">*[System[EventID=4768]]</Select></Query></QueryList>]]>
  </Query>
</Subscription>
  6. Monitor for specific attack patterns:
    • Multiple failures from single IP addresses
    • Authentication attempts for disabled accounts
    • Off-hours authentication for privileged accounts
    • Unusual encryption type requests
  7. Integrate with SIEM solutions for advanced correlation and alerting
Pro tip: Establish baseline authentication patterns during normal business hours to better identify anomalous activity in 4768 events.

Overview

Event ID 4768 fires every time a user, computer, or service account requests a Kerberos Ticket Granting Ticket (TGT) from a domain controller. This event is fundamental to Active Directory authentication and appears in the Security log on domain controllers. The TGT request is the first step in Kerberos authentication, where the client proves its identity to the Key Distribution Center (KDC) and receives a ticket that can be used to request service tickets.

This event generates massive volumes on busy domain controllers since every authentication attempt creates a 4768 entry. The event contains critical forensic information including the requesting account, client IP address, encryption types used, and authentication result codes. Security teams monitor this event for failed authentication attempts, unusual login patterns, and potential credential attacks.

Understanding 4768 events is essential for Active Directory troubleshooting, security monitoring, and compliance auditing. The event provides visibility into authentication flows and helps identify issues with Kerberos configuration, time synchronization problems, and account lockout scenarios.

Frequently Asked Questions

What does Event ID 4768 mean and when does it occur?+
Event ID 4768 indicates that a Kerberos Ticket Granting Ticket (TGT) was requested from a domain controller. This event occurs every time a user, computer, or service account attempts to authenticate to the Active Directory domain. It's the first step in the Kerberos authentication process and appears in the Security log on domain controllers. The event captures both successful and failed authentication attempts, providing detailed information about the requesting account, client IP address, and authentication result codes.
How can I distinguish between successful and failed 4768 events?+
Successful 4768 events show a Result Code of 0x0 in the event details, while failed attempts display specific error codes that indicate the failure reason. Common failure codes include 0x6 (bad username), 0x12 (account disabled), 0x17 (password expired), and 0x18 (account locked out). You can filter for failed events in PowerShell using: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768} | Where-Object {$_.Message -like '*0x*' -and $_.Message -notlike '*0x0*'}. The Sub Status field provides additional context for authentication failures.
Why am I seeing thousands of 4768 events on my domain controller?+
High volumes of 4768 events are normal in Active Directory environments because every authentication attempt generates this event. This includes user logins, computer account authentications, service account requests, and application authentications. In busy environments, domain controllers can log thousands of these events per hour. To manage log volume, consider filtering for failure events only, implementing log forwarding to a central location, or increasing the Security log size. You can also use advanced audit policies to fine-tune what gets logged while maintaining security visibility.
What should I do if I see repeated 4768 failures from the same IP address?+
Repeated 4768 failures from a single IP address may indicate a brute force attack, misconfigured application, or user with authentication issues. First, identify the source IP and determine if it's internal or external. Check the account names being targeted and the specific failure codes. For legitimate issues, verify account status, password expiration, and time synchronization. For potential attacks, consider implementing account lockout policies, IP blocking, or additional monitoring. Use PowerShell to analyze patterns: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768} | Where-Object {$_.Message -like '*ClientAddress*IP_ADDRESS*'} to track all attempts from that source.
How can I use 4768 events for security monitoring and compliance?+
Event ID 4768 provides excellent visibility for security monitoring and compliance auditing. Monitor for suspicious patterns like authentication attempts outside business hours, multiple failures for privileged accounts, or requests from unusual IP addresses. Create automated alerts for high failure rates or specific account targeting. For compliance, 4768 events provide an audit trail of all authentication attempts, supporting requirements for access logging and security monitoring. Implement log forwarding to a SIEM system for correlation with other security events, and establish baseline authentication patterns to identify anomalies. Regular analysis of 4768 events helps detect credential attacks, account compromise, and policy violations.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events including Kerberos authentication logginghttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Advanced Security Audit Policy SettingsOfficial documentation for configuring advanced audit policies in Windows environmentshttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4768#kerberos-authentication#active-directory

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...