ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows security monitoring dashboard displaying Kerberos authentication events in Event Viewer
Event ID 4769InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4769 – Microsoft-Windows-Security-Auditing: Kerberos Service Ticket Requested

Event ID 4769 logs when a Kerberos service ticket is requested from a domain controller. This security audit event tracks authentication attempts to network services and resources.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4769Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 4769 represents a fundamental component of Windows domain security logging. When a user or service attempts to access a network resource protected by Kerberos authentication, the client must request a service ticket from the domain controller. This request generates the 4769 event, providing administrators with detailed visibility into authentication activity across the domain.

The event contains extensive information including the account name making the request, the service principal name (SPN) being accessed, the client's IP address, authentication protocol details, and the result code. Success events (Result Code 0x0) indicate normal authentication flow, while failure codes reveal potential security issues or misconfigurations.

In modern Windows environments running 2025 and later versions, Microsoft has enhanced the event structure to include additional context for cloud-hybrid scenarios and improved correlation with Azure AD authentication events. The event integrates with Windows Defender for Identity and Microsoft Sentinel for advanced threat detection, making it a cornerstone of enterprise security monitoring strategies.

Understanding 4769 patterns helps identify compromised accounts, detect lateral movement attempts, and validate service account usage. The event's frequency and content make it both valuable for security analysis and challenging to manage without proper filtering and analysis tools.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • User accessing network file shares or mapped drives
  • Applications connecting to SQL Server, Exchange, or other Kerberos-enabled services
  • Service accounts authenticating to backend systems
  • Web applications using integrated Windows authentication
  • PowerShell remoting or WinRM connections
  • Scheduled tasks running under domain accounts
  • Failed authentication attempts due to expired passwords or locked accounts
  • Clock skew between client and domain controller exceeding tolerance
  • Service Principal Name (SPN) misconfigurations
  • Potential security attacks like Kerberoasting or credential stuffing
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific 4769 event details to understand the authentication context.

  1. Open Event ViewerWindows LogsSecurity
  2. Filter for Event ID 4769 using Filter Current Log
  3. Double-click a recent 4769 event to view details
  4. Key fields to examine:
    • Account Name: User or service account making the request
    • Service Name: Target service being accessed
    • Client Address: Source IP of the authentication request
    • Failure Code: 0x0 for success, other codes indicate specific failures
    • Ticket Options: Kerberos flags and encryption types
  5. Note the timestamp and frequency of events from the same account

Use this PowerShell command to quickly extract recent 4769 events:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} -MaxEvents 50 | Select-Object TimeCreated, Id, @{Name='Account';Expression={$_.Properties[0].Value}}, @{Name='ServiceName';Expression={$_.Properties[1].Value}}
02

Analyze Authentication Patterns with PowerShell

Use PowerShell to identify unusual authentication patterns or potential security issues.

  1. Extract and analyze 4769 events for suspicious activity:
# Get failed Kerberos service ticket requests
$FailedAuth = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} -MaxEvents 1000 | Where-Object {$_.Properties[8].Value -ne '0x0'}

# Group by account to identify accounts with high failure rates
$FailedAuth | Group-Object {$_.Properties[0].Value} | Sort-Object Count -Descending | Select-Object Name, Count

# Check for unusual service access patterns
$ServiceTickets = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} -MaxEvents 500
$ServiceTickets | Group-Object {$_.Properties[1].Value} | Sort-Object Count -Descending | Select-Object Name, Count
  1. Look for these suspicious patterns:
    • High volumes of failed requests from single accounts
    • Unusual service access outside normal business hours
    • Service ticket requests for sensitive services from unexpected accounts
    • Rapid-fire authentication attempts indicating automated attacks
  2. Cross-reference with Event ID 4768 (TGT requests) for complete authentication flow
03

Configure Advanced Audit Policies

Optimize Kerberos auditing settings to capture relevant events while managing log volume.

  1. Open Group Policy Management Console and navigate to the domain controller OU
  2. Edit the Default Domain Controllers Policy
  3. Navigate to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAdvanced Audit Policy Configuration
  4. Configure Audit Kerberos Service Ticket Operations:
    • Success: Enable for normal authentication tracking
    • Failure: Enable for security monitoring
  5. Use PowerShell to configure audit settings programmatically:
# Enable Kerberos service ticket auditing
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable

# Verify current audit settings
auditpol /get /subcategory:"Kerberos Service Ticket Operations"
  1. Consider enabling Audit Kerberos Authentication Service for comprehensive Kerberos monitoring
  2. Apply policy and run gpupdate /force on domain controllers
Pro tip: In high-volume environments, consider filtering 4769 events at the collection level to focus on failures and sensitive service access only.
04

Investigate Service Principal Name Issues

Resolve SPN-related authentication failures that generate 4769 error events.

  1. Identify SPN-related failures by checking failure codes in 4769 events
  2. Common SPN failure codes:
    • 0x7: KDC_ERR_S_PRINCIPAL_UNKNOWN (SPN not found)
    • 0x25: KDC_ERR_INTEGRITY (encryption/integrity failure)
  3. Use setspn to diagnose SPN issues:
# List all SPNs for a service account
setspn -L DOMAIN\ServiceAccount

# Check for duplicate SPNs across the domain
setspn -X

# Find SPNs registered to a specific service
setspn -Q HTTP/webserver.domain.com
  1. Resolve SPN issues:
    • Register missing SPNs: setspn -A HTTP/server.domain.com DOMAIN\ServiceAccount
    • Remove duplicate SPNs: setspn -D HTTP/server.domain.com DOMAIN\WrongAccount
  2. Verify SPN resolution using:
# Test Kerberos authentication to a specific service
klist get HTTP/webserver.domain.com

# Clear Kerberos ticket cache if needed
klist purge
Warning: Incorrect SPN modifications can break service authentication. Always test SPN changes in a non-production environment first.
05

Implement Security Monitoring and Alerting

Set up automated monitoring for 4769 events to detect security threats and authentication issues.

  1. Create custom Event Viewer views for security monitoring:
  2. In Event Viewer, right-click Custom ViewsCreate Custom View
  3. Configure filter criteria:
    • Event logs: Security
    • Event IDs: 4769
    • Keywords: Audit Failure (for failed authentications)
  4. Use PowerShell to create automated monitoring scripts:
# Monitor for Kerberoasting attempts (RC4 encryption requests)
$KerberoastingEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} -MaxEvents 100 | Where-Object {
    $_.Properties[7].Value -match '0x17' # RC4-HMAC encryption
}

# Alert on high-volume authentication from single source
$RecentEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769; StartTime=(Get-Date).AddHours(-1)}
$HighVolumeIPs = $RecentEvents | Group-Object {$_.Properties[6].Value} | Where-Object {$_.Count -gt 100}

if ($HighVolumeIPs) {
    Write-Warning "High volume Kerberos requests detected from: $($HighVolumeIPs.Name -join ', ')"
}
  1. Configure Windows Event Forwarding (WEF) to centralize 4769 events:
  2. On collector server, enable WinRM: winrm quickconfig
  3. Create subscription for 4769 events from domain controllers
  4. Integrate with SIEM solutions like Microsoft Sentinel or Splunk for advanced analytics
Pro tip: Focus monitoring on failed 4769 events and successful events with RC4 encryption, as these often indicate security concerns in modern environments.

Overview

Event ID 4769 fires whenever a client requests a Kerberos service ticket (TGS) from a domain controller. This event is part of Windows security auditing and appears in the Security log when Kerberos authentication occurs for accessing network resources like file shares, SQL servers, or web applications.

The event captures critical authentication details including the requesting user account, target service, client IP address, and authentication result. Domain controllers generate this event during the second phase of Kerberos authentication, after the initial TGT (Ticket Granting Ticket) has been obtained.

This event is essential for security monitoring, compliance auditing, and troubleshooting authentication issues. High volumes of 4769 events are normal in Active Directory environments, but specific patterns can indicate security concerns like credential stuffing attacks, service account misuse, or authentication failures that require investigation.

Frequently Asked Questions

What does Event ID 4769 mean and when does it occur?+
Event ID 4769 indicates that a Kerberos service ticket (TGS) was requested from a domain controller. This occurs during the second phase of Kerberos authentication when a client needs to access a specific network service after already obtaining a Ticket Granting Ticket (TGT). The event fires for both successful and failed service ticket requests, providing detailed information about the requesting account, target service, client IP address, and authentication result. This is a normal part of domain authentication and will appear frequently in Active Directory environments.
How can I distinguish between normal 4769 events and potential security threats?+
Focus on several key indicators to identify suspicious 4769 activity: failed authentication attempts (non-zero failure codes), especially when clustered from single accounts or IP addresses; requests using weak encryption like RC4-HMAC which may indicate Kerberoasting attacks; unusual service access patterns outside normal business hours; high-volume rapid-fire requests suggesting automated attacks; and service ticket requests for sensitive services from unexpected user accounts. Normal 4769 events show success codes (0x0), use modern encryption (AES), and follow predictable patterns based on user work schedules and application access patterns.
What are the most common failure codes in Event ID 4769 and what do they mean?+
The most common 4769 failure codes include: 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) indicating the client account doesn't exist or is disabled; 0x7 (KDC_ERR_S_PRINCIPAL_UNKNOWN) meaning the requested service principal name (SPN) is not registered; 0x18 (KDC_ERR_CLIENT_REVOKED) showing the client account is disabled or locked; 0x20 (KDC_ERR_TKT_EXPIRED) indicating the TGT has expired; and 0x25 (KDC_ERR_INTEGRITY) suggesting encryption or integrity check failures. Understanding these codes helps quickly diagnose whether authentication failures are due to account issues, service misconfigurations, or potential security attacks.
How do I reduce the volume of 4769 events in high-traffic environments?+
To manage 4769 event volume, implement selective auditing by configuring Group Policy to audit only failures for routine services while maintaining success auditing for sensitive services. Use Event Log subscriptions to forward only critical 4769 events to central collectors. Configure log retention policies to balance compliance requirements with storage constraints. Consider filtering at the SIEM level to focus on security-relevant events like failed authentications, RC4 encryption usage, and access to high-value services. You can also exclude routine service accounts from auditing if their authentication patterns are well-understood and monitored through other means.
Can Event ID 4769 help detect Kerberoasting attacks?+
Yes, Event ID 4769 is crucial for detecting Kerberoasting attacks. Look for service ticket requests that specify RC4-HMAC encryption (ticket option 0x17) instead of the default AES encryption, as attackers often request RC4 tickets because they're easier to crack offline. Monitor for unusual patterns like requests for service accounts that typically aren't accessed by the requesting user, high volumes of service ticket requests in short time periods, and requests for SPNs associated with high-privilege service accounts. Combine 4769 analysis with 4768 (TGT requests) to identify accounts that obtain TGTs and then immediately request multiple service tickets, which is characteristic of Kerberoasting reconnaissance and attack phases.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events including Kerberos authentication monitoringhttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Advanced Security Audit Policy SettingsOfficial documentation for configuring advanced audit policies including Kerberos service ticket operationshttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4769#kerberos-authentication#security-auditing

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...