I am getting security events of successful Kerberos logins to a domain controller (Event 4624).
Now my client reports that these events are processes run by the computer and not actual on-site or VPN logins.
Is there a way to distinguish between logins created by someone actively trying to connect, either locally, through VPN, or just trying to access a share on the network, and a process doing so automatically?
As far as I can tell, the network logon type happens any time someone accesses a share, not just for processes. Is there maybe something I am missing which shows the origin of such a login?
I know there is a field called PROCESS NAME, but it arrives empty. Is that something I could talk with my client about, that he should configure on his side?
Some Technical Details -
Logon type: 3 - Network
Security ID: S-1-5-21-XXX-XXX-XXX-1575
Process ID: 0x0
Process Name: -
You need to view event ID 4768 (432-263047680 in McAfee format):
"A Kerberos authentication ticket (TGT) was requested"
and check that the "Pre-Authentication Type" field = 2
(for "Smart Card" logins it will be 15 to 17).
First of all, thank you for the quick and good reply.
Could you tell me if what you wrote is a way to find process logins or normal logins?
I understood how to do what was written; I just didn't really understand what it relates to.
For failed logins, search for event ID 4771, or in the McAfee format signature ID 43-263047710:
"Kerberos pre-authentication failed"
To be sure it's an interactive login, check the Pre-Authentication Type: 2.
If you would like to know the reason for the failure, check the "Failure Code" in the raw packet.
Below is the entire table of failure reasons with the code:
| Result code | Kerberos RFC description | Notes on common failure codes |
|---|---|---|
| 0x1 | Client's entry in database has expired | |
| 0x2 | Server's entry in database has expired | |
| 0x3 | Requested protocol version # not supported | |
| 0x4 | Client's key encrypted in old master key | |
| 0x5 | Server's key encrypted in old master key | |
| 0x6 | Client not found in Kerberos database | Bad user name, or new computer/user account has not replicated to DC yet |
| 0x7 | Server not found in Kerberos database | New computer account has not replicated yet or computer is pre-w2k |
| 0x8 | Multiple principal entries in database | |
| 0x9 | The client or server has a null key | Administrator should reset the password on the account |
| 0xA | Ticket not eligible for postdating | |
| 0xB | Requested start time is later than end time | |
| 0xC | KDC policy rejects request | Workstation restriction |
| 0xD | KDC cannot accommodate requested option | |
| 0xE | KDC has no support for encryption type | |
| 0xF | KDC has no support for checksum type | |
| 0x10 | KDC has no support for padata type | |
| 0x11 | KDC has no support for transited type | |
| 0x12 | Client's credentials have been revoked | Account disabled, expired, locked out, logon hours |
| 0x13 | Credentials for server have been revoked | |
| 0x14 | TGT has been revoked | |
| 0x15 | Client not yet valid - try again later | |
| 0x16 | Server not yet valid - try again later | |
| 0x17 | Password has expired | The user's password has expired |
| 0x18 | Pre-authentication information was invalid | Usually means bad password |
| 0x19 | Additional pre-authentication required* | |
| 0x1F | Integrity check on decrypted field failed | |
| 0x20 | Ticket expired | Frequently logged by computer accounts |
| 0x21 | Ticket not yet valid | |
| 0x22 | Request is a replay | |
| 0x23 | The ticket isn't for us | |
| 0x24 | Ticket and authenticator don't match | |
| 0x25 | Clock skew too great | Workstation's clock too far out of sync with the DC's |
| 0x26 | Incorrect net address | IP address change? |
| 0x27 | Protocol version mismatch | |
| 0x28 | Invalid msg type | |
| 0x29 | Message stream modified | |
| 0x2A | Message out of order | |
| 0x2C | Specified version of key is not available | |
| 0x2D | Service key not available | |
| 0x2E | Mutual authentication failed | May be a memory allocation failure |
| 0x2F | Incorrect message direction | |
| 0x30 | Alternative authentication method required* | |
| 0x31 | Incorrect sequence number in message | |
| 0x32 | Inappropriate type of checksum in message | |
| 0x3C | Generic error (description in e-text) | |
| 0x3D | Field is too long for this implementation | |
(The table is from www.ultimatewindowssecurity.com.)
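Added example (not code from this thread, from McAfee, or from ultimatewindowssecurity.com) that puts the three events discussed above side by side: it parses the "Name: value" lines of a 4624, 4768 or 4771 event body, decodes the logon type, the pre-authentication type and the 4771 failure code (a subset of the table above), and returns a verdict. The sample event bodies are constructed, the "Event ID:" first line is a convention of these samples rather than an Event Viewer field, and the logon-type and PA-DATA numbers are the documented values for these events. The point it makes in code is the one the thread arrives at: pre-authentication type 2 only says a password was used, and a logon type 3 (network) 4624 cannot be attributed to a person or a process on its own; only logon types 2, 7, 10 and 11 imply a person at a console or RDP session.

```python
"""Triage helpers for the events discussed in this thread: 4624 (logon),
4768 (TGT requested) and 4771 (Kerberos pre-authentication failed).

Added example; all event bodies below are constructed samples whose field
names follow the "Name: value" lines Event Viewer shows for these events."""
import re

# Logon types as documented for event 4624.
LOGON_TYPES = {
    2: "Interactive (console)",
    3: "Network (share or RPC access; user- or machine-initiated)",
    4: "Batch (scheduled task)",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials (runas /netonly)",
    10: "RemoteInteractive (RDP)",
    11: "CachedInteractive",
}
# Logon types that imply a person at a console or in an RDP session.
# A type-3 network logon cannot be attributed either way on its own.
PERSON_LOGON_TYPES = {2, 7, 10, 11}
BACKGROUND_LOGON_TYPES = {4, 5}

# Pre-authentication types seen in 4768/4771 (PA-DATA numbers, RFC 4120/4556).
PRE_AUTH_TYPES = {
    2: "PA-ENC-TIMESTAMP (password-based)",
    15: "PA-PK-AS-REP_OLD (smart card)",
    16: "PA-PK-AS-REQ (smart card)",
    17: "PA-PK-AS-REP (smart card)",
}

# Subset of the 4771 failure-code table quoted in the thread.
KRB_FAILURE_CODES = {
    0x06: "Client not found in Kerberos database (bad user name, or account not replicated yet)",
    0x07: "Server not found in Kerberos database",
    0x12: "Client's credentials have been revoked (disabled, expired, locked out, logon hours)",
    0x17: "Password has expired",
    0x18: "Pre-authentication information was invalid (usually a bad password)",
    0x20: "Ticket expired (frequently logged by computer accounts)",
    0x25: "Clock skew too great",
}

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s*(.*)$")


def parse_event_text(text):
    """Turn the 'Name: value' lines of an event body into a dict keyed by the
    lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields


def leading_int(value):
    """'3 - Network' -> 3, '0x18' -> 24, '-' or missing -> None."""
    m = re.match(r"\s*(0x[0-9a-fA-F]+|\d+)", value or "")
    return int(m.group(1), 0) if m else None


def classify(fields):
    """Return a verdict dict for one parsed event."""
    event_id = leading_int(fields.get("event id"))
    if event_id == 4624:
        lt = leading_int(fields.get("logon type"))
        if lt in PERSON_LOGON_TYPES:
            verdict = "person at console or RDP"
        elif lt in BACKGROUND_LOGON_TYPES:
            verdict = "service or scheduled task"
        else:
            verdict = "undetermined (network logon: share access by a user or by a background process)"
        return {"event": 4624, "logon_type": lt,
                "logon_type_name": LOGON_TYPES.get(lt, "unknown"),
                "process_name": fields.get("process name", "-"), "verdict": verdict}
    if event_id in (4768, 4771):
        pa = leading_int(fields.get("pre-authentication type"))
        # Pre-auth type only tells you which kind of credential was used,
        # not whether a person or a background process presented it.
        result = {"event": event_id, "pre_auth_type": pa,
                  "pre_auth_name": PRE_AUTH_TYPES.get(pa, "unknown"),
                  "credential": "password" if pa == 2 else
                                "smart card" if pa in (15, 16, 17) else "undetermined"}
        if event_id == 4771:
            code = leading_int(fields.get("failure code"))
            result["failure_code"] = code
            result["reason"] = KRB_FAILURE_CODES.get(code, "see the RFC 4120 result-code table")
        return result
    return {"event": event_id, "verdict": "not handled"}


# Constructed sample event bodies; the first mirrors the details in the question.
SAMPLE_4624_NETWORK = """Event ID: 4624
Logon Type: 3 - Network
Security ID: S-1-5-21-1111-2222-3333-1575
Process ID: 0x0
Process Name: -"""

SAMPLE_4624_RDP = """Event ID: 4624
Logon Type: 10 - RemoteInteractive
Security ID: S-1-5-21-1111-2222-3333-1575
Process ID: 0x3e8
Process Name: C:\\Windows\\System32\\winlogon.exe"""

SAMPLE_4768 = """Event ID: 4768
Account Name: alice
Pre-Authentication Type: 2
Ticket Encryption Type: 0x12"""

SAMPLE_4771 = """Event ID: 4771
Account Name: alice
Pre-Authentication Type: 2
Failure Code: 0x18"""


def triage(*bodies):
    """Parse and classify several event bodies in one call."""
    return [classify(parse_event_text(b)) for b in bodies]


if __name__ == "__main__":
    for r in triage(SAMPLE_4624_NETWORK, SAMPLE_4624_RDP, SAMPLE_4768, SAMPLE_4771):
        print(r)
```

Run against exported event text (or the message field from a SIEM), the network-logon sample comes back "undetermined" while the RDP sample comes back as a person; to get further with type-3 logons you have to correlate on the source workstation and account rather than on the logon event alone.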
Hey David, first of all thank you for all your help and time. I really appreciate it, more than you know.
From what I can gather around the internet, authentication type 2 only means that it's the standard password authentication. I can't find any indication that it's only for "local logins", as in someone sitting at their computer and trying to log in.
Actually, in this discussion https://community.spiceworks.com/topic/2010920-extremely-high-number-of-event-4771-kerberos-pre-auth... some people say that it's possible he is receiving failures from a service running on his computer. Could you perhaps give me a source that could elaborate a bit more on this subject?
Hi, thanks for the feedback...
but it seems you're right!
Authentication type 2 means that the login was done with a username and password.
But it doesn't help too much...
Here is why: for example, when you open your laptop and your Outlook is trying to connect to the server with the username and password you entered the first time, it seems that the log will still show "Authentication type 2".
If someone knows the answer, it would be very much appreciated.
Does someone know the answer?
(How to determine a user interactive login, and not a service login?)
Please post the answer for the community. It would be very much appreciated.