
Successful login 4624 process or actual user login?

I am getting security events of successful Kerberos logins to a domain controller (Event 4624).
Now my client reports that these events are processes run by the computer and not actual on-site or VPN logins.
Is there a way to distinguish between logins created by someone actively trying to connect, either locally or through VPN, or just trying to access a share on the network, and logins created by a process doing so automatically?
As far as I can tell, the network logon type happens any time someone accesses a share, not just for processes. Is there maybe something I am missing which shows the origin of such a login?
I know there is a field called PROCESS NAME, but it arrives empty. Is that something I could talk to my client about, something he should configure on his side?

Some technical details:
Logon type: 3 - Network
Security ID: S-1-5-21-XXX-XXX-XXX-1575
Process ID: 0x0
Process Name: -


10 Replies
Reliable Contributor David1111

Re: Successful login 4624 process or actual user login?

Hi 

You need to view Event ID 4768 (432-263047680 in McAfee format):

"A Kerberos authentication ticket (TGT) was requested"

and the "Pre-Authentication Type" field = 2

(for "Smart Card" logins it will be 15 to 17).


Best regards

David

Re: Successful login 4624 process or actual user login?

First of all, thank you for the quick and good reply.

Could you tell me if what you wrote is a way to find process logins or normal logins?
I understood how to do what was written; I just didn't really understand what it refers to.

Reliable Contributor David1111

Re: Successful login 4624 process or actual user login?

Hi 

Number 2 is "interactive logins",

not a service or task.

Re: Successful login 4624 process or actual user login?

Well, let me test it out.
If this works I will update you on it, and if it does you really saved me :)

Thanks a lot!

Re: Successful login 4624 process or actual user login?

Would you happen to know in this format, what would be the event for a failed interactive login?

Reliable Contributor David1111

Re: Successful login 4624 process or actual user login?

Hi 

For failed logins search for Event ID 4771, or in the McAfee format signature ID 43-263047710:

"Kerberos pre-authentication failed"

To be sure it's an interactive login, check the Pre-Authentication Type: 2

If you would like to know the reason for the failure, check the "Failure Code" in the raw packet.

Below is the entire table of failure reasons with their codes:

| Result code | Kerberos RFC description | Notes on common failure codes |
|---|---|---|
| 0x1 | Client's entry in database has expired | |
| 0x2 | Server's entry in database has expired | |
| 0x3 | Requested protocol version # not supported | |
| 0x4 | Client's key encrypted in old master key | |
| 0x5 | Server's key encrypted in old master key | |
| 0x6 | Client not found in Kerberos database | Bad user name, or new computer/user account has not replicated to DC yet |
| 0x7 | Server not found in Kerberos database | New computer account has not replicated yet or computer is pre-w2k |
| 0x8 | Multiple principal entries in database | |
| 0x9 | The client or server has a null key | Administrator should reset the password on the account |
| 0xA | Ticket not eligible for postdating | |
| 0xB | Requested start time is later than end time | |
| 0xC | KDC policy rejects request | Workstation restriction |
| 0xD | KDC cannot accommodate requested option | |
| 0xE | KDC has no support for encryption type | |
| 0xF | KDC has no support for checksum type | |
| 0x10 | KDC has no support for padata type | |
| 0x11 | KDC has no support for transited type | |
| 0x12 | Client's credentials have been revoked | Account disabled, expired, locked out, logon hours |
| 0x13 | Credentials for server have been revoked | |
| 0x14 | TGT has been revoked | |
| 0x15 | Client not yet valid - try again later | |
| 0x16 | Server not yet valid - try again later | |
| 0x17 | Password has expired | The user's password has expired |
| 0x18 | Pre-authentication information was invalid | Usually means bad password |
| 0x19 | Additional pre-authentication required* | |
| 0x1F | Integrity check on decrypted field failed | |
| 0x20 | Ticket expired | Frequently logged by computer accounts |
| 0x21 | Ticket not yet valid | |
| 0x22 | Request is a replay | |
| 0x23 | The ticket isn't for us | |
| 0x24 | Ticket and authenticator don't match | |
| 0x25 | Clock skew too great | Workstation's clock too far out of sync with the DC's |
| 0x26 | Incorrect net address | IP address change? |
| 0x27 | Protocol version mismatch | |
| 0x28 | Invalid msg type | |
| 0x29 | Message stream modified | |
| 0x2A | Message out of order | |
| 0x2C | Specified version of key is not available | |
| 0x2D | Service key not available | |
| 0x2E | Mutual authentication failed | May be a memory allocation failure |
| 0x2F | Incorrect message direction | |
| 0x30 | Alternative authentication method required* | |
| 0x31 | Incorrect sequence number in message | |
| 0x32 | Inappropriate type of checksum in message | |
| 0x3C | Generic error (description in e-text) | |
| 0x3D | Field is too long for this implementation | |

(The table is from "www.ultimatewindowssecurity.com".)

Best regards!

Re: Successful login 4624 process or actual user login?

Hey David, first of all thank you for all your help and time. I really appreciate it, more than you know.

From what I can gather around the internet, the authentication type 2 only means that it's the standard password authentication. I can't find any indication that it's only for "local logins", as in someone sitting at their computer and trying to log in.
Actually, in this discussion https://community.spiceworks.com/topic/2010920-extremely-high-number-of-event-4771-kerberos-pre-auth... some people say that it's possible that he is receiving failures from a service running on his computer. Could you perhaps give me a source that could elaborate a bit more on this subject?

Reliable Contributor David1111

Re: Successful login 4624 process or actual user login?

Hi, thanks for the feedback...

but it seems you're right!

Authentication type 2 means that the login was done with a username and password.

But it doesn't help too much...

Here is why: for example, when you open your laptop and your Outlook tries to connect to the server with the username and password you entered the first time, it seems that the log will still show "Authentication type 2".

If someone knows the answer, it will be very much appreciated.

Thanks again.

Reliable Contributor David1111

Re: Successful login 4624 process or actual user login?

Does someone know the answer?

(How to determine a user interactive login, and not a service login?)

Please post the answer for the community. It will be very much appreciated.

Thanks again.
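The thread never settles how to tell a person's logon from a process's. An added example (not from any poster) of the field a defender would actually key on, the 4624 "Logon Type" (documented values: 2 Interactive, 10 RemoteInteractive, 11 CachedInteractive are a user at a console or RDP session; 4 Batch and 5 Service are scheduled tasks and services; 3 Network is a share or Kerberos access and, as the thread found, cannot by itself separate a user from a program), plus a decoder for the 4771 failure codes David posted. The event texts below are constructed, not from any real log; a real 4624 carries two "Account Name" lines (Subject and New Logon), so a production parser would need to pick the New Logon section.

```python
"""Classify 4624 events as interactive/service/network and decode 4771 failure codes.
Added example for this thread; event bodies below are constructed samples."""

# Documented Windows 4624 logon types (Microsoft Security auditing reference).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}
INTERACTIVE_TYPES = {2, 10, 11}   # a human at a console, RDP session, or cached logon
SERVICE_TYPES = {4, 5}            # scheduled tasks and services

# Subset of the 4771 failure-code table posted in the thread (Kerberos RFC codes).
FAILURE_CODES = {
    0x6: "Client not found in Kerberos database (bad user name / not replicated yet)",
    0xC: "KDC policy rejects request (workstation restriction)",
    0x12: "Client's credentials have been revoked (disabled, expired, locked out, logon hours)",
    0x17: "Password has expired",
    0x18: "Pre-authentication information was invalid (usually bad password)",
    0x25: "Clock skew too great",
}

def parse_event(text):
    """Turn the 'Field: value' lines of an event body into a dict (first colon splits)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def classify_4624(fields):
    """Return 'computer-account', 'interactive', 'service', 'network' or 'other'.
    Machine accounts end in '$' and are never a person typing; a Logon Type 3 for a
    user account is the ambiguous case the thread ran into."""
    if fields.get("Account Name", "").endswith("$"):
        return "computer-account"
    ltype = int(fields.get("Logon Type", "0"))
    if ltype in INTERACTIVE_TYPES:
        return "interactive"
    if ltype in SERVICE_TYPES:
        return "service"
    return "network" if ltype == 3 else "other"

def decode_failure(fields):
    """Map a 4771 'Failure Code' (hex string) to its description from the thread's table."""
    code = int(fields.get("Failure Code", "0x0"), 16)
    return FAILURE_CODES.get(code, f"unknown failure code {code:#x}")

# Constructed sample bodies, shaped like the OP's "Logon type: 3 ... Process Name: -" excerpt.
EVENT_RDP = "Logon Type: 10\nAccount Name: jdoe\nProcess Name: -"
EVENT_SHARE = "Logon Type: 3\nAccount Name: jdoe\nProcess ID: 0x0\nProcess Name: -"
EVENT_SERVICE = "Logon Type: 5\nAccount Name: svc_backup"
EVENT_MACHINE = "Logon Type: 3\nAccount Name: WS01$"
EVENT_4771 = "Failure Code: 0x18\nPre-Authentication Type: 2"
```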
