Check the detected serial number failure


Computer-generated Kerberos events are always identifiable by the $ after the computer account's name. In these instances, you'll find a computer name in the User Name and fields. Windows logs other instances of event ID 4768 when a computer in the domain needs to authenticate to the DC, typically when a workstation boots up or a server restarts.


The User ID field provides the SID of the account. Instead, look at the Account Information fields, which identify the user who logged on and the user account's DNS suffix. The User field for this event (and all other events in the Audit account logon event category) doesn't help you determine who the user was; the field always reads N/A.

In Windows Kerberos, password verification takes place during pre-authentication. If the ticket request fails, Windows will either log this event, failure 4771, or 4768 if the problem arose during 'pre-authentication'. If the username and password are correct and the user account passes status and restriction checks, the DC grants the TGT and logs event ID 4768 (authentication ticket granted). This event is logged on domain controllers only and only failure instances of this event are logged.

At the beginning of the day, when a user sits down at his or her workstation and enters his or her domain username and password, the workstation contacts a local DC and requests a TGT.
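The triage described above, as an added example that is not part of the original page: it separates computer accounts (trailing $) from user accounts in 4768/4771 records and flags users with repeated ticket-request failures. The event records are constructed, the dictionary layout is an assumed export format, and the threshold of 3 is an arbitrary illustration value.

```python
from collections import Counter

# Constructed sample records (not real logs), shaped like exported events.
# TargetUserName, Status and IpAddress are the event-data field names.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "WKS-014$", "Status": "0x0", "IpAddress": "10.0.4.14"},
    {"EventID": 4768, "TargetUserName": "alice", "Status": "0x0", "IpAddress": "10.0.4.14"},
    {"EventID": 4771, "TargetUserName": "bob", "Status": "0x18", "IpAddress": "10.0.9.77"},
    {"EventID": 4771, "TargetUserName": "bob", "Status": "0x18", "IpAddress": "10.0.9.77"},
    {"EventID": 4771, "TargetUserName": "Bob", "Status": "0x18", "IpAddress": "10.0.9.78"},
    {"EventID": 4768, "TargetUserName": "SRV-DB01$", "Status": "0x0", "IpAddress": "10.0.2.5"},
    {"EventID": 4768, "TargetUserName": "carol", "Status": "0x6", "IpAddress": "10.0.4.20"},
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.4.14"},
]

def is_computer_account(name):
    """Computer-generated Kerberos events carry a trailing $ on the name."""
    return name.endswith("$")

def classify(event):
    """Return 'granted', 'failed', or None for events other than 4768/4771."""
    status = int(event.get("Status", "0x0"), 16)
    if event["EventID"] == 4771:
        return "failed"                      # pre-authentication failure
    if event["EventID"] == 4768:
        return "granted" if status == 0 else "failed"
    return None

def summarize(events, threshold=3):
    """Tally machine events, user TGTs and user failures; flag noisy users."""
    machine_events, user_tgts = 0, 0
    failures, sources = Counter(), {}
    for ev in events:
        outcome = classify(ev)
        if outcome is None:
            continue
        name = ev["TargetUserName"]
        if is_computer_account(name):
            machine_events += 1              # boot/restart authentication
        elif outcome == "granted":
            user_tgts += 1
        else:
            user = name.lower()              # account names are case-insensitive
            failures[user] += 1
            sources.setdefault(user, set()).add(ev["IpAddress"])
    flagged = {u: sorted(sources[u]) for u, n in failures.items() if n >= threshold}
    return {"machine_events": machine_events, "user_tgts": user_tgts,
            "failures": dict(failures), "flagged": flagged}
```

Counting machine accounts separately keeps boot-time authentication from drowning out the user failures an analyst needs to review.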