Last Updated on June 25, 2025 by Satyendra
Kerberos is an authentication protocol used to verify the identity of a host across an untrusted network. Kerberos support is built into all major computer operating systems, including Microsoft Windows.
Since Windows 2000, the Kerberos protocol has been used by Microsoft as the default authentication method, and it is a fundamental part of the Windows Active Directory (AD) service.
Event ID 4772
Event ID 4772 is logged in the Windows Security Log and indicates that a Kerberos authentication ticket request failed.
Note: Although Event ID 4772 is a defined event, it is reportedly not generated on modern Windows operating systems; Kerberos authentication ticket request failures are logged as Event ID 4768 (failure) instead. It is still worth being aware of 4772 because it is part of the Kerberos auditing framework.
Key Information about Event ID 4772
| Event ID | 4772 |
|---|---|
| Category | Account Logon |
| Subcategory | Kerberos Authentication Service |
| Type | Failure |
| Applies to | Windows Server 2008 R2 and Windows 7, Windows Server 2012 R2 and Windows 8.1, Windows Server 2016 and Windows 10, Windows Server 2019 and 2022 |
When a user or service attempts to authenticate using Kerberos in a Windows domain environment, they first request a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC), which is typically a Domain Controller. Event ID 4772 signifies that this initial TGT request was unsuccessful.
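Because these failures surface as Event ID 4768 with a failure status, a monitoring filter has to match both IDs. The following is an added example (not Lepide's code and not part of the original article) that parses exported Security events in the Windows event XML layout and reports failed TGT requests. The sample events, the `noisy_sources` threshold, and the assumption that a 4772 record would use the same field names as 4768 are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Kerberos result codes (RFC 4120) that can appear in the 4768 Status field.
REASONS = {0x6: "unknown account", 0x12: "account disabled, locked or expired",
           0x17: "password expired"}

def _event(event_id, user, status, ip):
    """Build one constructed Security event in the Windows event XML layout."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="Status">{status}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

# Constructed sample export, not real log data.
SAMPLE = "<Events>" + "".join([
    _event(4768, "alice", "0x0", "::ffff:192.0.2.10"),       # success: ignored
    _event(4768, "svc-backup", "0x12", "::ffff:192.0.2.44"),
    _event(4768, "nosuchuser", "0x6", "::ffff:192.0.2.44"),
    _event(4768, "bob", "0x17", "::ffff:192.0.2.44"),
    _event(4772, "legacy", "", "192.0.2.50"),                # legacy failure event
    _event(4624, "alice", "0x0", "192.0.2.10"),              # unrelated: ignored
]) + "</Events>"

def failed_tgt_requests(xml_text):
    """Return failed TGT requests: any 4772, or 4768 with a non-zero Status."""
    failures = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", default="0", namespaces=NS))
        data = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        code = int(data.get("Status") or "0", 16)  # missing Status counts as 0
        if event_id == 4772 or (event_id == 4768 and code != 0):
            failures.append({
                "event_id": event_id,
                "user": data.get("TargetUserName", ""),
                "ip": data.get("IpAddress", "").replace("::ffff:", ""),
                "reason": REASONS.get(code, data.get("Status") or "not recorded"),
            })
    return failures

def noisy_sources(failures, min_accounts=3):
    """Map each source IP to its accounts when failures span min_accounts or more."""
    seen = {}
    for f in failures:
        seen.setdefault(f["ip"], set()).add(f["user"].lower())
    return {ip: sorted(users) for ip, users in seen.items() if len(users) >= min_accounts}

if __name__ == "__main__":
    hits = failed_tgt_requests(SAMPLE)
    print(*hits, noisy_sources(hits), sep="\n")
```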
Why Does Event ID 4772 Need to Be Monitored?
- Prevents privilege abuse
- Identifies potential malicious activity
- Supports operational purposes, for example getting information on user activity
- Compliance mandates
How Lepide Helps
Visibility over what is happening in Active Directory is an essential requirement for administrators. This ensures that any suspicious activity relating to potential security threats is identified and can be responded to immediately.
The Lepide Active Directory Auditing Tool enables effective monitoring, auditing, and reporting on all Active Directory states and changes, including account logon events. The Lepide Solution includes pre-configured account logon reports to help identify malicious users attempting to log on to machines that require elevated privileges. If you want to see how Lepide’s solution works, schedule a demo with one of our engineers today or download the free trial.