Lepide Blog: A Guide to IT Security, Compliance and IT Operations

Event ID 4770 – A Kerberos Service Ticket was Renewed

What is Kerberos?

Kerberos is an authentication protocol which is used to verify the identity of a host across an untrusted network, such as the internet. Kerberos support is built into all major computer operating systems, including Microsoft Windows.

Since Windows 2000, the Kerberos protocol has been used by Microsoft as the default authentication method, and it is a fundamental part of the Windows Active Directory (AD) service.

Event ID: 4770
Category: Account Logon
Sub category: Kerberos Service Ticket Operations
Description: A Kerberos service ticket was renewed

This event is logged when a Kerberos service ticket is renewed. Kerberos limits how long a ticket is valid. If a ticket expires while the user is still logged on, Windows automatically contacts the domain controller to renew the ticket, which triggers this event.

Why Does Event ID 4770 Need to be Monitored?

Reasons to monitor this event include:

  • Detection of privilege abuse
  • Discovering potential malicious activity
  • Additional purposes, for example getting information on user activity such as user attendance, peak logon times and so on
  • Compliance regulations
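
The following Python code, added here as an illustration and not part of the original article or any Lepide tool, parses 4770 events exported as XML and summarises renewals per account and per UTC hour, which supports the user-activity and malicious-activity reviews listed above. The sample events, account names and addresses are constructed, and flagging accounts that renew from more than one client address is an assumed review signal rather than a rule from the article.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(time, user, service, ip, event_id=4770):
    """Build one constructed event in the Windows event XML schema."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="ServiceName">{service}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

# Constructed sample export (not from a real log); the last event has another ID.
SAMPLE = "<Events>" + "".join([
    _event("2024-03-04T09:15:02.000Z", "alice@EXAMPLE.TEST", "krbtgt", "::ffff:10.0.0.12"),
    _event("2024-03-04T09:48:40.000Z", "alice@EXAMPLE.TEST", "krbtgt", "::ffff:10.0.0.12"),
    _event("2024-03-04T09:50:11.000Z", "svc-backup@EXAMPLE.TEST", "krbtgt", "::ffff:10.0.0.30"),
    _event("2024-03-04T22:05:19.000Z", "svc-backup@EXAMPLE.TEST", "krbtgt", "::ffff:10.0.0.77"),
    _event("2024-03-04T22:06:00.000Z", "bob@EXAMPLE.TEST", "krbtgt", "::ffff:10.0.0.15", event_id=4769),
]) + "</Events>"

def parse_renewals(xml_text):
    """Return one dict per 4770 event; other event IDs are skipped."""
    rows = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4770":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        rows.append({"hour": int(stamp[11:13]),  # UTC hour from the ISO timestamp
                     "user": data.get("TargetUserName", "").lower(),
                     "service": data.get("ServiceName", ""),
                     "ip": data.get("IpAddress", "").replace("::ffff:", "")})
    return rows

def summarize(rows):
    """Renewals per account, per UTC hour, and accounts renewing from >1 address."""
    per_user = Counter(r["user"] for r in rows)
    per_hour = Counter(r["hour"] for r in rows)
    ips = defaultdict(set)
    for r in rows:
        ips[r["user"]].add(r["ip"])
    multi_ip = {u: sorted(a) for u, a in ips.items() if len(a) > 1}  # assumed review signal
    return per_user, per_hour, multi_ip

if __name__ == "__main__":
    users, hours, multi = summarize(parse_renewals(SAMPLE))
    print(users.most_common(), sorted(hours.items()), multi)
```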

How Lepide Account Lockout Examiner (Free Tool) Helps

Lepide Account Lockout Examiner helps you instantly detect, investigate, and resolve AD account lockouts, making it easy to unlock accounts or reset passwords right from the tool. It’s a must-have for simplifying account lockout management and keeping your AD environment running smoothly.