
Event ID 4773 – A Kerberos Service Ticket Request Failed

Terry Mann | 3 min read | Published On - April 8, 2024


Kerberos is an authentication protocol which is used to verify the identity of a host across an untrusted network, such as the internet. Kerberos support is built into all major computer operating systems, including Microsoft Windows.

Since Windows 2000, the Kerberos protocol has been used by Microsoft as the default authentication method, and it is a fundamental part of the Windows Active Directory (AD) service.

What is Kerberos Event ID 4773?

Event ID: 4773
Category: Account Logon
Sub Category: Kerberos Service Ticket Operations
Description: A Kerberos service ticket request failed

When a Kerberos service request fails, Event ID 4773 is logged and the log data provides the following information:

Account Information
  • Account Name
  • Account Domain
Service Information
  • Service Name
Network Information
  • Client Address
  • Client Port
Additional Information
  • Ticket Options
  • Failure Code

Why Does Event ID 4773 Need to Be Monitored?

Event ID 4773, though it might appear in some documentation, is not currently used in Windows systems. Microsoft doesn’t log this specific event.

There are a couple of reasons why you might see references to it:

  • Outdated Information: Some resources may be referencing older versions of Windows where Event ID 4773 was used. Microsoft replaced it with Event ID 4769 (Failure Audit) for Kerberos service ticket request failures.
  • Misinterpretation: The functionality might be misinterpreted. While Event ID 4773 isn’t used, monitoring Kerberos authentication failures (like Event ID 4769) is still important for security purposes.

Here’s why monitoring Kerberos authentication failures (like Event ID 4769) is important:

  • Security: It can help detect suspicious login attempts. Failed Kerberos requests can indicate issues like invalid credentials, expired passwords, or attempts to access unauthorized resources. This can be a sign of brute-force attacks or attempts to exploit vulnerabilities in Kerberos authentication.
  • Troubleshooting: It can help identify configuration problems. Failed requests might be due to misconfigured services, network connectivity issues, or problems with the Kerberos infrastructure. Monitoring these events can help pinpoint the root cause of login failures.
  • Operational Efficiency: It can help ensure smooth user access. By monitoring these events, you can identify any recurring issues that might be causing disruptions to user logins. This helps maintain system uptime and user productivity.

In summary, focus on monitoring Event ID 4769 (Failure Audit) for Kerberos service ticket failures instead of Event ID 4773. This will provide valuable information for maintaining a secure and healthy Active Directory environment.
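As an added illustration of that monitoring (example code written for this article, not Lepide's or Microsoft's), the following Python sketch filters an XML export of Security events for failed 4769 requests and groups them by client address. It assumes the events are wrapped in a single root element and uses the XML field names under which 4769 records the Account Name, Service Name, Client Address and Failure Code (TargetUserName, ServiceName, IpAddress, Status); the sample events, the function names and the threshold of 3 are constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Kerberos error numbers (RFC 4120) as they appear in the Failure Code field.
CODES = {0x7: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 0xC: "KDC_ERR_POLICY",
         0xE: "KDC_ERR_ETYPE_NOSUPP", 0x20: "KRB_AP_ERR_TKT_EXPIRED"}

def _sample(event_id, user, service, ip, status):
    """Build one constructed event, trimmed to the fields read below."""
    data = {"TargetUserName": user, "ServiceName": service,
            "IpAddress": ip, "Status": status}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{body}</EventData></Event>')

# Constructed sample export, not real log data.
SAMPLE = "<Events>" + "".join([
    _sample(4769, "alice@CORP.EXAMPLE", "FILESRV01$", "::ffff:10.0.0.21", "0x0"),
    _sample(4769, "alice@CORP.EXAMPLE", "FILESRV01$", "::ffff:10.0.0.21", "0x20"),
    _sample(4769, "bob@CORP.EXAMPLE", "sqlsvc", "::ffff:10.0.0.50", "0x7"),
    _sample(4769, "bob@CORP.EXAMPLE", "websvc", "::ffff:10.0.0.50", "0x7"),
    _sample(4769, "bob@CORP.EXAMPLE", "backupsvc", "::ffff:10.0.0.50", "0x7"),
    _sample(4768, "carol", "krbtgt", "::ffff:10.0.0.60", "0x6"),  # not a 4769
]) + "</Events>"

def failed_requests(xml_text):
    """Return the 4769 events whose Status (failure code) is non-zero."""
    out = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4769":
            continue
        f = {d.get("Name"): (d.text or "")
             for d in ev.iterfind("e:EventData/e:Data", NS)}
        code = int(f.get("Status") or "0x0", 16)
        if code:  # 0x0 means the ticket was issued
            out.append({"account": f.get("TargetUserName"),
                        "service": f.get("ServiceName"),
                        "client": f.get("IpAddress", "").removeprefix("::ffff:"),
                        "code": code, "reason": CODES.get(code, "see RFC 4120")})
    return out

def noisy_clients(failures, threshold=3):
    """Clients with at least `threshold` failures, with per-code counts."""
    per_client = defaultdict(Counter)
    for f in failures:
        per_client[f["client"]][f["code"]] += 1
    return {c: dict(n) for c, n in per_client.items()
            if sum(n.values()) >= threshold}
```

A single client failing against several different service names with the same code, as 10.0.0.50 does in the sample, is the kind of recurring pattern worth reviewing, whether its cause turns out to be a misconfigured service or something less benign.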

Conclusion

It is essential for an administrator to have complete visibility over what is happening on their Active Directory to ensure that any suspicious activity relating to potential security threats is identified and responded to immediately.

The Lepide Active Directory auditing tool enables effective monitoring, auditing, and reporting on all Active Directory states and changes, including account logon events. Pre-configured account logon reports help identify malicious users attempting to log on to machines that require elevated privileges.

Terry Mann

Terry is an energetic and versatile Sales Person within the Internet Security sector, developing growth opportunities as well as bringing on net new opportunities.
