事件 ID 4771 - Kerberos 预身份验证失败

---

当票证授予票证 (TGT) 失败时，它将记录事件 ID 4771 日志 Kerberos 预身份验证失败。

当用户在其工作站中输入其域用户名和密码时，工作站会联系本地域控制器 (DC) 并请求 Kerberos TGT（票证授予票证）。

如果域用户名和密码经过验证并通过安全限制检查，域控制器 (DC) 会授予 TGT 并记录事件 ID 4768。

如果票证请求在 Kerberos 预身份验证步骤期间失败，则会引发事件 ID 4768。

如果请求 TGT 失败，该事件将被记录到事件 ID 4771 并记录在 DC 上。

如果为帐户设置了“不需要 Kerberos 预身份验证”选项，则不会生成事件。

在本文中，我们将讨论事件 ID 4771、有关事件 ID 4771 的信息以及结果代码。

事件 ID 4771 信息

让我们详细了解事件 ID 4771 及其字段。

事件 ID 4771 XML 格式

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
 <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{62736363-7623-8273-B5CA-2E3C0352D30E}" /> 
 <EventID>4771</EventID> 
 <Version>0</Version> 
 <Level>0</Level> 
 <Task>14339</Task> 
 <Opcode>0</Opcode> 
 <Keywords>0x8010000000000000</Keywords> 
 <TimeCreated SystemTime="2022-01-22T18:10:21.495462300Z" /> 
 <EventRecordID>16708</EventRecordID> 
 <Correlation /> 
 <Execution ProcessID="520" ThreadID="1084" /> 
 <Channel>Security</Channel> 
 <Computer>DC01.ShellGeek.local</Computer> 
 <Security /> 
 </System>
- <EventData>
 <Data Name="TargetUserName">admin</Data> 
 <Data Name="TargetSid">S-1-4-21-2637363212-72736362722-73374747474-1288</Data> 
 <Data Name="ServiceName">krbtgt/SHELLGEEK.LOCAL</Data> 
 <Data Name="TicketOptions">0x40810010</Data> 
 <Data Name="Status">0x10</Data> 
 <Data Name="PreAuthType">15</Data> 
 <Data Name="IpAddress">::ffff:10.101.22.112</Data> 
 <Data Name="IpPort">46272</Data> 
 <Data Name="CertIssuerName" /> 
 <Data Name="CertSerialNumber" /> 
 <Data Name="CertThumbprint" /> 
 </EventData>
 </Event>

酷提示：如何在 PowerShell 中将 XML 转换为 CSV 文件！

字段说明：

账户信息

• 安全 ID： 请求 TGT 票证的帐户的安全 ID。

• 帐户名称：请求 TGT 票据的帐户名称。例如，管理员

服务信息

• 服务名称：TGT 请求发送到的 Kerberos 领域中的服务名称。例如 krbtgt/SHELLGEEK.LOCAL

网络信息

• 客户端地址：接收 TGT 请求的计算机的 IP 地址。例如：::ffff:10.101.22.112

• 客户端端口：客户端网络连接（TGT请求连接）的源端口号。例如：46272

其他信息

• 票证选项：这组不同的票证标志采用十六进制格式。例如：0x40810010

最常见的值：

• 0x40810010 - 可转发、可更新、规范化、可更新-ok
• 0x40810000 - 可转发、可更新、规范化
• 0x60810010 - 可转发、转发、可更新、规范化、可更新-ok

酷提示：事件 ID 4634 - 帐户已注销！

票证标志如下表所示

BitFlag NameDescription0Reserved-1Forwardable(TGT only). Tells the ticket-granting service that it can issue a new TGT—based on the presented TGT—with a different network address based on the presented TGT.2ForwardedIndicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT.3Proxiable(TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT.4ProxyIndicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket.5Allow-postdatePostdated tickets SHOULD NOT be supported inKILE(Microsoft Kerberos Protocol Extension).6PostdatedPostdated tickets SHOULD NOT be supported inKILE(Microsoft Kerberos Protocol Extension).7InvalidThis flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets that have this flag set.8RenewableUsed in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically.9InitialIndicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT.10Pre-authentIndicates that the client was authenticated by the KDC before a ticket was issued. This flag usually indicates the presence of an authenticator in the ticket. It can also flag the presence of credentials taken from a smart card logon.11Opt-hardware-authThis flag was originally intended to indicate that hardware-supported authentication was used during pre-authentication. This flag is no longer recommended in the Kerberos V5 protocol. KDCs MUST NOT issue a ticket with this flag set. KDCs SHOULD NOT preserve this flag if it is set by another KDC.12Transited-policy-checkedKILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag.13Ok-as-delegateThe KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation.14Request-anonymousKILE does not use this flag.15Name-canonicalizeTo request referrals, the Kerberos client MUST explicitly request the “canonicalize” KDC option for the AS-REQ or TGS-REQ.16-25Unused-26Disable-transited-checkBy default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor
the DISABLE-TRANSITED-CHECK option.
Should not be in use, because Transited-policy-checked flag is not supported by KILE.27Renewable-okThe RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server.28Enc-tkt-in-skeyNo information.29Unused-30RenewThe RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header.31ValidateThis option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE.

酷提示：事件 ID 4776 代码 0xc0000234 - 修复以查找尝试来源！

• 失败代码： TGT 发行操作失败的十六进制失败代码。下表列出了故障错误代码。

CodeCode NameDescriptionPossible causes0x0KDC_ERR_NONENo error0x1KDC_ERR_NAME_EXPClient’s entry in database has expired0x2KDC_ERR_SERVICE_EXPServer’s entry in database has expired0x3KDC_ERR_BAD_PVNORequested protocol version number not supported0x4KDC_ERR_C_OLD_MAST_KVNOClient’s key encrypted in old master key0x5KDC_ERR_S_OLD_MAST_KVNOServer’s key encrypted in old master key0x6KDC_ERR_C_PRINCIPAL_UNKNOWNClient not found in Kerberos database0x7KDC_ERR_S_PRINCIPAL_UNKNOWNServer not found in Kerberos database0x8KDC_ERR_PRINCIPAL_NOT_UNIQUEMultiple principal entries in database0x9KDC_ERR_NULL_KEYThe client or server has a null key0xaKDC_ERR_CANNOT_POSTDATETicket not eligible for postdating0xbKDC_ERR_NEVER_VALIDRequested starttime is later than end time0xcKDC_ERR_POLICYKDC policy rejects request0xdKDC_ERR_BADOPTIONKDC cannot accommodate requested option0xeKDC_ERR_ETYPE_NOSUPPKDC has no support for encryption type0xfKDC_ERR_SUMTYPE_NOSUPPKDC has no support for checksum type0x10KDC_ERR_PADATA_TYPE_NOSUPPKDC has no support for PADATA type (pre-authentication data)Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller.
It can also happen when a domain controller doesn’t have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).0x11KDC_ERR_TRTYPE_NOSUPPKDC has no support for transited type0x12KDC_ERR_CLIENT_REVOKEDClients credentials have been revoked0x13KDC_ERR_SERVICE_REVOKEDCredentials for server have been revoked0x14KDC_ERR_TGT_REVOKEDTGT has been revoked0x15KDC_ERR_CLIENT_NOTYETClient not yet valid; try again later0x16KDC_ERR_SERVICE_NOTYETServer not yet valid; try again later0x17KDC_ERR_KEY_EXPIREDPassword has expired—change password to resetThe user’s password has expired.0x18KDC_ERR_PREAUTH_FAILEDPre-authentication information was invalidThe wrong password was provided.0x19KDC_ERR_PREAUTH_REQUIREDAdditional pre-authentication required0x1aKDC_ERR_SERVER_NOMATCHRequested server and ticket don’t match0x1bKDC_ERR_MUST_USE_USER2USERServer principal valid for user2user only0x1cKDC_ERR_PATH_NOT_ACCEPTEDKDC Policy rejects transited path0x1dKDC_ERR_SVC_UNAVAILABLEA service is not available0x1fKRB_AP_ERR_BAD_INTEGRITYIntegrity check on decrypted field failed0x20KRB_AP_ERR_TKT_EXPIREDTicket expired0x21KRB_AP_ERR_TKT_NYVTicket not yet valid0x22KRB_AP_ERR_REPEATRequest is a replay0x23KRB_AP_ERR_NOT_USThe ticket isn’t for us0x24KRB_AP_ERR_BADMATCHTicket and authenticator don’t match0x25KRB_AP_ERR_SKEWClock skew too great0x26KRB_AP_ERR_BADADDRIncorrect net address0x27KRB_AP_ERR_BADVERSIONProtocol version mismatch0x28KRB_AP_ERR_MSG_TYPEInvalid msg type0x29KRB_AP_ERR_MODIFIEDMessage stream modified0x2aKRB_AP_ERR_BADORDERMessage out of order0x2cKRB_AP_ERR_BADKEYVERSpecified version of key is not available0x2dKRB_AP_ERR_NOKEYService key not available0x2eKRB_AP_ERR_MUT_FAILMutual authentication failed0x2fKRB_AP_ERR_BADDIRECTIONIncorrect message direction0x30KRB_AP_ERR_METHODAlternative authentication method required0x31KRB_AP_ERR_BADSEQIncorrect sequence number in message0x32KRB_AP_ERR_INAPP_CKSUMInappropriate type of checksum in message0x33KRB_AP_PATH_NOT_ACCEPTEDPolicy rejects transited path0x34KRB_ERR_RESPONSE_TOO_BIGResponse too big for UDP; retry with TCP0x3cKRB_ERR_GENERICGeneric error (description in e-text)0x3dKRB_ERR_FIELD_TOOLONGField is too long for this implementation0x3eKDC_ERROR_CLIENT_NOT_TRUSTEDReserved for PKINIT0x3fKDC_ERROR_KDC_NOT_TRUSTEDReserved for PKINIT0x40KDC_ERROR_INVALID_SIGReserved for PKINIT0x41KDC_ERR_KEY_TOO_WEAKReserved for PKINIT0x42KDC_ERR_CERTIFICATE_MISMATCHReserved for PKINIT0x43KRB_AP_ERR_NO_TGTNo TGT available to validate USER-TO-USER0x44KDC_ERR_WRONG_REALMReserved for future use0x45KRB_AP_ERR_USER_TO_USER_REQUIREDTicket must be for USER-TO-USER0x46KDC_ERR_CANT_VERIFY_CERTIFICATEReserved for PKINIT0x47KDC_ERR_INVALID_CERTIFICATEReserved for PKINIT0x48KDC_ERR_REVOKED_CERTIFICATEReserved for PKINIT0x49KDC_ERR_REVOCATION_STATUS_UNKNOWNReserved for PKINIT0x4aKDC_ERR_REVOCATION_STATUS_UNAVAILABLEReserved for PKINIT0x4bKDC_ERR_CLIENT_NAME_MISMATCHReserved for PKINIT0x4cKDC_ERR_KDC_NAME_MISMATCHReserved for PKINIT

酷提示：如何在 PowerShell 中操作 Active Directory UserAccountControl 标志！

• 预认证类型：TGT请求中使用的预认证类型代码。

预认证类型如下表所示

TypeType NameDescription0-Logon without Pre-Authentication.2PA-ENC-TIMESTAMPThis type is normal for standard password authentication.11PA-ETYPE-INFOThe ETYPE-INFO pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in Microsoft Active Directory environment.15PA-PK-AS-REP_OLDUsed for Smart Card logon authentication.16PA-PK-AS-REQRequest sent to KDC in Smart Card authentication scenarios.17PA-PK-AS-REPThis type should also be used for Smart Card authentication, but in certain Active Directory environments, it is never seen.19PA-ETYPE-INFO2The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.
Never saw this Pre-Authentication Type in the Microsoft Active Directory environment.20PA-SVR-REFERRAL-INFOUsed in KDC Referrals tickets.138PA-ENCRYPTED-CHALLENGELogon using Kerberos Armoring (FAST). Supported starting from Windows Server 2012 domain controllers and Windows 8 clients.

认证信息

• 证书颁发者名称：颁发智能卡证书的证书颁发机构的名称。对于 4771 事件，它始终保持为空。
• 证书序列号：智能卡证书的序列号。
• 证书指纹：智能卡证书的指纹。

酷提示：事件 ID 4625 状态代码 0xc000006a - 修复以查找尝试来源！

结论

在上面有关事件 ID 4771 的文章中，我们讨论了事件 ID 4771 信息、其字段及其在事件中使用的代码。

最佳实践是，监控客户端 IP 地址是否来自您的内部 IP 范围内或外部。

如果客户端 IP 或帐户名不是来自您的组织，您可以设置警报或触发器。它将帮助您保护域中的计算机。

酷提示：事件 ID 4670 - 对象的权限已更改！

本文参考 Microsoft 官方知识库文章获取错误代码。您可以在官方 Microsoft 知识库文章中找到更多 Kerberos 票证错误代码和失败错误代码。

您可以在 ShellGeek 主页上找到有关 PowerShell Active Directory 命令和 PowerShell 基础知识的更多主题。

您可以阅读有关其他 Windows 安全和系统事件日志的更多信息，如下所示：

• 事件 ID 4670 - 系统重新启动或关闭
• 事件 ID 4624 - 帐户已成功登录。