Nikos2019
Hello everyone,
I recently made a post about Kerberos TGT requests on my Server 2012 R2. The event ID 4768 entry is this one:
A Kerberos authentication ticket (TGT) was requested.
Account Information:
Account Name: S-1-5-21-262885580-2243684832-3334250267-1001
Supplied Realm Name: DomainName.LOCAL
User ID: NULL SID
Service Information:
Service Name: krbtgt/DomainName.LOCAL
Service ID: NULL SID
Network Information:
Client Address: ::1
Client Port: 0
Additional Information:
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: 0xFFFFFFFF
Pre-Authentication Type: -
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options, encryption types and result codes are defined in RFC
After some research that I did on my server, looking at the domain controller, I found out that the unknown SIDs that trigger Kerberos TGT are:
S-1-5-21-262885580-2243684832-3334250267-1153 is the object ID of an old domain computer that I have in Active Directory Users and Computers / Computers.
And also the unknown SID S-1-5-21-262885580-2243684832-3334250267-1001 is the object ID of my domain controller inside Active Directory Users and Computers / Domain Controllers.
Does anyone know what could possibly trigger Kerberos TGT? I also have the ESET Admin Console on the server.
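For triaging an event like the one quoted in the post, here is an added example (not part of the original post) that parses the rendered 4768 message and decodes the Result Code and Ticket Options fields with the values RFC 4120 defines. The function names are hypothetical and the lookup tables are deliberately partial subsets.

```python
import ipaddress
import re
# Subset of RFC 4120 error codes that can appear as the 4768 "Result Code".
RESULT_CODES = {0x0: "KDC_ERR_NONE", 0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
                0x12: "KDC_ERR_CLIENT_REVOKED", 0x18: "KDC_ERR_PREAUTH_FAILED"}
# Subset of KDCOptions flags; RFC 4120 counts bit 0 as the most significant bit.
KDC_OPTIONS = {1: "forwardable", 3: "proxiable", 8: "renewable",
               15: "canonicalize", 27: "renewable-ok", 30: "renew", 31: "validate"}
DOMAIN_SID = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")
# Field values copied from the event quoted in the post above.
SAMPLE_EVENT = """\
Account Name: S-1-5-21-262885580-2243684832-3334250267-1001
Client Address: ::1
Ticket Options: 0x40810010
Result Code: 0x6
"""

def parse_4768(text):
    """Return the 'Key: Value' fields of the rendered event message."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split at the first colon only
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def decode_options(hex_value):
    """Names of the KDCOptions bits set in the Ticket Options value."""
    value = int(hex_value, 16)
    return [name for bit, name in sorted(KDC_OPTIONS.items())
            if value & (1 << (31 - bit))]

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr.removeprefix("::ffff:")).is_loopback
    except ValueError:  # e.g. "-" when no address was logged
        return False

def triage(fields):
    """Summarise the fields an analyst checks first on a failed TGT request."""
    code = int(fields["Result Code"], 16)
    sid = DOMAIN_SID.match(fields["Account Name"])
    return {
        "result": RESULT_CODES.get(code, f"unmapped code {code:#x}"),
        "options": decode_options(fields["Ticket Options"]),
        "account_is_sid": sid is not None,  # a SID string instead of a name
        "rid": int(sid.group(1)) if sid else None,
        "from_loopback": is_loopback(fields["Client Address"]),
    }
```

Calling `triage(parse_4768(SAMPLE_EVENT))` returns the decoded summary for the event in the post.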