Kerberos Unknown SIDs do exist in Server 2012 R2

Nikos2019

Hello Everyone

I recently made a post about Kerberos TGT requests on my Server 2012 R2. The event, ID 4768, is this one:

A Kerberos authentication ticket (TGT) was requested.
Account Information:
Account Name: S-1-5-21-262885580-2243684832-3334250267-1001
Supplied Realm Name: DomainName.LOCAL
User ID: NULL SID

Service Information:
Service Name: krbtgt/DomainName.LOCAL
Service ID: NULL SID

Network Information:
Client Address: ::1
Client Port: 0

Additional Information:
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: 0xFFFFFFFF
Pre-Authentication Type: -

Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.


Pre-authentication types, ticket options, encryption types and result codes are defined in RFC


After some research that I did on my server, looking at the domain controller, I found out that the unknown SIDs that trigger Kerberos TGT are:

S-1-5-21-262885580-2243684832-3334250267-1153 is the object ID of an old domain computer that I have in Active Directory Users and Computers / Computers.

And also the unknown SID S-1-5-21-262885580-2243684832-3334250267-1001 is the object ID of my domain controller inside Active Directory Users and Computers / Domain Controllers.

Does anyone know what could possibly trigger Kerberos TGT? I also have the ESET Admin Console on the server.
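
A triage sketch for events like the one quoted above, added here as an example and not part of the original post: it parses the 4768 message text, flags requests whose Account Name is a raw domain SID, and names the result code (0x6 is KDC_ERR_C_PRINCIPAL_UNKNOWN in RFC 4120). The function names and the shortened sample event are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: a shortened copy of the 4768 message layout quoted in the post.
SAMPLE_EVENT = """\
A Kerberos authentication ticket (TGT) was requested.
Account Information:
Account Name: S-1-5-21-262885580-2243684832-3334250267-1001
Network Information:
Client Address: ::1
Additional Information:
Result Code: 0x6
Ticket Encryption Type: 0xFFFFFFFF
"""

# Subset of the RFC 4120 KDC error codes that show up as 4768 result codes.
RESULT_CODES = {
    0x0: "success", 0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x12: "KDC_ERR_CLIENT_REVOKED", 0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
}
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")  # domain SID, captures the RID
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z][A-Za-z \-]*?):[ \t]*(.*)$", re.M)

def parse_4768(message):
    """Return the 'Name: value' lines of one event message as a dict."""
    return {k.strip(): v.strip() for k, v in FIELD_RE.findall(message)}

def triage(message):
    """Summarise one event and flag an Account Name logged as a raw SID."""
    f = parse_4768(message)
    code = int(f.get("Result Code", "0x0"), 16)
    sid = SID_RE.match(f.get("Account Name", ""))
    return {
        "account": f.get("Account Name"),
        "rid": int(sid.group(1)) if sid else None,
        "account_is_sid": bool(sid),
        "result": RESULT_CODES.get(code, hex(code)),
        "client": f.get("Client Address"),
        "local_request": f.get("Client Address") in ("::1", "127.0.0.1"),
    }

def summarise(messages):
    """Count failed SID-named requests per (account, client address, result)."""
    rows = (triage(m) for m in messages)
    return Counter(
        (r["account"], r["client"], r["result"])
        for r in rows if r["account_is_sid"] and r["result"] != "success"
    )
```

Grouping by client address separates requests that originate on the domain controller itself (`::1`) from requests sent by other hosts.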

