Summary:
- Event ID 4768 Source
- Enable Event 4768 through Group Policy
- Enable Event 4768 via Auditpol
- Stop Event 4768 via GPO and Auditpol
Event ID 4768 Source
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/5/2014 3:43:20 PM
Event ID: 4768
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Success
User: N/A
Computer: Work2008R2.TestDomain.local
Description:
A Kerberos authentication ticket (TGT) was requested.
Account Information:
    Account Name: LTest
    Supplied Realm Name: TESTDOMAIN
    User ID: TESTDOMAIN\LTest
Service Information:
    Service Name: krbtgt
    Service ID: TESTDOMAIN\krbtgt
Network Information:
    Client Address: 192.78.2.145
    Client Port: 0
Additional Information:
    Ticket Options: 0x40810010
    Result Code: 0x0
    Ticket Encryption Type: 0x12
    Pre-Authentication Type: 2
Certificate Information:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
Enable AD Logon Audit Event 4768 via Group Policy
To enable Event ID 4768 on every Domain Controller, configure the audit settings in the Default Domain Controllers Policy. Alternatively, you can create a new GPO and link it to the Domain Controllers OU via the GPMC console, or configure the corresponding policies in the Local Security Policy of each Domain Controller.
Follow the steps below to enable the Active Directory Kerberos Logon Audit event 4768 via the Default Domain Controllers Policy.
1. Press the Windows key + R.
2. Type the command gpmc.msc, and click OK.
Note: Skip the above steps by clicking Start –>Administrative Tools –>Group Policy Management.
3. Expand the domain node and the Domain Controllers OU, right-click the Default Domain Controllers Policy, then click Edit.
4. Expand the Computer Configuration node and Security Settings, and navigate to the Audit Policy node (Computer Configuration->Policies->Windows Settings->Security Settings-> Advanced Audit Policy Configuration -> Audit Policies->Account Logon).
5. In the right-side pane, double-click Audit account logon events and set both Success and Failure to enable the Kerberos logon event 4768.
Note: In Windows 2008 R2 and later versions, you can also control this event by subcategory-level setting via Advanced Audit Policy Configuration.
Expand Computer Configuration and Security Settings, navigate to the Account Logon node (Computer Configuration->Policies->Windows Settings->Security Settings-> Advanced Audit Policy Configuration -> Audit Policies->Account Logon), and set Audit Kerberos Authentication Service to Success and Failure.
6. Run the command gpupdate /force from command prompt to update Group Policy settings.
Enable/Configure Event ID 4768 via Auditpol
Auditpol.exe is the command-line utility for changing audit security settings at the category and subcategory level. It is available by default in Windows 2008 R2 and later versions, and in Windows 7 and later versions. With Auditpol, you can get and set audit security settings at both the per-user level and the computer level.
Note: You should run the Auditpol command with elevated privileges (Run As Administrator).
You can enable Event 4768 through the Kerberos Authentication Service subcategory by using the following commands:
Success Audit:
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable
Failure Audit:
auditpol /set /subcategory:"Kerberos Authentication Service" /Failure:enable
To update or refresh GPO settings, run the command gpupdate /force
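To confirm that the Group Policy or Auditpol change above actually took effect, the following added example (not part of the original article) reads the effective subcategory setting and lists the most recent 4768 events. It assumes an elevated PowerShell session on a Domain Controller and an English-language OS; the variable names and output columns are illustrative.

```powershell
# Added example: verify that auditing for Event ID 4768 is active on this DC.
# Assumption: English-language OS (auditpol's CSV column names are localized).
$subcategory = 'Kerberos Authentication Service'

# 1. Read the effective policy. /r switches auditpol to CSV output.
$row = auditpol /get /subcategory:"$subcategory" /r |
    Where-Object { $_.Trim() } |          # drop blank lines before parsing
    ConvertFrom-Csv
$setting = $row.'Inclusion Setting'
Write-Host "Effective setting for '$subcategory': $setting"

if ($setting -ne 'Success and Failure') {
    Write-Warning "Expected 'Success and Failure'. Re-check the GPO, then run gpupdate /force."
}

# 2. Confirm the DC is actually writing 4768 events to the Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No 4768 events found yet. Log on with a domain account and run this again.'
}
else {
    $summary = foreach ($evt in $events) {
        # Flatten the <EventData> name/value pairs into a hashtable.
        $fields = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $fields[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time        = $evt.TimeCreated
            Account     = $fields['TargetUserName']
            Realm       = $fields['TargetDomainName']
            Client      = $fields['IpAddress']
            ResultCode  = $fields['Status']                # 0x0 = success
            EncType     = $fields['TicketEncryptionType']
            PreAuthType = $fields['PreAuthType']
        }
    }
    $summary | Format-Table -AutoSize
}
```

Failure events only appear when Failure auditing is enabled, so a result list containing only ResultCode 0x0 on a busy domain is a hint that only Success is being audited.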
Disable/Stop Event ID 4768
You can disable or stop the audit Event 4768 by removing the success and failure audit of the Kerberos Authentication Service subcategory with the following command.
auditpol /set /subcategory:"Kerberos Authentication Service" /success:disable /failure:disable
You can also stop this event by removing the success and failure setting from the Default Domain Controllers Policy's category-level setting path (Computer Configuration->Policies->Windows Settings->Security Settings-> Advanced Audit Policy Configuration -> Audit Policies->Account Logon->Audit account logon events)
or from the subcategory-level setting (Computer Configuration->Policies->Windows Settings->Security Settings-> Advanced Audit Policy Configuration -> Audit Policies->Account Logon->Audit Kerberos Authentication Service).
Note: This article applies only to Windows Server 2008 R2, Windows Server 2012, Windows 7 and Windows 8.
Thanks,
Morgan
Software Developer