Kerberos authentication ticket - Event ID 4768 - Audit failure
I am using kerberos to authenticate a user and its failing. Audit failure details in event viewer are following
A Kerberos authentication ticket (TGT) was requested.
Account Information:
Account Name: ax
Supplied Realm Name: TEST.COM
User ID: NULL SID
Service Information:
Service Name: krbtgt/TEST.COM
Service ID: NULL SID
Network Information:
Client Address: ::ffff:2.2.2.60
Client Port: 38532
Additional Information:
Ticket Options: 0x40800000
Result Code: 0x6
Ticket Encryption Type: 0xffffffff
Pre-Authentication Type: -
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
The result code 0x6 means that user doesn't exist in Kerberos database but i have a user already configured in AD. This is windows server 2008 (non-R2) and user account name is "axtest" and User logon name is "ax/mytest". The domain name is test.com. From wireshark, i can see that my client is sending AS-REQ which has correct 2 name string items ax & mytest. I am not sure why is it failing.
Solution
I found the problem. Since i was running old Microsoft 2008 version, it was missing the hotfix (KB951191). Installing that resolved the issue.
- How to securely manage JWT, user role, and login status in localStorage?
- Securing CSP report-uri payloads
- clerk Authentication afterSignOutUrl property not known typescript error in React
- I want to create a login with a cookie and check the database if I am logged in, but the cookie is not created, I don't know where I went wrong
- Android - Session Cookies
- Enable both Windows authentication and Anonymous authentication in an ASP.NET Core app
- What is the Purpose of "postmessage" in a Redirect URI?
- Can I use MSI Token for Azure DevOps REST APIs?
- What's the simplest way to authenticate an AWS IAM role in a custom service?
- who creates the passkey (and how many will be created?)
- .NET Core : Calling DownstreamApi.CallApiForUserAsync with non-default authentication scheme
- Onesignal login() function creates a seperate user record
- What's the purpose of the client secret in OAuth2?
- How does one acquire Basic Auth credentials from JavaScript/HTML?
- Connect to PostgreSQL database in Docker container using 3rd party application
- LinkedIn API - ACCESS_DENIED - Not enough permissions to access
- Enable autologin into flask app using active directory
- 'git push heroku master' is still asking for authentication
- Should I use PKCE for OpenID Connect with Native Desktop Application?
- Keycloak authentication with `react-oidc-context`: "No matching state found in storage" after page refresh
- Apply method in my AuthenticationFilter not getting called
- Bearer Authentication in Python
- how to completely destroy client side session with NextAuth.js & AWS Cognito
- Is there a way to move the anonymous user back to internal in Artifactory?
- Is it possible to create a JWT authentication or something similar in Node.js without using frameworks?
- What's the point of refresh token?
- What is the purpose of a "Refresh Token"?
- Flask HTTP Basicauth - How does it work?
- BlazorNotifyAuthenticationStateChanged doesn't update authorized-based elements
- httpOnly cookie with React NodeJS not sending cookie to server by applying the network IP address