Audit Kerberos Authentication Service
- Windows 10
- Windows Server 2016
Audit Kerberos Authentication Service determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests.
If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful attempts and Failure audits record unsuccessful attempts.
Event volume: High on Kerberos Key Distribution Center servers.
This subcategory contains events about issued TGTs and failed TGT requests. It also contains events about failed Pre-Authentications, due to wrong user password or when the user’s password has expired.
|Computer Type||General Success||General Failure||Stronger Success||Stronger Failure||Comments|
|Domain Controller||Yes||Yes||Yes||Yes||We recommend Success auditing, because you will see all Kerberos Authentication requests (TGT requests), which are a part of domain account logons. Also, you can see the IP address from which this account requested a TGT, when TGT was requested, which encryption type was used and so on.
We recommend Failure auditing, because you will see all failed requests with wrong password, username, revoked certificate, and so on. You will also be able to detect Kerberos issues or possible attack attempts.
Expected volume is high on domain controllers.
|Member Server||No||No||No||No||This subcategory makes sense only on domain controllers.|
|Workstation||No||No||No||No||This subcategory makes sense only on domain controllers.|