How to audit Kerberos authentication events in Active Directory

Kerberos replaced NT LAN Manager (NTLM) as the default authentication protocol for Windows, as a much faster and safer alternative. IT administrators can enable auditing of Kerberos authentication, which records the events created during this process. Admins can monitor these events to keep an eye on both failed and successful logon activity of users logging into the domain. Sudden anomalous changes, such as an unusually high number of failed logon attempts, could indicate a brute-force attack or other malicious activity. Read on to find out how to audit Kerberos authentication events.

Steps to enable auditing using Group Policy Management Console (GPMC):

  1. Press Start, search for, and open the Group Policy Management Console, or run the command gpmc.msc.
  2. Right-click on the domain or organizational unit (OU) that you want to audit, and click on Create a GPO in this domain, and Link it here.
  3. Name the Group Policy Object (GPO) as appropriate.
  4. Right-click on the newly created or already existing GPO, and choose Edit.
  5. In the Group Policy Management Editor, on the left pane, navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Logon.
  6. In the right pane, you will see a list of policies that are under Account Logon. Double-click on Audit Kerberos Authentication Service, and check the boxes labeled Configure the following audit events:, Success, and Failure.
  7. Perform the same actions for the policy Audit Kerberos Service Ticket Operations.
  8. Click on Apply, and then click on OK.
  9. Go back to the Group Policy Management Console, and on the left pane, right-click the OU in which the GPO was linked, and click on Group Policy Update. This step ensures that the new Group Policy settings are applied instantly instead of waiting for the next scheduled refresh.

Steps to view Kerberos authentication events using Event Viewer

Once the above steps are complete, Kerberos authentication events will be stored in the event log. These events can be viewed in the Event Viewer by performing the following actions on the domain controller (DC):

  1. Press Start, search for Event Viewer, and click to open it.
  2. In the Event Viewer window, on the left pane, navigate to Windows Logs → Security.
  3. Here, you will find a list of all the Security events that are logged on the system.
  4. On the right pane, under Security, click on Filter Current Log.
  5. In the pop-up window, enter the desired Event ID*, as referenced in the table below, in the field labeled <All Event IDs>.

* The following Event IDs are generated for the given events:

| Event ID | Subcategory                       | Event Type          | Description                                            |
|----------|-----------------------------------|---------------------|--------------------------------------------------------|
| 4768     | Kerberos Authentication Service   | Success and Failure | A Kerberos authentication ticket (TGT) was requested   |
| 4769     | Kerberos Service Ticket Operations| Success and Failure | A Kerberos service ticket was requested                |
| 4770     | Kerberos Service Ticket Operations| Success             | A Kerberos service ticket was renewed                  |
| 4771     | Kerberos Authentication Service   | Failure             | Kerberos pre-authentication failed                     |
| 4772     | Kerberos Authentication Service   | Failure             | A Kerberos authentication ticket request failed        |
| 4773     | Kerberos Service Ticket Operations| Failure             | A Kerberos service ticket request failed               |
  6. Click on OK. This will provide you with a list of occurrences of that Event ID.
  7. Double-click on the Event ID to view its Properties.
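As an added example (not code from the ManageEngine page), the following PowerShell, run in an elevated session on a domain controller, verifies that the two audit subcategories set by the GPO steps above are in effect, then pulls the Kerberos event IDs from the table out of the Security log and flags accounts with an unusual number of failed pre-authentications (Event ID 4771). The one-hour lookback window and the threshold of 20 are assumed values to tune for your environment.

```powershell
# Added example, not part of the ManageEngine page: verify on a DC that the two
# subcategories set by the GPO above are effective, then pull the Kerberos events
# from the table and flag accounts with many failed pre-authentications (ID 4771).
# Assumptions: elevated PowerShell on a domain controller; the lookback window
# and threshold below are constructed values, tune them for your environment.

# 1. Check the effective audit policy (both should report "Success and Failure").
auditpol /get /subcategory:"Kerberos Authentication Service"
auditpol /get /subcategory:"Kerberos Service Ticket Operations"

# 2. Query the Security log for the Kerberos event IDs listed in the table above.
$lookback = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4768, 4769, 4770, 4771, 4772, 4773
    StartTime = $lookback
} -ErrorAction SilentlyContinue   # Get-WinEvent raises an error when nothing matches

# 3. Flatten each event's EventData into the fields an analyst needs.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($f in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$f.Name] = $f.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Account = $data['TargetUserName']
        Service = $data['ServiceName']
        Client  = $data['IpAddress']
        Status  = $data['Status']   # Kerberos result code: 0x0 = success, 0x18 = pre-auth failed
    }
}

# 4. Volume per event ID over the window (a baseline to compare later runs against).
$rows | Group-Object Id | Select-Object Name, Count | Sort-Object Name

# 5. Spike detection: accounts with an unusual number of failed pre-auths,
#    together with the client addresses the failures came from.
$threshold = 20
$rows | Where-Object { $_.Id -eq 4771 } |
    Group-Object Account |
    Where-Object { $_.Count -ge $threshold } |
    ForEach-Object {
        $clients = ($_.Group.Client | Sort-Object -Unique) -join ', '
        '{0} failed pre-auth attempts for {1} from {2}' -f $_.Count, $_.Name, $clients
    }
```

Because each DC logs only the requests it served, run this on every DC (or forward the Security logs centrally) to get the domain-wide picture the Limitations section below describes.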

Limitations of Active Directory (AD) native auditing:

  • An administrator would have to search for each Event ID to view its properties. This is highly impractical and time-consuming, even for small organizations.
  • No useful insights are provided by native auditing. If the admin wants to monitor, or be notified of, a sudden spike in logon activity or anomalous user behavior, it is not possible with native auditing alone.
  • Kerberos authentication events could be logged on any DC in the domain. An administrator would have to monitor events on each DC, which is an excessive amount of work. A centralized tool to monitor all the events will reduce the load immensely.

ManageEngine ADAudit Plus is an Active Directory auditing tool that can help monitor user logon activity using Kerberos authentication events. You can also detect possible security threats with reports on anomalous logon activity and automate responses to such threats.

Steps to audit Kerberos authentication using ManageEngine ADAudit Plus

  1. Download and install ADAudit Plus.
  2. Find the steps to configure auditing on your domain controller here.
  3. Open the ADAudit Plus console, log in as an administrator, and navigate to Reports → Active Directory → User Management → User Logon Activity.
Gain deeper insight into logons taking place in your organization, and understand when and where each logon took place.
Monitor users logged into multiple computers to detect security risks in your organization since a third party might be accessing the user account to gain control.
Monitor and obtain reports for all logon activity on DCs, member servers, and workstations.

Advantages of using ADAudit Plus:

  • ADAudit Plus enables you to audit and track user logon activity in your network in real-time, and helps detect potentially malicious activities.
  • Protect your AD from security threats by receiving alerts on anomalous activity. Incidents such as an unusually high volume of logon attempts, logons taking place at unusual times, or the first time a user accesses a host remotely, are signs of compromise in the network.
  • Uncover the reason for repeated account lockouts using the account lockout analyzer, which helps you spot and resolve account lockouts faster.
 
