Steps to enable auditing using Group Policy Management Console (GPMC):

1. Press Start, search for, and open the Group Policy Management Console, or run the command gpmc.msc.

2. Right-click on the domain or organizational unit (OU) that you want to audit, and click on Create a GPO in this domain, and Link it here.

3. Name the Group Policy Object (GPO) as appropriate.
4. Right-click on the newly created or already existing GPO, and choose Edit.

5. In the Group Policy Management Editor, on the left pane, navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Logon.

6. In the right pane, you will see a list of policies that are under Account Logon. Double-click on Audit Kerberos Authentication Service, and check the boxes labeled Configure the following audit events:, Success, and Failure.

7. Perform the same actions for the policy Audit Kerberos Service Ticket Operations.

7. Click on Apply, and then click on OK.
8. Go back to the Group Policy Management Console, and on the left pane, right-click the OU in which the GPO was linked, and click on Group Policy Update. This step ensures that the new Group Policy settings are applied instantly instead of waiting for the next scheduled refresh.

Steps to view Kerberos authentication events using Event Viewer

Once the above steps are complete, Kerberos authentication events will be stored in the event log. These events can be viewed in the Event Viewer by performing the following actions on the domain controller (DC):

1. Press Start, search for Event Viewer, and click to open it.
2. In the Event Viewer window, on the left pane, navigate to Windows log ⟶ Security.
3. Here, you will find a list of all the Security Events that are logged in the system.

4. On the right pane, under Security, click on Filter Current Log.

5. In the pop-up window, enter the desired Event ID*, as referenced in the table below, in the field labeled <All Event IDs>.

* The following Event IDs are generated for the given events:

6. Click on OK. This will provide you with a list of occurrences of that Event ID.
7. Double-click on the Event ID to view its Properties.

Limitations of Active Directory (AD) native auditing:

• An administrator would have to search for each Event ID to view its properties. This is highly impractical and time-consuming, even for small organizations.
• No useful insights are provided using native auditing. If the admin wants to monitor, or be notified in case of sudden spike in login activities or anomalous user behavior, it's not possible with native auditing.
• Kerberos authentication events could be logged on any DC in the domain. An administrator would have to monitor events on each DC, which is an excessive amount of work. A centralized tool to monitor all the events will reduce the load immensely.

ManageEngine ADAudit Plus is an Active Directory auditing tool that can help monitor user logon activity using Kerberos authentication events. You can also detect possible security threats with reports on anomalous logon activity and automate responses to such threats.