Active Directory: Kerberos Client
2 events across 1 channel
| Event | Title | Channel | Sample |
|---|---|---|---|
| 1 | Kerberos Initialize Security Context Handler | ETW Trace | Y |
| 2 | Kerberos Initialize Security Context Handler | ETW Trace | Y |
Event ID 1: Kerberos Initialize Security Context Handler
#Message #
Example Event #
{
"system": {
"provider": "Active Directory: Kerberos Client",
"guid": "{BBA3ADD2-C229-4CDB-AE2B-57EB6966B0C4}",
"event_source_name": "",
"event_id": 1,
"version": 0,
"level": 0,
"task": 0,
"opcode": 1,
"keywords": "",
"time_created": "2026-06-02T05:04:51.797+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 1132,
"thread_id": 15272
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {},
"message": "KerbInitSecurityContext"
}
Event ID 2: Kerberos Initialize Security Context Handler
#Message #
Fields #
| Name | Description |
|---|---|
Status mof:UInt32 | NTSTATUS reference |
CredSource mof:String | |
DomainName mof:String | |
UserName mof:String | |
Target mof:String | |
ExtError mof:UInt32 | |
klininfo mof:UInt32 |
Example Event #
{
"system": {
"provider": "Active Directory: Kerberos Client",
"guid": "{BBA3ADD2-C229-4CDB-AE2B-57EB6966B0C4}",
"event_source_name": "",
"event_id": 2,
"version": 0,
"level": 0,
"task": 0,
"opcode": 2,
"keywords": "",
"time_created": "2026-06-02T05:04:51.798+00:00",
"event_record_id": 0,
"correlation": {},
"execution": {
"process_id": 1132,
"thread_id": 15272
},
"channel": "ETW Trace",
"computer": "JD-DC01-2022",
"security": {
"user_id": ""
}
},
"event_data": {
"CredSource": "0E0043006F006E007400650078007400",
"DomainName": "18004C0055004400550053002E0044004F004D00410049004E00",
"Status": 590610,
"Target": "70006C006400610070002F004A0044002D0044004300300031002D0032003000320032002E006C0075006400750073002E0064006F006D00610069006E002F006C0075006400750073002E0064006F006D00610069006E0040004C0055004400550053002E0044004F004D00410049004E00",
"UserName": "1A004A0044002D0044004300300031002D0032003000320032002400"
},
"message": "KerbInitSecurityContext"
}
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID {BBA3ADD2-C229-4CDB-AE2B-57EB6966B0C4}
Observed on:
- WS2025-26100.0, schema read from the WMI MOF class, captured 2026-02-26
Taken from Windows installation media (build 26100.1), not a patched system, so the exact update level is unknown.
- WS2022-20348.4893, sample captured from a live trace, captured 2026-06-02
- WS2022-20348.4893, schema read from the WMI MOF class, captured 2026-06-02
MOF class: MSKerbTrace
- Win11-26200.6584, schema read from the WMI MOF class, captured 2026-06-02
MOF class: MSKerbTrace