detection.wiki

Microsoft-Windows-Kerberos-Key-Distribution-Center

138 events across 6 channels

EventTitleChannelSample
3Could not find principalOperationalN
4Domain Domain propagated to us but did not authenticateOperationalN
5The KDC failed to update policy classOperationalN
6The KDC failed to update the trusted domain listOperationalN
7The Security Account Manager failed a KDC request in an unexpected wayOperationalN
8The account AccountName did not have a suitable key for generating a Kerberos …OperationalN
9The password on the KRBTGT account was changed.OperationalN
10The attempt to change the password on the KRBTGT account failedOperationalN
11The KDC encountered duplicate names while processing a Kerberos authentication …OperationalN
12A request failed from client realm ClientRealm for a ticket in realmOperationalN
13The account for Name has corrupt keys stored in the DSOperationalN
14While processing an AS request for target service Target, the account Account …OperationalN
15The request for an AS ticket for client Client was forwarded to the PDCOperationalN
16While processing a TGS request for the target server Target, the account Account …OperationalN
17When updating policy class Class, the KDC encountered invalid policy data and …OperationalN
18During TGS processing, the KDC was unable to verify the signature on the PAC …OperationalN
19This event indicates an attempt was made to use smartcard logon, but the KDC is …OperationalN
20The currently selected KDC certificate was once valid, but now is invalid and no …OperationalN
21The client certificate for the user Domain\Username is not valid, and resulted …OperationalN
22The KDC encountered a trust loop when building a list of trusted domainsOperationalN
23The KDC received invalid messages of typeOperationalN
24A service ticket request by client Client for Server was rejected because …OperationalN
25The account Name from domain Domain is attempting to use S4USelf for the target …OperationalN
26While processing an AS request for target service Target, the account Name did …OperationalN
27While processing a TGS request for the target server Target, the account Name …OperationalN
28When generating a cross realm referral from domain Domain the KDC was not able …OperationalN
29The Key Distribution Center (KDC) cannot find a suitable certificate to use for …OperationalN
30The Kerberos Key Distribution Center failed to locate the forest or domain …OperationalN
31A ticket to the service Server is issued for accountOperationalN
32The Key Distribution Center (KDC) uses a certificate without KDC Extended Key …OperationalN
33The Key Distribution Center (KDC) encountered failures when updating the krbtgt …OperationalN
34The Key Distribution Center (KDC) has the Dynamic Access Control and Kerberos …OperationalN
35The Key Distribution Center (KDC) encountered a ticket-granting-ticket (TGT) …OperationalN
36The Key Distribution Center (KDC) encountered a ticket that did not contain a …OperationalN
37The Key Distribution Center (KDC) encountered a ticket that did not contain …OperationalN
37The Key Distribution Center (KDC) encountered a ticket that did not contain …SystemY
38The Key Distribution Center (KDC) encountered a ticket that contained …OperationalN
39The Key Distribution Center (KDC) encountered a user certificate that was valid …OperationalN
40The Key Distribution Center (KDC) encountered a user certificate that was valid …OperationalN
41The Key Distribution Center (KDC) encountered a user certificate that was valid …OperationalN
42The Kerberos Key Distribution Center lacks strong keys for accountOperationalN
43The Key Distribution Center (KDC) encountered a ticket that it could not …OperationalN
44The Key Distribution Center (KDC) encountered a ticket that did not contain the …OperationalN
45The Key Distribution Center (KDC) encountered a client certificate that was …OperationalN
100AS exchange performance: AS-REQ processing beginsOperationalN
100AS exchange performance: AS-REQ processing beginsPerformanceN
101AS exchange performance: AS-REP or KRB-ERROR returned:OperationalN
101AS exchange performance: AS-REP or KRB-ERROR returned.PerformanceN
102TGS exchange performance: TGS-REQ processing beginsOperationalN
102TGS exchange performance: TGS-REQ processing beginsPerformanceN
103TGS exchange performance: TGS-REQ or KRB-ERROR returned:OperationalN
103TGS exchange performance: TGS-REQ or KRB-ERROR returned.PerformanceN
104Kerberos preauthentication by using DES or RC4 failed because the account was a …ProtectedUserFailures-DomainControllerN
104Kerberos preauthentication by using DES or RC4 failed because the account was a …OperationalN
105A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not …AuthenticationPolicyFailures-DomainControllerN
105A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not …OperationalN
106A Kerberos service ticket was denied because the user, device, or both does not …AuthenticationPolicyFailures-DomainControllerN
106A Kerberos service ticket was denied because the user, device, or both does not …OperationalN
120The Key Distribution Center (KDC) failed to validate its current KDC …OperationalY
200The Key Distribution Center (KDC) cannot find a suitable certificate to use.OperationalY
201The Key Distribution Center (KDC) detected Cipher usage that will be unsupported …OperationalN
201The Key Distribution Center (KDC) detected Cipher usage that will be unsupported …SystemN
202The Key Distribution Center (KDC) detected Cipher usage that will be unsupported …OperationalN
202The Key Distribution Center (KDC) detected Cipher usage that will be unsupported …SystemN
203The Key Distribution Center (KDC) blocked cipher usage because service …OperationalN
203The Key Distribution Center (KDC) blocked cipher usage because service …SystemN
204The Key Distribution Center (KDC) blocked cipher usage because the service …OperationalN
204The Key Distribution Center (KDC) blocked cipher usage because the service …SystemN
205The Key Distribution Center (KDC) detected explicit insecure cipher enablement …OperationalN
205The Key Distribution Center (KDC) detected explicit insecure cipher enablement …SystemN
206The Key Distribution Center (KDC) detected Cipher usage that will be unsupported …AuthenticationPolicyFailures-DomainControllerN
207The Key Distribution Center (KDC) detected Cipher usage that will be unsupported …OperationalN
208The Key Distribution Center (KDC) blocked cipher usage because service …OperationalN
209The Key Distribution Center (KDC) blocked cipher usage because the service …OperationalN
300The Key Distribution Center (KDC) is being started.OperationalY
301The Key Distribution Center (KDC) has stopped with error code: ErrorCode.OperationalN
302The Key Distribution Center (KDC) uses the below KDC certificate for smart card …OperationalY
303A Kerberos ticket-granting-ticket (TGT) was issued for a member of the Protected …ProtectedUserSuccesses-DomainControllerN
303A Kerberos ticket-granting-ticket (TGT) was issued for a member of the Protected …OperationalN
304A Kerberos service ticket was issued for a member of the Protected User group.ProtectedUserSuccesses-DomainControllerN
304A Kerberos service ticket was issued for a member of the Protected User groupOperationalN
305A Kerberos ticket-granting-ticket (TGT) was issued, but it will be denied when …AuthenticationPolicyFailures-DomainControllerN
305A Kerberos ticket-granting-ticket (TGT) was issued, but it will be denied when …OperationalN
306A Kerberos service ticket was issued, but it will be denied when Authentication …AuthenticationPolicyFailures-DomainControllerN
306A Kerberos service ticket was issued, but it will be denied when Authentication …OperationalN
307The Key Distribution Center (KDC) used the PKINIT protocol with encryption mode …OperationalN
308The Key Distribution Center (KDC) is unable to use the PKINIT protocol because …OperationalN
309The kerberos client used a hash algorithm for the PKINIT protocol that is being …OperationalN
310The kerberos client used a hash algorithm for the PKINIT protocol that is not …OperationalN
311The Kerberos client did not supply a supported encryption type for use with the …OperationalN
312The Key Distribution Center (KDC) has an invalid hash algorithm configuration …OperationalN
313The Key Distribution Center (KDC) encountered invalid certificate strong name …OperationalN
314An unauthorized Kerberos client attempted to fetch DMSA keys.OperationalN
315A Kerberos client attempted to fetch DMSA keys.OperationalN
400A Kerberos authentication ticket (TGT) was requested.OperationalN
401A Kerberos service ticket was requested.OperationalN
2147483651Could not find principal Principal.OperationalN
2147483652Domain Domain propagated to us but did not authenticate.OperationalN
2147483660A request failed from client realm ClientRealm for a ticket in realm Realm.OperationalN
2147483667This event indicates an attempt was made to use smartcard logon, but the KDC is …OperationalN
2147483668The currently selected KDC certificate was once valid, but now is invalid and no …OperationalN
2147483669The client certificate for the user Domain\Username is not valid, and resulted …OperationalN
2147483670The KDC encountered a trust loop when building a list of trusted domains.OperationalN
2147483671The KDC received invalid messages of type Type.OperationalN
2147483672A service ticket request by client Client for Server was rejected because …OperationalN
2147483673The account Name from domain Domain is attempting to use S4USelf for the target …OperationalN
2147483676When generating a cross realm referral from domain Domain the KDC was not able …OperationalN
2147483677The Key Distribution Center (KDC) cannot find a suitable certificate to use for …OperationalN
2147483678The Kerberos Key Distribution Center failed to locate the forest or domain …OperationalN
2147483679A ticket to the service Server is issued for account Account.OperationalN
2147483680The Key Distribution Center (KDC) uses a certificate without KDC Extended Key …OperationalN
2147483681The Key Distribution Center (KDC) encountered failures when updating the krbtgt …OperationalN
2147483682The Key Distribution Center (KDC) has the Dynamic Access Control and Kerberos …OperationalN
2147483683The Key Distribution Center (KDC) encountered a ticket-granting-ticket (TGT) …OperationalN
2147483684The Key Distribution Center (KDC) encountered a ticket that did not contain a …OperationalN
2147483685The Key Distribution Center (KDC) encountered a ticket that did not contain …OperationalN
2147483686The Key Distribution Center (KDC) encountered a ticket that contained …OperationalN
2147483687The Key Distribution Center (KDC) encountered a user certificate that was valid …OperationalN
2147483688The Key Distribution Center (KDC) encountered a user certificate that was valid …OperationalN
2147483689The Key Distribution Center (KDC) encountered a user certificate that was valid …OperationalN
2147483690The Kerberos Key Distribution Center lacks strong keys for account %1.OperationalN
2147483691The Key Distribution Center (KDC) encountered a ticket that it could not …OperationalN
2147483692The Key Distribution Center (KDC) encountered a ticket that did not contained …OperationalN
2147483693The Key Distribution Center (KDC) encountered a client certificate that was …OperationalN
3221225477The KDC failed to update policy class Class.OperationalN
3221225478The KDC failed to update the trusted domain list.OperationalN
3221225479The Security Account Manager failed a KDC request in an unexpected way.OperationalN
3221225480The account AccountName did not have a suitable key for generating a Kerberos …OperationalN
3221225482The attempt to change the password on the KRBTGT account failed.OperationalN
3221225483The KDC encountered duplicate names while processing a Kerberos authentication …OperationalN
3221225485The account for Name has corrupt keys stored in the DS.OperationalN
3221225486While processing an AS request for target service Target, the account Account …OperationalN
3221225487The request for an AS ticket for client Client was forwarded to the PDC.OperationalN
3221225488While processing a TGS request for the target server Target, the account Account …OperationalN
3221225489When updating policy class Class, the KDC encountered invalid policy data and …OperationalN
3221225490During TGS processing, the KDC was unable to verify the signature on the PAC …OperationalN
3221225498While processing an AS request for target service Target, the account Name did …OperationalN
3221225499While processing a TGS request for the target server Target, the account Name …OperationalN

Event ID 3: Could not find principal

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
Principal UnicodeString
__binLength UInt32
binary Binary

Event ID 4: Domain Domain propagated to us but did not authenticate

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
Domain UnicodeString
__binLength UInt32
binary Binary

Event ID 5: The KDC failed to update policy class

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
Class UnicodeString
__binLength UInt32
binary Binary

Event ID 6: The KDC failed to update the trusted domain list

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Event ID 7: The Security Account Manager failed a KDC request in an unexpected way

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
AccountName UnicodeString
LookupType UnicodeString
__binLength UInt32
binary Binary

Event ID 8: The account AccountName did not have a suitable key for generating a Kerberos ticket

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
AccountName UnicodeString
__binLength UInt32
binary Binary

Event ID 9: The password on the KRBTGT account was changed.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The password on the KRBTGT account was changed.

Message #

The password on the KRBTGT account was changed.

Event ID 10: The attempt to change the password on the KRBTGT account failed

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Event ID 11: The KDC encountered duplicate names while processing a Kerberos authentication request

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
Name UnicodeString
Type UnicodeString
__binLength UInt32
binary Binary

Event ID 12: A request failed from client realm ClientRealm for a ticket in realm

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
ClientRealm UnicodeString
Realm UnicodeString
__binLength UInt32
binary Binary

Event ID 13: The account for Name has corrupt keys stored in the DS

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
Name UnicodeString
__binLength UInt32
binary Binary

Event ID 14: While processing an AS request for target service Target, the account Account did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of ID)

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
Target UnicodeString
Account UnicodeString
ID UnicodeString
RequestedEtypes UnicodeString
AvailableEtypes UnicodeString
AccountToReset UnicodeString
__binLength UInt32
binary Binary

Event ID 15: The request for an AS ticket for client Client was forwarded to the PDC

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
Client UnicodeString
__binLength UInt32
binary Binary

Event ID 16: While processing a TGS request for the target server Target, the account Account did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of ID)

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
Target UnicodeString
Account UnicodeString
ID UnicodeString
RequestedEtypes UnicodeString
AvailableEtypes UnicodeString
AccountToReset UnicodeString
__binLength UInt32
binary Binary

Event ID 17: When updating policy class Class, the KDC encountered invalid policy data and has failed to update the policy

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
Class UnicodeString
__binLength UInt32
binary Binary

Event ID 18: During TGS processing, the KDC was unable to verify the signature on the PAC from

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
Name UnicodeString
__binLength UInt32
binary Binary

Event ID 19: This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Event ID 20: The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Event ID 21: The client certificate for the user Domain\Username is not valid, and resulted in a failed smartcard logon

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
Domain UnicodeString
Username UnicodeString
Status UnicodeStringNTSTATUS reference
__binLength UInt32
binary Binary

Event ID 22: The KDC encountered a trust loop when building a list of trusted domains

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
Domain UnicodeString
__binLength UInt32
binary Binary

Event ID 23: The KDC received invalid messages of type

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
Type UnicodeString
__binLength UInt32
binary Binary

Event ID 24: A service ticket request by client Client for Server was rejected because User2User was required

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
Client UnicodeString
Server UnicodeString
__binLength UInt32
binary Binary

Event ID 25: The account Name from domain Domain is attempting to use S4USelf for the target client Target, but is not allowed to perform group expansion on this client's user object

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
Name UnicodeString
Domain UnicodeString
Target UnicodeString
__binLength UInt32
binary Binary

Event ID 26: While processing an AS request for target service Target, the account Name did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of ID)

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
Target UnicodeString
Name UnicodeString
ID UnicodeString
RequestedEtypes UnicodeString
AvailableETypes UnicodeString
__binLength UInt32
binary Binary

Event ID 27: While processing a TGS request for the target server Target, the account Name did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of ID)

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
Target UnicodeString
Name UnicodeString
ID UnicodeString
RequestedEtypes UnicodeString
AvailableETypes UnicodeString
__binLength UInt32
binary Binary

Event ID 28: When generating a cross realm referral from domain Domain the KDC was not able to find the suitable key to verify the ticket

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
Domain UnicodeString
RequestedKeyVersion UnicodeString
AvailableKeyVersion UnicodeString
__binLength UInt32
binary Binary

Event ID 29: The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Event ID 30: The Kerberos Key Distribution Center failed to locate the forest or domain Forest to search

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
Forest UnicodeString
__binLength UInt32
binary Binary

Event ID 31: A ticket to the service Server is issued for account

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
Account UnicodeString
Server UnicodeString
EncryptedTicketSize UnicodeString
TicketSizeThreshold UnicodeString
__binLength UInt32
binary Binary

Event ID 32: The Key Distribution Center (KDC) uses a certificate without KDC Extended Key Usage (EKU) which can result in authentication failures for device certificate logon and smart card logon from non-doma...

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Event ID 33: The Key Distribution Center (KDC) encountered failures when updating the krbtgt account for the Dynamic Access Control and Kerberos armoring policy capability for the domain

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Event ID 34: The Key Distribution Center (KDC) has the Dynamic Access Control and Kerberos armoring policy configured for a level which requires a higher domain functional level

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Event ID 35: The Key Distribution Center (KDC) encountered a ticket-granting-ticket (TGT) from another KDC (IssuingKDC) that did not contain a PAC attributes field

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
IssuingKDC UnicodeString
__binLength UInt32
binary Binary

Detection Patterns #

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

FieldKindValueRulesVendors
Provider_NameeqMicrosoft-Windows-Kerberos-Key-Distribution-Center1 rulesigma

Event ID 36: The Key Distribution Center (KDC) encountered a ticket that did not contain a PAC while processing a request for another ticket

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
ClientRealm UnicodeString
ClientName UnicodeString
ServerName UnicodeString
__binLength UInt32
binary Binary

Detection Patterns #

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

FieldKindValueRulesVendors
Provider_NameeqMicrosoft-Windows-Kerberos-Key-Distribution-Center1 rulesigma

Event ID 37: The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
IssuingKDC UnicodeString
ClientRealm UnicodeString
ClientName UnicodeString
ServerName UnicodeString
__binLength UInt32
binary Binary

Detection Patterns #

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

FieldKindValueRulesVendors
Provider_NameeqMicrosoft-Windows-Kerberos-Key-Distribution-Center1 rulesigma

Event ID 37: The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
System
Level
Warning

Fields #

NameDescription
IssuingKDC
ClientRealm
ClientName
ServerName
__binLength
binary

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kerberos-Key-Distribution-Center",
    "guid": "{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}",
    "event_source_name": "KDC",
    "event_id": 37,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T17:05:19.030305+00:00",
    "event_record_id": 10648,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IssuingKDC": "LAB-DC01",
    "ClientRealm": "LUDUS.DOMAIN",
    "ClientName": "domainadmin",
    "ServerName": "krbtgt",
    "Binary": ""
  },
  "message": ""
}

Detection Patterns #

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

FieldKindValueRulesVendors
Provider_NameeqMicrosoft-Windows-Kerberos-Key-Distribution-Center1 rulesigma

Event ID 38: The Key Distribution Center (KDC) encountered a ticket that contained inconsistent information about the account that requested the ticket

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
IssuingKDC UnicodeString
ClientRealm UnicodeString
ClientName UnicodeString
ServerName UnicodeString
ActiveDirectorySID UnicodeString
TicketSID UnicodeString
__binLength UInt32
binary Binary

Detection Patterns #

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

FieldKindValueRulesVendors
Provider_NameeqMicrosoft-Windows-Kerberos-Key-Distribution-Center1 rulesigma

Event ID 39: The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID)

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
AccountName UnicodeString
Subject UnicodeString
Issuer UnicodeString
SerialNumber UnicodeString
Thumbprint UnicodeString
IssuancePolicies UnicodeString
__binLength UInt32
binary Binary

Event ID 40: The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID)

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
AccountName UnicodeString
Subject UnicodeString
Issuer UnicodeString
SerialNumber UnicodeString
Thumbprint UnicodeString
IssuancePolicies UnicodeString
IssuanceTime UnicodeString
AccountCreationTime UnicodeString
__binLength UInt32
binary Binary

Event ID 41: The Key Distribution Center (KDC) encountered a user certificate that was valid but contained a different SID than the user to which it mapped

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
AccountName UnicodeString
AccountSid UnicodeString
Subject UnicodeString
Issuer UnicodeString
SerialNumber UnicodeString
Thumbprint UnicodeString
IssuancePolicies UnicodeString
CertificateSid UnicodeString
__binLength UInt32
binary Binary

Event ID 42: The Kerberos Key Distribution Center lacks strong keys for account

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
AccountName UnicodeString
__binLength UInt32
binary Binary

Event ID 43: The Key Distribution Center (KDC) encountered a ticket that it could not validate the full PAC Signature

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
ClientRealm UnicodeString
ClientName UnicodeString
__binLength UInt32
binary Binary

Event ID 44: The Key Distribution Center (KDC) encountered a ticket that did not contain the full PAC Signature

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
ClientRealm UnicodeString
ClientName UnicodeString
__binLength UInt32
binary Binary

Event ID 45: The Key Distribution Center (KDC) encountered a client certificate that was valid but did not chain to a root in the NTAuth store

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
AccountName UnicodeString
Subject UnicodeString
Issuer UnicodeString
SerialNumber UnicodeString
Thumbprint UnicodeString
__binLength UInt32
binary Binary

Event ID 100: AS exchange performance: AS-REQ processing begins

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational
Task
KDCPerformance
Opcode
Start

Description

AS exchange performance: AS-REQ processing begins.

Event ID 100: AS exchange performance: AS-REQ processing begins

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Performance
Task
KDCPerformance
Opcode
Start

Description

AS exchange performance: AS-REQ processing begins.

Message #

AS exchange performance: AS-REQ processing begins

Event ID 101: AS exchange performance: AS-REP or KRB-ERROR returned:

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational
Task
KDCPerformance
Opcode
Stop

Description

AS exchange performance: AS-REP or KRB-ERROR returned.

Fields #

NameDescription
ClientDomain UnicodeString
ClientName UnicodeString
ServerDomain UnicodeString
ServerName UnicodeString
ErrorCode UInt32
Known values
0
KDC_ERR_NONE - no error
1
KDC_ERR_NAME_EXP - client entry in KDC database has expired
2
KDC_ERR_SERVICE_EXP - server entry in KDC database has expired
3
KDC_ERR_BAD_PVNO - requested Kerberos version number not supported
4
KDC_ERR_C_OLD_MAST_KVNO - client key encrypted in old master key
5
KDC_ERR_S_OLD_MAST_KVNO - server key encrypted in old master key
6
KDC_ERR_C_PRINCIPAL_UNKNOWN - client not found in Kerberos database
7
KDC_ERR_S_PRINCIPAL_UNKNOWN - server not found in Kerberos database
8
KDC_ERR_PRINCIPAL_NOT_UNIQUE - multiple principal entries in KDC database
9
KDC_ERR_NULL_KEY - the client or server has a null key (master key)
10
KDC_ERR_CANNOT_POSTDATE - ticket not eligible for postdating
11
KDC_ERR_NEVER_VALID - requested starttime is later than end time
12
KDC_ERR_POLICY - KDC policy rejects request
13
KDC_ERR_BADOPTION - KDC cannot accommodate requested option
14
KDC_ERR_ETYPE_NOTSUPP - KDC has no support for encryption type
15
KDC_ERR_SUMTYPE_NOSUPP - KDC has no support for checksum type
16
KDC_ERR_PADATA_TYPE_NOSUPP - KDC has no support for PADATA type (pre-authentication data)
17
KDC_ERR_TRTYPE_NO_SUPP - KDC has no support for transited type
18
KDC_ERR_CLIENT_REVOKED - client credentials have been revoked
19
KDC_ERR_SERVICE_REVOKED - credentials for server have been revoked
20
KDC_ERR_TGT_REVOKED - TGT has been revoked
21
KDC_ERR_CLIENT_NOTYET - client not yet valid; try again later
22
KDC_ERR_SERVICE_NOTYET - server not yet valid; try again later
23
KDC_ERR_KEY_EXPIRED - password has expired; change password to reset
24
KDC_ERR_PREAUTH_FAILED - pre-authentication information was invalid
25
KDC_ERR_PREAUTH_REQUIRED - additional pre-authentication required
26
KDC_ERR_SERVER_NOMATCH - KDC does not know about the requested server
27
KDC_ERR_MUST_USE_USER2USER - server principal valid for user-to-user only (RFC 4120 §7.5.9; MS Learn event-4771 uses this label at decimal 27 / 0x1b)
28
KDC_ERR_PATH_NOT_ACCEPTED - KDC policy rejects transited path (RFC 4120 §7.5.9)
29
KDC_ERR_SVC_UNAVAILABLE - a service is not available (RFC 4120 §7.5.9; previously catalog assigned this label to code 27)
31
KRB_AP_ERR_BAD_INTEGRITY - integrity check on decrypted field failed
32
KRB_AP_ERR_TKT_EXPIRED - the ticket has expired
33
KRB_AP_ERR_TKT_NYV - the ticket is not yet valid
34
KRB_AP_ERR_REPEAT - the request is a replay
35
KRB_AP_ERR_NOT_US - the ticket is not for us
36
KRB_AP_ERR_BADMATCH - the ticket and authenticator do not match
37
KRB_AP_ERR_SKEW - the clock skew is too great
38
KRB_AP_ERR_BADADDR - incorrect net address (RFC 4120 §7.5.9)
39
KRB_AP_ERR_BADVERSION - protocol version mismatch (RFC 4120 §7.5.9)
40
KRB_AP_ERR_MSG_TYPE - invalid message type (RFC 4120 §7.5.9)
41
KRB_AP_ERR_MODIFIED - message stream modified and checksum did not match
42
KRB_AP_ERR_BADORDER - message out of order (RFC 4120 §7.5.9)
44
KRB_AP_ERR_BADKEYVER - specified version of key is not available
45
KRB_AP_ERR_NOKEY - service key not available
46
KRB_AP_ERR_MUT_FAIL - mutual authentication failed
47
KRB_AP_ERR_BADDIRECTION - incorrect message direction (RFC 4120 §7.5.9)
48
KRB_AP_ERR_METHOD - alternative authentication method required (RFC 4120 §7.5.9)
49
KRB_AP_ERR_BADSEQ - incorrect sequence number in message (RFC 4120 §7.5.9)
50
KRB_AP_ERR_INAPP_CKSUM - inappropriate type of checksum in message (RFC 4120 §7.5.9)
51
KRB_AP_PATH_NOT_ACCEPTED - policy rejects transited path (RFC 4120 §7.5.9)
52
KRB_ERR_RESPONSE_TOO_BIG - response too big for UDP; retry with TCP (RFC 4120 §7.5.9)
60
KRB_ERR_GENERIC - generic error (see e-data)
61
KRB_ERR_FIELD_TOOLONG - field is too long for this implementation
62
KDC_ERR_CLIENT_NOT_TRUSTED - reserved for PKINIT
63
KDC_ERR_KDC_NOT_TRUSTED - reserved for PKINIT
64
KDC_ERR_INVALID_SIG - reserved for PKINIT
65
KDC_ERR_KEY_TOO_WEAK - reserved for PKINIT (Microsoft label per MS Learn event-4768/4771; RFC 4556 §6 names this KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED)
66
KDC_ERR_CERTIFICATE_MISMATCH - reserved for PKINIT (RFC 4556 §6)
67
KRB_AP_ERR_NO_TGT - no TGT supplied for user-to-user authentication (RFC 4120 §7.5.9)
68
KDC_ERR_WRONG_REALM - incorrect domain or principal
69
KRB_AP_ERR_USER_TO_USER_REQUIRED - server requires user-to-user authentication (RFC 4120 §7.5.9)
TimeSpent UInt32

References #

Event ID 101: AS exchange performance: AS-REP or KRB-ERROR returned.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Performance
Task
KDCPerformance
Opcode
Stop

Description

AS exchange performance: AS-REP or KRB-ERROR returned.

Message #

AS exchange performance: AS-REP or KRB-ERROR returned:

    client domain: %1
    client name: %2
    server domain: %3
    server name: %4
    ErrorCode: %5
    elapse: %6 milliseconds

Fields #

NameDescription
ClientDomain UnicodeString
ClientName UnicodeString
ServerDomain UnicodeString
ServerName UnicodeString
ErrorCode UInt32
Known values
0
KDC_ERR_NONE - no error
1
KDC_ERR_NAME_EXP - client entry in KDC database has expired
2
KDC_ERR_SERVICE_EXP - server entry in KDC database has expired
3
KDC_ERR_BAD_PVNO - requested Kerberos version number not supported
4
KDC_ERR_C_OLD_MAST_KVNO - client key encrypted in old master key
5
KDC_ERR_S_OLD_MAST_KVNO - server key encrypted in old master key
6
KDC_ERR_C_PRINCIPAL_UNKNOWN - client not found in Kerberos database
7
KDC_ERR_S_PRINCIPAL_UNKNOWN - server not found in Kerberos database
8
KDC_ERR_PRINCIPAL_NOT_UNIQUE - multiple principal entries in KDC database
9
KDC_ERR_NULL_KEY - the client or server has a null key (master key)
10
KDC_ERR_CANNOT_POSTDATE - ticket not eligible for postdating
11
KDC_ERR_NEVER_VALID - requested starttime is later than end time
12
KDC_ERR_POLICY - KDC policy rejects request
13
KDC_ERR_BADOPTION - KDC cannot accommodate requested option
14
KDC_ERR_ETYPE_NOTSUPP - KDC has no support for encryption type
15
KDC_ERR_SUMTYPE_NOSUPP - KDC has no support for checksum type
16
KDC_ERR_PADATA_TYPE_NOSUPP - KDC has no support for PADATA type (pre-authentication data)
17
KDC_ERR_TRTYPE_NO_SUPP - KDC has no support for transited type
18
KDC_ERR_CLIENT_REVOKED - client credentials have been revoked
19
KDC_ERR_SERVICE_REVOKED - credentials for server have been revoked
20
KDC_ERR_TGT_REVOKED - TGT has been revoked
21
KDC_ERR_CLIENT_NOTYET - client not yet valid; try again later
22
KDC_ERR_SERVICE_NOTYET - server not yet valid; try again later
23
KDC_ERR_KEY_EXPIRED - password has expired; change password to reset
24
KDC_ERR_PREAUTH_FAILED - pre-authentication information was invalid
25
KDC_ERR_PREAUTH_REQUIRED - additional pre-authentication required
26
KDC_ERR_SERVER_NOMATCH - KDC does not know about the requested server
27
KDC_ERR_MUST_USE_USER2USER - server principal valid for user-to-user only (RFC 4120 §7.5.9; MS Learn event-4771 uses this label at decimal 27 / 0x1b)
28
KDC_ERR_PATH_NOT_ACCEPTED - KDC policy rejects transited path (RFC 4120 §7.5.9)
29
KDC_ERR_SVC_UNAVAILABLE - a service is not available (RFC 4120 §7.5.9; previously catalog assigned this label to code 27)
31
KRB_AP_ERR_BAD_INTEGRITY - integrity check on decrypted field failed
32
KRB_AP_ERR_TKT_EXPIRED - the ticket has expired
33
KRB_AP_ERR_TKT_NYV - the ticket is not yet valid
34
KRB_AP_ERR_REPEAT - the request is a replay
35
KRB_AP_ERR_NOT_US - the ticket is not for us
36
KRB_AP_ERR_BADMATCH - the ticket and authenticator do not match
37
KRB_AP_ERR_SKEW - the clock skew is too great
38
KRB_AP_ERR_BADADDR - incorrect net address (RFC 4120 §7.5.9)
39
KRB_AP_ERR_BADVERSION - protocol version mismatch (RFC 4120 §7.5.9)
40
KRB_AP_ERR_MSG_TYPE - invalid message type (RFC 4120 §7.5.9)
41
KRB_AP_ERR_MODIFIED - message stream modified and checksum did not match
42
KRB_AP_ERR_BADORDER - message out of order (RFC 4120 §7.5.9)
44
KRB_AP_ERR_BADKEYVER - specified version of key is not available
45
KRB_AP_ERR_NOKEY - service key not available
46
KRB_AP_ERR_MUT_FAIL - mutual authentication failed
47
KRB_AP_ERR_BADDIRECTION - incorrect message direction (RFC 4120 §7.5.9)
48
KRB_AP_ERR_METHOD - alternative authentication method required (RFC 4120 §7.5.9)
49
KRB_AP_ERR_BADSEQ - incorrect sequence number in message (RFC 4120 §7.5.9)
50
KRB_AP_ERR_INAPP_CKSUM - inappropriate type of checksum in message (RFC 4120 §7.5.9)
51
KRB_AP_PATH_NOT_ACCEPTED - policy rejects transited path (RFC 4120 §7.5.9)
52
KRB_ERR_RESPONSE_TOO_BIG - response too big for UDP; retry with TCP (RFC 4120 §7.5.9)
60
KRB_ERR_GENERIC - generic error (see e-data)
61
KRB_ERR_FIELD_TOOLONG - field is too long for this implementation
62
KDC_ERR_CLIENT_NOT_TRUSTED - reserved for PKINIT
63
KDC_ERR_KDC_NOT_TRUSTED - reserved for PKINIT
64
KDC_ERR_INVALID_SIG - reserved for PKINIT
65
KDC_ERR_KEY_TOO_WEAK - reserved for PKINIT (Microsoft label per MS Learn event-4768/4771; RFC 4556 §6 names this KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED)
66
KDC_ERR_CERTIFICATE_MISMATCH - reserved for PKINIT (RFC 4556 §6)
67
KRB_AP_ERR_NO_TGT - no TGT supplied for user-to-user authentication (RFC 4120 §7.5.9)
68
KDC_ERR_WRONG_REALM - incorrect domain or principal
69
KRB_AP_ERR_USER_TO_USER_REQUIRED - server requires user-to-user authentication (RFC 4120 §7.5.9)
TimeSpent UInt32

Event ID 102: TGS exchange performance: TGS-REQ processing begins

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational
Task
KDCPerformance
Opcode
Start

Description

TGS exchange performance: TGS-REQ processing begins.

Event ID 102: TGS exchange performance: TGS-REQ processing begins

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Performance
Task
KDCPerformance
Opcode
Start

Description

TGS exchange performance: TGS-REQ processing begins.

Message #

TGS exchange performance: TGS-REQ processing begins

Event ID 103: TGS exchange performance: TGS-REQ or KRB-ERROR returned:

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational
Task
KDCPerformance
Opcode
Stop

Description

TGS exchange performance: TGS-REQ or KRB-ERROR returned.

Fields #

NameDescription
ClientDomain UnicodeString
ClientName UnicodeString
ServerDomain UnicodeString
ServerName UnicodeString
ErrorCode UInt32
Known values
0
KDC_ERR_NONE - no error
1
KDC_ERR_NAME_EXP - client entry in KDC database has expired
2
KDC_ERR_SERVICE_EXP - server entry in KDC database has expired
3
KDC_ERR_BAD_PVNO - requested Kerberos version number not supported
4
KDC_ERR_C_OLD_MAST_KVNO - client key encrypted in old master key
5
KDC_ERR_S_OLD_MAST_KVNO - server key encrypted in old master key
6
KDC_ERR_C_PRINCIPAL_UNKNOWN - client not found in Kerberos database
7
KDC_ERR_S_PRINCIPAL_UNKNOWN - server not found in Kerberos database
8
KDC_ERR_PRINCIPAL_NOT_UNIQUE - multiple principal entries in KDC database
9
KDC_ERR_NULL_KEY - the client or server has a null key (master key)
10
KDC_ERR_CANNOT_POSTDATE - ticket not eligible for postdating
11
KDC_ERR_NEVER_VALID - requested starttime is later than end time
12
KDC_ERR_POLICY - KDC policy rejects request
13
KDC_ERR_BADOPTION - KDC cannot accommodate requested option
14
KDC_ERR_ETYPE_NOTSUPP - KDC has no support for encryption type
15
KDC_ERR_SUMTYPE_NOSUPP - KDC has no support for checksum type
16
KDC_ERR_PADATA_TYPE_NOSUPP - KDC has no support for PADATA type (pre-authentication data)
17
KDC_ERR_TRTYPE_NO_SUPP - KDC has no support for transited type
18
KDC_ERR_CLIENT_REVOKED - client credentials have been revoked
19
KDC_ERR_SERVICE_REVOKED - credentials for server have been revoked
20
KDC_ERR_TGT_REVOKED - TGT has been revoked
21
KDC_ERR_CLIENT_NOTYET - client not yet valid; try again later
22
KDC_ERR_SERVICE_NOTYET - server not yet valid; try again later
23
KDC_ERR_KEY_EXPIRED - password has expired; change password to reset
24
KDC_ERR_PREAUTH_FAILED - pre-authentication information was invalid
25
KDC_ERR_PREAUTH_REQUIRED - additional pre-authentication required
26
KDC_ERR_SERVER_NOMATCH - KDC does not know about the requested server
27
KDC_ERR_MUST_USE_USER2USER - server principal valid for user-to-user only (RFC 4120 §7.5.9; MS Learn event-4771 uses this label at decimal 27 / 0x1b)
28
KDC_ERR_PATH_NOT_ACCEPTED - KDC policy rejects transited path (RFC 4120 §7.5.9)
29
KDC_ERR_SVC_UNAVAILABLE - a service is not available (RFC 4120 §7.5.9; previously catalog assigned this label to code 27)
31
KRB_AP_ERR_BAD_INTEGRITY - integrity check on decrypted field failed
32
KRB_AP_ERR_TKT_EXPIRED - the ticket has expired
33
KRB_AP_ERR_TKT_NYV - the ticket is not yet valid
34
KRB_AP_ERR_REPEAT - the request is a replay
35
KRB_AP_ERR_NOT_US - the ticket is not for us
36
KRB_AP_ERR_BADMATCH - the ticket and authenticator do not match
37
KRB_AP_ERR_SKEW - the clock skew is too great
38
KRB_AP_ERR_BADADDR - incorrect net address (RFC 4120 §7.5.9)
39
KRB_AP_ERR_BADVERSION - protocol version mismatch (RFC 4120 §7.5.9)
40
KRB_AP_ERR_MSG_TYPE - invalid message type (RFC 4120 §7.5.9)
41
KRB_AP_ERR_MODIFIED - message stream modified and checksum did not match
42
KRB_AP_ERR_BADORDER - message out of order (RFC 4120 §7.5.9)
44
KRB_AP_ERR_BADKEYVER - specified version of key is not available
45
KRB_AP_ERR_NOKEY - service key not available
46
KRB_AP_ERR_MUT_FAIL - mutual authentication failed
47
KRB_AP_ERR_BADDIRECTION - incorrect message direction (RFC 4120 §7.5.9)
48
KRB_AP_ERR_METHOD - alternative authentication method required (RFC 4120 §7.5.9)
49
KRB_AP_ERR_BADSEQ - incorrect sequence number in message (RFC 4120 §7.5.9)
50
KRB_AP_ERR_INAPP_CKSUM - inappropriate type of checksum in message (RFC 4120 §7.5.9)
51
KRB_AP_PATH_NOT_ACCEPTED - policy rejects transited path (RFC 4120 §7.5.9)
52
KRB_ERR_RESPONSE_TOO_BIG - response too big for UDP; retry with TCP (RFC 4120 §7.5.9)
60
KRB_ERR_GENERIC - generic error (see e-data)
61
KRB_ERR_FIELD_TOOLONG - field is too long for this implementation
62
KDC_ERR_CLIENT_NOT_TRUSTED - reserved for PKINIT
63
KDC_ERR_KDC_NOT_TRUSTED - reserved for PKINIT
64
KDC_ERR_INVALID_SIG - reserved for PKINIT
65
KDC_ERR_KEY_TOO_WEAK - reserved for PKINIT (Microsoft label per MS Learn event-4768/4771; RFC 4556 §6 names this KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED)
66
KDC_ERR_CERTIFICATE_MISMATCH - reserved for PKINIT (RFC 4556 §6)
67
KRB_AP_ERR_NO_TGT - no TGT supplied for user-to-user authentication (RFC 4120 §7.5.9)
68
KDC_ERR_WRONG_REALM - incorrect domain or principal
69
KRB_AP_ERR_USER_TO_USER_REQUIRED - server requires user-to-user authentication (RFC 4120 §7.5.9)
TimeSpent UInt32

References #

Event ID 103: TGS exchange performance: TGS-REQ or KRB-ERROR returned.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Performance
Task
KDCPerformance
Opcode
Stop

Description

TGS exchange performance: TGS-REQ or KRB-ERROR returned.

Message #

TGS exchange performance: TGS-REQ or KRB-ERROR returned:

    client domain: %1
    client name: %2
    server domain: %3
    server name: %4
    ErrorCode: %5
    elapse: %6 milliseconds

Fields #

NameDescription
ClientDomain UnicodeString
ClientName UnicodeString
ServerDomain UnicodeString
ServerName UnicodeString
ErrorCode UInt32
Known values
0
KDC_ERR_NONE - no error
1
KDC_ERR_NAME_EXP - client entry in KDC database has expired
2
KDC_ERR_SERVICE_EXP - server entry in KDC database has expired
3
KDC_ERR_BAD_PVNO - requested Kerberos version number not supported
4
KDC_ERR_C_OLD_MAST_KVNO - client key encrypted in old master key
5
KDC_ERR_S_OLD_MAST_KVNO - server key encrypted in old master key
6
KDC_ERR_C_PRINCIPAL_UNKNOWN - client not found in Kerberos database
7
KDC_ERR_S_PRINCIPAL_UNKNOWN - server not found in Kerberos database
8
KDC_ERR_PRINCIPAL_NOT_UNIQUE - multiple principal entries in KDC database
9
KDC_ERR_NULL_KEY - the client or server has a null key (master key)
10
KDC_ERR_CANNOT_POSTDATE - ticket not eligible for postdating
11
KDC_ERR_NEVER_VALID - requested starttime is later than end time
12
KDC_ERR_POLICY - KDC policy rejects request
13
KDC_ERR_BADOPTION - KDC cannot accommodate requested option
14
KDC_ERR_ETYPE_NOTSUPP - KDC has no support for encryption type
15
KDC_ERR_SUMTYPE_NOSUPP - KDC has no support for checksum type
16
KDC_ERR_PADATA_TYPE_NOSUPP - KDC has no support for PADATA type (pre-authentication data)
17
KDC_ERR_TRTYPE_NO_SUPP - KDC has no support for transited type
18
KDC_ERR_CLIENT_REVOKED - client credentials have been revoked
19
KDC_ERR_SERVICE_REVOKED - credentials for server have been revoked
20
KDC_ERR_TGT_REVOKED - TGT has been revoked
21
KDC_ERR_CLIENT_NOTYET - client not yet valid; try again later
22
KDC_ERR_SERVICE_NOTYET - server not yet valid; try again later
23
KDC_ERR_KEY_EXPIRED - password has expired; change password to reset
24
KDC_ERR_PREAUTH_FAILED - pre-authentication information was invalid
25
KDC_ERR_PREAUTH_REQUIRED - additional pre-authentication required
26
KDC_ERR_SERVER_NOMATCH - KDC does not know about the requested server
27
KDC_ERR_MUST_USE_USER2USER - server principal valid for user-to-user only (RFC 4120 §7.5.9; MS Learn event-4771 uses this label at decimal 27 / 0x1b)
28
KDC_ERR_PATH_NOT_ACCEPTED - KDC policy rejects transited path (RFC 4120 §7.5.9)
29
KDC_ERR_SVC_UNAVAILABLE - a service is not available (RFC 4120 §7.5.9; previously catalog assigned this label to code 27)
31
KRB_AP_ERR_BAD_INTEGRITY - integrity check on decrypted field failed
32
KRB_AP_ERR_TKT_EXPIRED - the ticket has expired
33
KRB_AP_ERR_TKT_NYV - the ticket is not yet valid
34
KRB_AP_ERR_REPEAT - the request is a replay
35
KRB_AP_ERR_NOT_US - the ticket is not for us
36
KRB_AP_ERR_BADMATCH - the ticket and authenticator do not match
37
KRB_AP_ERR_SKEW - the clock skew is too great
38
KRB_AP_ERR_BADADDR - incorrect net address (RFC 4120 §7.5.9)
39
KRB_AP_ERR_BADVERSION - protocol version mismatch (RFC 4120 §7.5.9)
40
KRB_AP_ERR_MSG_TYPE - invalid message type (RFC 4120 §7.5.9)
41
KRB_AP_ERR_MODIFIED - message stream modified and checksum did not match
42
KRB_AP_ERR_BADORDER - message out of order (RFC 4120 §7.5.9)
44
KRB_AP_ERR_BADKEYVER - specified version of key is not available
45
KRB_AP_ERR_NOKEY - service key not available
46
KRB_AP_ERR_MUT_FAIL - mutual authentication failed
47
KRB_AP_ERR_BADDIRECTION - incorrect message direction (RFC 4120 §7.5.9)
48
KRB_AP_ERR_METHOD - alternative authentication method required (RFC 4120 §7.5.9)
49
KRB_AP_ERR_BADSEQ - incorrect sequence number in message (RFC 4120 §7.5.9)
50
KRB_AP_ERR_INAPP_CKSUM - inappropriate type of checksum in message (RFC 4120 §7.5.9)
51
KRB_AP_PATH_NOT_ACCEPTED - policy rejects transited path (RFC 4120 §7.5.9)
52
KRB_ERR_RESPONSE_TOO_BIG - response too big for UDP; retry with TCP (RFC 4120 §7.5.9)
60
KRB_ERR_GENERIC - generic error (see e-data)
61
KRB_ERR_FIELD_TOOLONG - field is too long for this implementation
62
KDC_ERR_CLIENT_NOT_TRUSTED - reserved for PKINIT
63
KDC_ERR_KDC_NOT_TRUSTED - reserved for PKINIT
64
KDC_ERR_INVALID_SIG - reserved for PKINIT
65
KDC_ERR_KEY_TOO_WEAK - reserved for PKINIT (Microsoft label per MS Learn event-4768/4771; RFC 4556 §6 names this KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED)
66
KDC_ERR_CERTIFICATE_MISMATCH - reserved for PKINIT (RFC 4556 §6)
67
KRB_AP_ERR_NO_TGT - no TGT supplied for user-to-user authentication (RFC 4120 §7.5.9)
68
KDC_ERR_WRONG_REALM - incorrect domain or principal
69
KRB_AP_ERR_USER_TO_USER_REQUIRED - server requires user-to-user authentication (RFC 4120 §7.5.9)
TimeSpent UInt32

Event ID 104: Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
ProtectedUserFailures-DomainController

Description

Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.

Message #

Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.

Account Information:
	Security ID: %2
	Account Name: %1

Service Information:
	Service Name: %3

Network Information:
	Client Address: %7
	Client Port: %8

Additional Information:
	Ticket Options: %4
	Failure Code: %5
	Pre-Authentication Type: %6

Certificate Information:
	Certificate Issuer Name: %9
	Certificate Serial Number: %10
	Certificate Thumbprint: %11

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

Fields #

NameDescription
TargetUserName UnicodeStringAccount name of the target.
TargetSid SID
ServiceName UnicodeString
TicketOptions HexInt32
Bitmask flags
0x40000000
Forwardable
0x20000000
Forwarded
0x10000000
Proxiable
0x08000000
Proxy
0x04000000
Allow-postdate
0x02000000
Postdated
0x01000000
Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired)
0x00800000
Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time)
0x00400000
Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange)
0x00200000
Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket)
0x00100000
Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested)
0x00010000
Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15)
0x00000010
Renewable-ok
0x00000008
Enc-tkt-in-skey
0x00000002
Renew
0x00000001
Validate
Status HexInt32NTSTATUS reference
PreAuthType UnicodeString
Known values
0
PA-NONE
2
PA-ENC-TIMESTAMP
11
PA-ETYPE-INFO
14
PA-PK-AS-REQ-OLD
15
PA-PK-AS-REQ
16
PA-PK-AS-REP
17
PA-ETYPE-INFO2
19
PA-ETYPE-INFO2
20
PA-SVR-REFERRAL-INFO
128
PA-SUPPORTED-ENCTYPES
129
PA-PAC-OPTIONS
165
PA-SPAKE
IpAddress UnicodeString
IpPort UnicodeString
CertIssuerName UnicodeString
CertSerialNumber UnicodeString
CertThumbprint UnicodeString

Event ID 104: Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.

Fields #

NameDescription
TargetUserName UnicodeStringAccount name of the target.
TargetSid SID
ServiceName UnicodeString
TicketOptions HexInt32
Bitmask flags
0x40000000
Forwardable
0x20000000
Forwarded
0x10000000
Proxiable
0x08000000
Proxy
0x04000000
Allow-postdate
0x02000000
Postdated
0x01000000
Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired)
0x00800000
Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time)
0x00400000
Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange)
0x00200000
Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket)
0x00100000
Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested)
0x00010000
Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15)
0x00000010
Renewable-ok
0x00000008
Enc-tkt-in-skey
0x00000002
Renew
0x00000001
Validate
Status HexInt32NTSTATUS reference
PreAuthType UnicodeString
Known values
0
PA-NONE
2
PA-ENC-TIMESTAMP
11
PA-ETYPE-INFO
14
PA-PK-AS-REQ-OLD
15
PA-PK-AS-REQ
16
PA-PK-AS-REP
17
PA-ETYPE-INFO2
19
PA-ETYPE-INFO2
20
PA-SVR-REFERRAL-INFO
128
PA-SUPPORTED-ENCTYPES
129
PA-PAC-OPTIONS
165
PA-SPAKE
IpAddress UnicodeString
IpPort UnicodeString
CertIssuerName UnicodeString
CertSerialNumber UnicodeString
CertThumbprint UnicodeString

Event ID 105: A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
AuthenticationPolicyFailures-DomainController

Description

A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.

Message #

A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.

Account Information:
	Account Name: %1
	Supplied Realm Name: %2
	User ID: %3

Authentication Policy Information:
	Silo Name: %16
	Policy Name: %17
	TGT Lifetime: %18

Device Information:
	Device Name: %4

Service Information:
	Service Name: %5
	Service ID: %6

Network Information:
	Client Address: %11
	Client Port: %12

Additional Information:
	Ticket Options: %7
	Result Code: %8
	Ticket Encryption Type: %9
	Pre-Authentication Type: %10

Certificate Information:
	Certificate Issuer Name: %13
	Certificate Serial Number: %14
	Certificate Thumbprint: %15

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

Fields #

NameDescription
TargetUserName UnicodeStringAccount name of the target.
TargetDomainName UnicodeStringDomain or machine name of the target account.
TargetSid SID
DeviceName UnicodeString
ServiceName UnicodeString
ServiceSid SID
TicketOptions HexInt32
Bitmask flags
0x40000000
Forwardable
0x20000000
Forwarded
0x10000000
Proxiable
0x08000000
Proxy
0x04000000
Allow-postdate
0x02000000
Postdated
0x01000000
Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired)
0x00800000
Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time)
0x00400000
Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange)
0x00200000
Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket)
0x00100000
Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested)
0x00010000
Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15)
0x00000010
Renewable-ok
0x00000008
Enc-tkt-in-skey
0x00000002
Renew
0x00000001
Validate
Status HexInt32NTSTATUS reference
TicketEncryptionType HexInt32
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xffffffff
Unspecified
PreAuthType UnicodeString
Known values
0
PA-NONE
2
PA-ENC-TIMESTAMP
11
PA-ETYPE-INFO
14
PA-PK-AS-REQ-OLD
15
PA-PK-AS-REQ
16
PA-PK-AS-REP
17
PA-ETYPE-INFO2
19
PA-ETYPE-INFO2
20
PA-SVR-REFERRAL-INFO
128
PA-SUPPORTED-ENCTYPES
129
PA-PAC-OPTIONS
165
PA-SPAKE
IpAddress UnicodeString
IpPort UnicodeString
CertIssuerName UnicodeString
CertSerialNumber UnicodeString
CertThumbprint UnicodeString
SiloName UnicodeString
PolicyName UnicodeString
TGTLifetime UInt32

Event ID 105: A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.

Fields #

NameDescription
TargetUserName UnicodeStringAccount name of the target.
TargetDomainName UnicodeStringDomain or machine name of the target account.
TargetSid SID
DeviceName UnicodeString
ServiceName UnicodeString
ServiceSid SID
TicketOptions HexInt32
Bitmask flags
0x40000000
Forwardable
0x20000000
Forwarded
0x10000000
Proxiable
0x08000000
Proxy
0x04000000
Allow-postdate
0x02000000
Postdated
0x01000000
Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired)
0x00800000
Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time)
0x00400000
Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange)
0x00200000
Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket)
0x00100000
Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested)
0x00010000
Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15)
0x00000010
Renewable-ok
0x00000008
Enc-tkt-in-skey
0x00000002
Renew
0x00000001
Validate
Status HexInt32NTSTATUS reference
TicketEncryptionType HexInt32
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xffffffff
Unspecified
PreAuthType UnicodeString
Known values
0
PA-NONE
2
PA-ENC-TIMESTAMP
11
PA-ETYPE-INFO
14
PA-PK-AS-REQ-OLD
15
PA-PK-AS-REQ
16
PA-PK-AS-REP
17
PA-ETYPE-INFO2
19
PA-ETYPE-INFO2
20
PA-SVR-REFERRAL-INFO
128
PA-SUPPORTED-ENCTYPES
129
PA-PAC-OPTIONS
165
PA-SPAKE
IpAddress UnicodeString
IpPort UnicodeString
CertIssuerName UnicodeString
CertSerialNumber UnicodeString
CertThumbprint UnicodeString
SiloName UnicodeString
PolicyName UnicodeString
TGTLifetime UInt32

Event ID 106: A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
AuthenticationPolicyFailures-DomainController

Description

A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.

Message #

A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.

Account Information:
	Account Name: %1
	Account Domain: %2
	Logon GUID: %11

Authentication Policy Information:
	Silo Name: %13
	Policy Name: %14

Device Information:
	Device Name: %3

Service Information:
	Service Name: %4
	Service ID: %5

Network Information:
	Client Address: %8
	Client Port: %9

Additional Information:
	Ticket Options: %6
	Ticket Encryption Type: %7
	Failure Code: %10
	Transited Services: %12

This event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.

Fields #

NameDescription
TargetUserName UnicodeStringAccount name of the target.
TargetDomainName UnicodeStringDomain or machine name of the target account.
DeviceName UnicodeString
ServiceName UnicodeString
ServiceSid SID
TicketOptions HexInt32
Bitmask flags
0x40000000
Forwardable
0x20000000
Forwarded
0x10000000
Proxiable
0x08000000
Proxy
0x04000000
Allow-postdate
0x02000000
Postdated
0x01000000
Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired)
0x00800000
Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time)
0x00400000
Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange)
0x00200000
Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket)
0x00100000
Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested)
0x00010000
Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15)
0x00000010
Renewable-ok
0x00000008
Enc-tkt-in-skey
0x00000002
Renew
0x00000001
Validate
TicketEncryptionType HexInt32
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xffffffff
Unspecified
IpAddress UnicodeString
IpPort UnicodeString
Status HexInt32NTSTATUS reference
LogonGuid GUID
TransitedServices UnicodeString
SiloName UnicodeString
PolicyName UnicodeString

Event ID 106: A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.

Fields #

NameDescription
TargetUserName UnicodeStringAccount name of the target.
TargetDomainName UnicodeStringDomain or machine name of the target account.
DeviceName UnicodeString
ServiceName UnicodeString
ServiceSid SID
TicketOptions HexInt32
Bitmask flags
0x40000000
Forwardable
0x20000000
Forwarded
0x10000000
Proxiable
0x08000000
Proxy
0x04000000
Allow-postdate
0x02000000
Postdated
0x01000000
Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired)
0x00800000
Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time)
0x00400000
Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange)
0x00200000
Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket)
0x00100000
Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested)
0x00010000
Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15)
0x00000010
Renewable-ok
0x00000008
Enc-tkt-in-skey
0x00000002
Renew
0x00000001
Validate
TicketEncryptionType HexInt32
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xffffffff
Unspecified
IpAddress UnicodeString
IpPort UnicodeString
Status HexInt32NTSTATUS reference
LogonGuid GUID
TransitedServices UnicodeString
SiloName UnicodeString
PolicyName UnicodeString

Event ID 120: The Key Distribution Center (KDC) failed to validate its current KDC certificate.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational
Task
KDC

Description

The Key Distribution Center (KDC) failed to validate its current KDC certificate. This KDC might not be enabled for smart card or certificate authentication.

Message #

The Key Distribution Center (KDC) failed to validate its current KDC certificate. This KDC might not be enabled for smart card or certificate authentication.

Kdc Certificate Information:
  Issuer Name: %1
  Serial Number: %2
  Thumbprint: %3
  Template: %4
  Kerberos Error: %5
  Validation Error: %6

Fields #

NameDescription
Issuer UnicodeString
SerialNumber UnicodeString
Thumbprint UnicodeString
Template UnicodeString
KerbErr UInt32
ErrorCode UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kerberos-Key-Distribution-Center",
    "event_id": 120,
    "level": "Error",
    "task": "KDC",
    "opcode": "Info",
    "time_created": "2026-05-24T20:29:18.8212381+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational"
  },
  "event_data": {
    "SerialNumber": "4A00000026B37CA59821F6C9F7000000000026",
    "Issuer": "EvtGen-Root-CA",
    "Thumbprint": "83875CFCBB86E1C80DB97B6881A03763C0ABEFF9",
    "KerbErr": "74",
    "ErrorCode": "2148081683",
    "Template": "Kerberos Authentication"
  }
}

Event ID 200: The Key Distribution Center (KDC) cannot find a suitable certificate to use.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational
Level
Warning
Task
KDC

Description

The Key Distribution Center (KDC) cannot find a suitable certificate to use. This KDC is not enabled for smart card or certificate authentication.

Message #

The Key Distribution Center (KDC) cannot find a suitable certificate to use. This KDC is not enabled for smart card or certificate authentication.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kerberos-Key-Distribution-Center",
    "guid": "3FD9DA1A-5A54-46C5-9A26-9BD7C0685056",
    "event_source_name": "",
    "event_id": 200,
    "version": 0,
    "level": 3,
    "task": 1,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T20:16:26.074299+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 968,
      "thread_id": 7192
    },
    "channel": "Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 201: The Key Distribution Center (KDC) detected Cipher usage that will be unsupported in enforcement phase because service msds-SupportedEncryptionTypes is not defined and the client only supports insec...

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational
Task
KDCExtendedAudit

Description

The Key Distribution Center (KDC) detected usage that will be unsupported because service msds-SupportedEncryptionTypes is not defined and the client only supports insecure encryption types.

Fields #

NameDescription
AccountName UnicodeString
SuppliedRealm UnicodeString
AccountSET UnicodeString
AccountKeys UnicodeString
ServiceName UnicodeString
ServiceID SID
ServiceSET UnicodeString
ServiceKeys UnicodeString
DCSET UnicodeString
DDSET UnicodeString
DCKeys UnicodeString
IpAddress UnicodeString
Port UInt16
AdvertizedEtypes UnicodeString
Cipher UnicodeString

Event ID 201: The Key Distribution Center (KDC) detected Cipher usage that will be unsupported because service msds-SupportedEncryptionTypes is not defined and the ...

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
System
Task
KDCExtendedAudit

Description

The Key Distribution Center (KDC) detected Cipher usage that will be unsupported because service msds-SupportedEncryptionTypes is not defined and the client only supports insecure encryption types.

Message #

The Key Distribution Center (KDC) detected %15 usage that will be unsupported because service msds-SupportedEncryptionTypes is not defined and the client only supports insecure encryption types. 

Account Information
	Account Name: %1 
	Supplied Realm Name: %2 
	msds-SupportedEncryptionTypes: %3 
	Available Keys: %4 
  
Service Information: 
	Service Name: %5 
	Service ID: %6 
	msds-SupportedEncryptionTypes: %7 
	Available Keys: %8 

Domain Controller Information: 
	msds-SupportedEncryptionTypes: %9 
	DefaultDomainSupportedEncTypes: %10 
	Available Keys: %11 

Network Information: 
	Client Address: %12 
	Client Port: %13 
	Advertized Etypes: %14 

See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more.

Fields #

NameDescription
AccountName UnicodeString
SuppliedRealm UnicodeString
AccountSET UnicodeString
AccountKeys UnicodeString
ServiceName UnicodeString
ServiceID SID
ServiceSET UnicodeString
ServiceKeys UnicodeString
DCSET UnicodeString
DDSET UnicodeString
DCKeys UnicodeString
IpAddress UnicodeString
Port UInt16
AdvertizedEtypes UnicodeString
Cipher UnicodeString

Event ID 202: The Key Distribution Center (KDC) detected Cipher usage that will be unsupported in enforcement phase because the service msds-SupportedEncryptionTypes is not defined and the service account only h...

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational
Task
KDCExtendedAudit

Description

The Key Distribution Center (KDC) detected usage that will be unsupported because the service msds-SupportedEncryptionTypes is not defined and the service account only has insecure keys.

Fields #

NameDescription
AccountName UnicodeString
SuppliedRealm UnicodeString
AccountSET UnicodeString
AccountKeys UnicodeString
ServiceName UnicodeString
ServiceID SID
ServiceSET UnicodeString
ServiceKeys UnicodeString
DCSET UnicodeString
DDSET UnicodeString
DCKeys UnicodeString
IpAddress UnicodeString
Port UInt16
AdvertizedEtypes UnicodeString
Cipher UnicodeString

Event ID 202: The Key Distribution Center (KDC) detected Cipher usage that will be unsupported because the service msds-SupportedEncryptionTypes is not defined and ...

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
System
Task
KDCExtendedAudit

Description

The Key Distribution Center (KDC) detected Cipher usage that will be unsupported because the service msds-SupportedEncryptionTypes is not defined and the service account only has insecure keys.

Message #

The Key Distribution Center (KDC) detected %15 usage that will be unsupported because the service msds-SupportedEncryptionTypes is not defined and the service account only has insecure keys.   

Account Information  
	Account Name: %1 
	Supplied Realm Name: %2 
	msds-SupportedEncryptionTypes: %3 
	Available Keys: %4 

Service Information:  
	Service Name: %5 
	Service ID: %6 
	msds-SupportedEncryptionTypes: %7 
	Available Keys: %8 

Domain Controller Information:  
	msds-SupportedEncryptionTypes: %9 
	DefaultDomainSupportedEncTypes: %10 
	Available Keys: %11 

Network Information:  
	Client Address: %12 
	Client Port: %13 
	Advertized Etypes: %14 

See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more.

Fields #

NameDescription
AccountName UnicodeString
SuppliedRealm UnicodeString
AccountSET UnicodeString
AccountKeys UnicodeString
ServiceName UnicodeString
ServiceID SID
ServiceSET UnicodeString
ServiceKeys UnicodeString
DCSET UnicodeString
DDSET UnicodeString
DCKeys UnicodeString
IpAddress UnicodeString
Port UInt16
AdvertizedEtypes UnicodeString
Cipher UnicodeString

Event ID 203: The Key Distribution Center (KDC) blocked cipher usage because service msds-SupportedEncryptionTypes is not defined and the client only supports insecure encryption types

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational
Task
KDCExtendedAudit

Description

The Key Distribution Center (KDC) blocked cipher usage because service msds-SupportedEncryptionTypes is not defined and the client only supports insecure encryption types.

Fields #

NameDescription
AccountName UnicodeString
SuppliedRealm UnicodeString
AccountSET UnicodeString
AccountKeys UnicodeString
ServiceName UnicodeString
ServiceID SID
ServiceSET UnicodeString
ServiceKeys UnicodeString
DCSET UnicodeString
DDSET UnicodeString
DCKeys UnicodeString
IpAddress UnicodeString
Port UInt16
AdvertizedEtypes UnicodeString

Event ID 203: The Key Distribution Center (KDC) blocked cipher usage because service msds-SupportedEncryptionTypes is not defined and the client only supports in...

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
System
Task
KDCExtendedAudit

Description

The Key Distribution Center (KDC) blocked cipher usage because service msds-SupportedEncryptionTypes is not defined and the client only supports insecure encryption types.

Message #

The Key Distribution Center (KDC) blocked cipher usage because service msds-SupportedEncryptionTypes is not defined and the client only supports insecure encryption types. 

Account Information  
	Account Name: %1 
	Supplied Realm Name: %2 
	msds-SupportedEncryptionTypes: %3 
	Available Keys: %4 

Service Information:  
	Service Name: %5 
	Service ID: %6 
	msds-SupportedEncryptionTypes: %7 
	Available Keys: %8 

Domain Controller Information:  
	msds-SupportedEncryptionTypes: %9 
	DefaultDomainSupportedEncTypes: %10 
	Available Keys: %11 

Network Information:  
	Client Address: %12 
	Client Port: %13 
	Advertized Etypes: %14 

See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more.

Fields #

NameDescription
AccountName UnicodeString
SuppliedRealm UnicodeString
AccountSET UnicodeString
AccountKeys UnicodeString
ServiceName UnicodeString
ServiceID SID
ServiceSET UnicodeString
ServiceKeys UnicodeString
DCSET UnicodeString
DDSET UnicodeString
DCKeys UnicodeString
IpAddress UnicodeString
Port UInt16
AdvertizedEtypes UnicodeString

Event ID 204: The Key Distribution Center (KDC) blocked cipher usage because the service msds-SupportedEncryptionTypes is not defined and the service account only has insecure keys

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational
Task
KDCExtendedAudit

Description

The Key Distribution Center (KDC) blocked cipher usage because the service msds-SupportedEncryptionTypes is not defined and the service account only has insecure keys.

Fields #

NameDescription
AccountName UnicodeString
SuppliedRealm UnicodeString
AccountSET UnicodeString
AccountKeys UnicodeString
ServiceName UnicodeString
ServiceID SID
ServiceSET UnicodeString
ServiceKeys UnicodeString
DCSET UnicodeString
DDSET UnicodeString
DCKeys UnicodeString
IpAddress UnicodeString
Port UInt16
AdvertizedEtypes UnicodeString

Event ID 204: The Key Distribution Center (KDC) blocked cipher usage because the service msds-SupportedEncryptionTypes is not defined and the service account onl...

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
System
Task
KDCExtendedAudit

Description

The Key Distribution Center (KDC) blocked cipher usage because the service msds-SupportedEncryptionTypes is not defined and the service account only has insecure keys.

Message #

The Key Distribution Center (KDC) blocked cipher usage because the service msds-SupportedEncryptionTypes is not defined and the service account only has insecure keys.

Account Information
	Account Name: %1
	Supplied Realm Name: %2
	msds-SupportedEncryptionTypes: %3
	Available Keys: %4

Service Information:
	Service Name: %5
	Service ID: %6
	msds-SupportedEncryptionTypes: %7
	Available Keys: %8

Domain Controller Information:
	msds-SupportedEncryptionTypes: %9
	DefaultDomainSupportedEncTypes: %10
	Available Keys: %11

Network Information:
	Client Address: %12
	Client Port: %13
	Advertized Etypes: %14

See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more.

Fields #

NameDescription
AccountName UnicodeString
SuppliedRealm UnicodeString
AccountSET UnicodeString
AccountKeys UnicodeString
ServiceName UnicodeString
ServiceID SID
ServiceSET UnicodeString
ServiceKeys UnicodeString
DCSET UnicodeString
DDSET UnicodeString
DCKeys UnicodeString
IpAddress UnicodeString
Port UInt16
AdvertizedEtypes UnicodeString

Event ID 205: The Key Distribution Center (KDC) detected explicit insecure cipher enablement in the Default Domain Supported Encryption Types policy configuration

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational
Task
KDCExtendedAudit

Description

The Key Distribution Center (KDC) detected explicit insecure cipher enablement in the Default Domain Supported Encryption Types policy configuration.

Fields #

NameDescription
CipherName UnicodeString
DDSET UnicodeString

Event ID 205: The Key Distribution Center (KDC) detected explicit insecure cipher enablement in the Default Domain Supported Encryption Types policy configuration.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
System
Task
KDCExtendedAudit

Description

The Key Distribution Center (KDC) detected explicit insecure cipher enablement in the Default Domain Supported Encryption Types policy configuration.

Message #

The Key Distribution Center (KDC) detected explicit insecure cipher enablement in the Default Domain Supported Encryption Types policy configuration.

Cipher(s): %1
DefaultDomainSupportedEncTypes: %2

See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more.

Fields #

NameDescription
CipherName UnicodeString
DDSET UnicodeString

Event ID 206: The Key Distribution Center (KDC) detected Cipher usage that will be unsupported in enforcement phase because service msds-SupportedEncryptionTypes is configured to only support AES-SHA1 but the cl...

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
AuthenticationPolicyFailures-DomainController
Task
CATEGORY_EXTENDED_AUDIT

Description

The Key Distribution Center (KDC) detected Cipher usage that will be unsupported in enforcement phase because service msds-SupportedEncryptionTypes is configured to only support AES-SHA1 but the client does not advertize AES-SHA1.

Message #

The Key Distribution Center (KDC) detected %15 usage that will be unsupported in enforcement phase because service msds-SupportedEncryptionTypes is configured to only support AES-SHA1 but the client does not advertize AES-SHA1. ____Account Information___Account Name: %1 ___Supplied Realm Name: %2 ___msds-SupportedEncryptionTypes: %3 ___Available Keys: %4 __  __Service Information: ___Service Name: %5 ___Service ID: %6 ___msds-SupportedEncryptionTypes: %7 ___Available Keys: %8 ____Domain Controller Information: ___msds-SupportedEncryptionTypes: %9 ___DefaultDomainSupportedEncTypes: %10 ___Available Keys: %11 ____Network Information: ___Client Address: %12 ___Client Port: %13 ___Advertized Etypes: %14 ____See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more.

Fields #

NameDescription
AccountName UnicodeString
SuppliedRealm UnicodeString
AccountSET UnicodeString
AccountKeys UnicodeString
ServiceName UnicodeString
ServiceID SID
ServiceSET UnicodeString
ServiceKeys UnicodeString
DCSET UnicodeString
DDSET UnicodeString
DCKeys UnicodeString
IpAddress UnicodeString
Port UInt16
AdvertizedEtypes UnicodeString
Cipher UnicodeString

Event ID 207: The Key Distribution Center (KDC) detected Cipher usage that will be unsupported in enforcement phase because the service msds-SupportedEncryptionTypes is configured to only support AES-SHA1 but th...

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational
Task
CATEGORY_EXTENDED_AUDIT

Description

The Key Distribution Center (KDC) detected Cipher usage that will be unsupported in enforcement phase because the service msds-SupportedEncryptionTypes is configured to only support AES-SHA1 but the service account does not have AES-SHA1 keys.

Message #

The Key Distribution Center (KDC) detected %15 usage that will be unsupported in enforcement phase because the service msds-SupportedEncryptionTypes is configured to only support AES-SHA1 but the service account does not have AES-SHA1 keys.   ____Account Information  ___Account Name: %1 ___Supplied Realm Name: %2 ___msds-SupportedEncryptionTypes: %3 ___Available Keys: %4 ____Service Information:  ___Service Name: %5 ___Service ID: %6 ___msds-SupportedEncryptionTypes: %7 ___Available Keys: %8 ____Domain Controller Information:  ___msds-SupportedEncryptionTypes: %9 ___DefaultDomainSupportedEncTypes: %10 ___Available Keys: %11 ____Network Information:  ___Client Address: %12 ___Client Port: %13 ___Advertized Etypes: %14 ____See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more.

Fields #

NameDescription
AccountName UnicodeString
SuppliedRealm UnicodeString
AccountSET UnicodeString
AccountKeys UnicodeString
ServiceName UnicodeString
ServiceID SID
ServiceSET UnicodeString
ServiceKeys UnicodeString
DCSET UnicodeString
DDSET UnicodeString
DCKeys UnicodeString
IpAddress UnicodeString
Port UInt16
AdvertizedEtypes UnicodeString
Cipher UnicodeString

Event ID 208: The Key Distribution Center (KDC) blocked cipher usage because service msds-SupportedEncryptionTypes is configured to only support AES-SHA1 but the client does not advertize AES-SHA1

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational
Task
CATEGORY_EXTENDED_AUDIT

Description

The Key Distribution Center (KDC) blocked cipher usage because service msds-SupportedEncryptionTypes is configured to only support AES-SHA1 but the client does not advertize AES-SHA1.

Message #

The Key Distribution Center (KDC) blocked cipher usage because service msds-SupportedEncryptionTypes is configured to only support AES-SHA1 but the client does not advertize AES-SHA1. ____Account Information  ___Account Name: %1 ___Supplied Realm Name: %2 ___msds-SupportedEncryptionTypes: %3 ___Available Keys: %4 ____Service Information:  ___Service Name: %5 ___Service ID: %6 ___msds-SupportedEncryptionTypes: %7 ___Available Keys: %8 ____Domain Controller Information:  ___msds-SupportedEncryptionTypes: %9 ___DefaultDomainSupportedEncTypes: %10 ___Available Keys: %11 ____Network Information:  ___Client Address: %12 ___Client Port: %13 ___Advertized Etypes: %14 ____See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more.

Fields #

NameDescription
AccountName UnicodeString
SuppliedRealm UnicodeString
AccountSET UnicodeString
AccountKeys UnicodeString
ServiceName UnicodeString
ServiceID SID
ServiceSET UnicodeString
ServiceKeys UnicodeString
DCSET UnicodeString
DDSET UnicodeString
DCKeys UnicodeString
IpAddress UnicodeString
Port UInt16
AdvertizedEtypes UnicodeString

Event ID 209: The Key Distribution Center (KDC) blocked cipher usage because the service msds-SupportedEncryptionTypes is configured to only support AES-SHA1 but the service account does not have AES-SHA1 keys

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational
Task
CATEGORY_EXTENDED_AUDIT

Description

The Key Distribution Center (KDC) blocked cipher usage because the service msds-SupportedEncryptionTypes is configured to only support AES-SHA1 but the service account does not have AES-SHA1 keys.

Message #

The Key Distribution Center (KDC) blocked cipher usage because the service msds-SupportedEncryptionTypes is configured to only support AES-SHA1 but the service account does not have AES-SHA1 keys. ____Account Information___Account Name: %1___Supplied Realm Name: %2___msds-SupportedEncryptionTypes: %3___Available Keys: %4____Service Information:___Service Name: %5___Service ID: %6___msds-SupportedEncryptionTypes: %7___Available Keys: %8____Domain Controller Information:___msds-SupportedEncryptionTypes: %9___DefaultDomainSupportedEncTypes: %10___Available Keys: %11____Network Information:___Client Address: %12___Client Port: %13___Advertized Etypes: %14____See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more.

Fields #

NameDescription
AccountName UnicodeString
SuppliedRealm UnicodeString
AccountSET UnicodeString
AccountKeys UnicodeString
ServiceName UnicodeString
ServiceID SID
ServiceSET UnicodeString
ServiceKeys UnicodeString
DCSET UnicodeString
DDSET UnicodeString
DCKeys UnicodeString
IpAddress UnicodeString
Port UInt16
AdvertizedEtypes UnicodeString

Event ID 300: The Key Distribution Center (KDC) is being started.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational
Level
Informational
Task
KDC

Description

The Key Distribution Center (KDC) is being started.

Message #

The Key Distribution Center (KDC) is being started.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kerberos-Key-Distribution-Center",
    "guid": "3FD9DA1A-5A54-46C5-9A26-9BD7C0685056",
    "event_source_name": "",
    "event_id": 300,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T21:48:07.889406+00:00",
    "event_record_id": 21,
    "correlation": {},
    "execution": {
      "process_id": 936,
      "thread_id": 2856
    },
    "channel": "Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 301: The Key Distribution Center (KDC) has stopped with error code: ErrorCode.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational
Task
KDC

Description

The Key Distribution Center (KDC) has stopped with error code: ErrorCode.

Message #

The Key Distribution Center (KDC) has stopped with error code: %1

Fields #

NameDescription
ErrorCode UInt32

Event ID 302: The Key Distribution Center (KDC) uses the below KDC certificate for smart card or certificate authentication.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational
Level
Informational
Task
KDC

Description

The Key Distribution Center (KDC) uses the below KDC certificate for smart card or certificate authentication.

Message #

The Key Distribution Center (KDC) uses the below KDC certificate for smart card or certificate authentication.

Kdc Certificate Information:
  Issuer Name: %1
  Serial Number: %2
  Thumbprint: %3
  Template: %4

Fields #

NameDescription
Issuer UnicodeString
SerialNumber UnicodeString
Thumbprint UnicodeString
Template UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kerberos-Key-Distribution-Center",
    "guid": "3FD9DA1A-5A54-46C5-9A26-9BD7C0685056",
    "event_source_name": "",
    "event_id": 302,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T20:17:39.777902+00:00",
    "event_record_id": 15,
    "correlation": {},
    "execution": {
      "process_id": 968,
      "thread_id": 9364
    },
    "channel": "Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Issuer": "EvtGen-Root-CA",
    "SerialNumber": "4A000000035FD5C8BB1377E3DC000000000003",
    "Thumbprint": "DB0FEA9B641F3814FC5168AE83EF7839AF1BB012",
    "Template": "DomainController"
  },
  "message": ""
}

Event ID 303: A Kerberos ticket-granting-ticket (TGT) was issued for a member of the Protected User group.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
ProtectedUserSuccesses-DomainController

Description

A Kerberos ticket-granting-ticket (TGT) was issued for a member of the Protected User group.

Message #

A Kerberos ticket-granting-ticket (TGT) was issued for a member of the Protected User group.

Account Information:
	Account Name: %1
	Supplied Realm Name: %2
	User ID: %3

Authentication Policy Information:
	Silo Name: %16
	Policy Name: %17
	TGT Lifetime: %18

Device Information:
	Device Name: %4

Service Information:
	Service Name: %5
	Service ID: %6

Network Information:
	Client Address: %11
	Client Port: %12

Additional Information:
	Ticket Options: %7
	Result Code: %8
	Ticket Encryption Type: %9
	Pre-Authentication Type: %10

Certificate Information:
	Certificate Issuer Name: %13
	Certificate Serial Number: %14
	Certificate Thumbprint: %15

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

Fields #

NameDescription
TargetUserName UnicodeStringAccount name of the target.
TargetDomainName UnicodeStringDomain or machine name of the target account.
TargetSid SID
DeviceName UnicodeString
ServiceName UnicodeString
ServiceSid SID
TicketOptions HexInt32
Bitmask flags
0x40000000
Forwardable
0x20000000
Forwarded
0x10000000
Proxiable
0x08000000
Proxy
0x04000000
Allow-postdate
0x02000000
Postdated
0x01000000
Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired)
0x00800000
Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time)
0x00400000
Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange)
0x00200000
Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket)
0x00100000
Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested)
0x00010000
Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15)
0x00000010
Renewable-ok
0x00000008
Enc-tkt-in-skey
0x00000002
Renew
0x00000001
Validate
Status HexInt32NTSTATUS reference
TicketEncryptionType HexInt32
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xffffffff
Unspecified
PreAuthType UnicodeString
Known values
0
PA-NONE
2
PA-ENC-TIMESTAMP
11
PA-ETYPE-INFO
14
PA-PK-AS-REQ-OLD
15
PA-PK-AS-REQ
16
PA-PK-AS-REP
17
PA-ETYPE-INFO2
19
PA-ETYPE-INFO2
20
PA-SVR-REFERRAL-INFO
128
PA-SUPPORTED-ENCTYPES
129
PA-PAC-OPTIONS
165
PA-SPAKE
IpAddress UnicodeString
IpPort UnicodeString
CertIssuerName UnicodeString
CertSerialNumber UnicodeString
CertThumbprint UnicodeString
SiloName UnicodeString
PolicyName UnicodeString
TGTLifetime UInt32

Event ID 303: A Kerberos ticket-granting-ticket (TGT) was issued for a member of the Protected User group

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

A Kerberos ticket-granting-ticket (TGT) was issued for a member of the Protected User group.

Fields #

NameDescription
TargetUserName UnicodeStringAccount name of the target.
TargetDomainName UnicodeStringDomain or machine name of the target account.
TargetSid SID
DeviceName UnicodeString
ServiceName UnicodeString
ServiceSid SID
TicketOptions HexInt32
Bitmask flags
0x40000000
Forwardable
0x20000000
Forwarded
0x10000000
Proxiable
0x08000000
Proxy
0x04000000
Allow-postdate
0x02000000
Postdated
0x01000000
Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired)
0x00800000
Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time)
0x00400000
Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange)
0x00200000
Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket)
0x00100000
Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested)
0x00010000
Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15)
0x00000010
Renewable-ok
0x00000008
Enc-tkt-in-skey
0x00000002
Renew
0x00000001
Validate
Status HexInt32NTSTATUS reference
TicketEncryptionType HexInt32
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xffffffff
Unspecified
PreAuthType UnicodeString
Known values
0
PA-NONE
2
PA-ENC-TIMESTAMP
11
PA-ETYPE-INFO
14
PA-PK-AS-REQ-OLD
15
PA-PK-AS-REQ
16
PA-PK-AS-REP
17
PA-ETYPE-INFO2
19
PA-ETYPE-INFO2
20
PA-SVR-REFERRAL-INFO
128
PA-SUPPORTED-ENCTYPES
129
PA-PAC-OPTIONS
165
PA-SPAKE
IpAddress UnicodeString
IpPort UnicodeString
CertIssuerName UnicodeString
CertSerialNumber UnicodeString
CertThumbprint UnicodeString
SiloName UnicodeString
PolicyName UnicodeString
TGTLifetime UInt32

Event ID 304: A Kerberos service ticket was issued for a member of the Protected User group.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
ProtectedUserSuccesses-DomainController

Description

A Kerberos service ticket was issued for a member of the Protected User group.

Message #

A Kerberos service ticket was issued for a member of the Protected User group.

Account Information:
	Account Name: %1
	Account Domain: %2
	Logon GUID: %11

Authentication Policy Information:
	Silo Name: %13
	Policy Name: %14

Device Information:
	Device Name: %3

Service Information:
	Service Name: %4
	Service ID: %5

Network Information:
	Client Address: %8
	Client Port: %9

Additional Information:
	Ticket Options: %6
	Ticket Encryption Type: %7
	Failure Code: %10
	Transited Services: %12

This event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.

Fields #

NameDescription
TargetUserName UnicodeStringAccount name of the target.
TargetDomainName UnicodeStringDomain or machine name of the target account.
DeviceName UnicodeString
ServiceName UnicodeString
ServiceSid SID
TicketOptions HexInt32
Bitmask flags
0x40000000
Forwardable
0x20000000
Forwarded
0x10000000
Proxiable
0x08000000
Proxy
0x04000000
Allow-postdate
0x02000000
Postdated
0x01000000
Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired)
0x00800000
Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time)
0x00400000
Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange)
0x00200000
Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket)
0x00100000
Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested)
0x00010000
Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15)
0x00000010
Renewable-ok
0x00000008
Enc-tkt-in-skey
0x00000002
Renew
0x00000001
Validate
TicketEncryptionType HexInt32
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xffffffff
Unspecified
IpAddress UnicodeString
IpPort UnicodeString
Status HexInt32NTSTATUS reference
LogonGuid GUID
TransitedServices UnicodeString
SiloName UnicodeString
PolicyName UnicodeString

Event ID 304: A Kerberos service ticket was issued for a member of the Protected User group

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

A Kerberos service ticket was issued for a member of the Protected User group.

Fields #

NameDescription
TargetUserName UnicodeStringAccount name of the target.
TargetDomainName UnicodeStringDomain or machine name of the target account.
DeviceName UnicodeString
ServiceName UnicodeString
ServiceSid SID
TicketOptions HexInt32
Bitmask flags
0x40000000
Forwardable
0x20000000
Forwarded
0x10000000
Proxiable
0x08000000
Proxy
0x04000000
Allow-postdate
0x02000000
Postdated
0x01000000
Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired)
0x00800000
Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time)
0x00400000
Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange)
0x00200000
Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket)
0x00100000
Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested)
0x00010000
Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15)
0x00000010
Renewable-ok
0x00000008
Enc-tkt-in-skey
0x00000002
Renew
0x00000001
Validate
TicketEncryptionType HexInt32
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xffffffff
Unspecified
IpAddress UnicodeString
IpPort UnicodeString
Status HexInt32NTSTATUS reference
LogonGuid GUID
TransitedServices UnicodeString
SiloName UnicodeString
PolicyName UnicodeString

Event ID 305: A Kerberos ticket-granting-ticket (TGT) was issued, but it will be denied when Authentication Policy is enforced because the device does not meet t...

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
AuthenticationPolicyFailures-DomainController

Description

A Kerberos ticket-granting-ticket (TGT) was issued, but it will be denied when Authentication Policy is enforced because the device does not meet the access control restrictions.

Message #

A Kerberos ticket-granting-ticket (TGT) was issued, but it will be denied when Authentication Policy is enforced because the device does not meet the access control restrictions.

Account Information:
	Account Name: %1
	Supplied Realm Name: %2
	User ID: %3

Authentication Policy Information:
	Silo Name: %16
	Policy Name: %17
	TGT Lifetime: %18

Device Information:
	Device Name: %4

Service Information:
	Service Name: %5
	Service ID: %6

Network Information:
	Client Address: %11
	Client Port: %12

Additional Information:
	Ticket Options: %7
	Result Code: %8
	Ticket Encryption Type: %9
	Pre-Authentication Type: %10

Certificate Information:
	Certificate Issuer Name: %13
	Certificate Serial Number: %14
	Certificate Thumbprint: %15

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

Fields #

NameDescription
TargetUserName UnicodeStringAccount name of the target.
TargetDomainName UnicodeStringDomain or machine name of the target account.
TargetSid SID
DeviceName UnicodeString
ServiceName UnicodeString
ServiceSid SID
TicketOptions HexInt32
Bitmask flags
0x40000000
Forwardable
0x20000000
Forwarded
0x10000000
Proxiable
0x08000000
Proxy
0x04000000
Allow-postdate
0x02000000
Postdated
0x01000000
Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired)
0x00800000
Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time)
0x00400000
Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange)
0x00200000
Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket)
0x00100000
Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested)
0x00010000
Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15)
0x00000010
Renewable-ok
0x00000008
Enc-tkt-in-skey
0x00000002
Renew
0x00000001
Validate
Status HexInt32NTSTATUS reference
TicketEncryptionType HexInt32
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xffffffff
Unspecified
PreAuthType UnicodeString
Known values
0
PA-NONE
2
PA-ENC-TIMESTAMP
11
PA-ETYPE-INFO
14
PA-PK-AS-REQ-OLD
15
PA-PK-AS-REQ
16
PA-PK-AS-REP
17
PA-ETYPE-INFO2
19
PA-ETYPE-INFO2
20
PA-SVR-REFERRAL-INFO
128
PA-SUPPORTED-ENCTYPES
129
PA-PAC-OPTIONS
165
PA-SPAKE
IpAddress UnicodeString
IpPort UnicodeString
CertIssuerName UnicodeString
CertSerialNumber UnicodeString
CertThumbprint UnicodeString
SiloName UnicodeString
PolicyName UnicodeString
TGTLifetime UInt32

References #

Event ID 305: A Kerberos ticket-granting-ticket (TGT) was issued, but it will be denied when Authentication Policy is enforced because the device does not meet the access control restrictions

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

A Kerberos ticket-granting-ticket (TGT) was issued, but it will be denied when Authentication Policy is enforced because the device does not meet the access control restrictions.

Fields #

NameDescription
TargetUserName UnicodeStringAccount name of the target.
TargetDomainName UnicodeStringDomain or machine name of the target account.
TargetSid SID
DeviceName UnicodeString
ServiceName UnicodeString
ServiceSid SID
TicketOptions HexInt32
Bitmask flags
0x40000000
Forwardable
0x20000000
Forwarded
0x10000000
Proxiable
0x08000000
Proxy
0x04000000
Allow-postdate
0x02000000
Postdated
0x01000000
Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired)
0x00800000
Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time)
0x00400000
Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange)
0x00200000
Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket)
0x00100000
Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested)
0x00010000
Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15)
0x00000010
Renewable-ok
0x00000008
Enc-tkt-in-skey
0x00000002
Renew
0x00000001
Validate
Status HexInt32NTSTATUS reference
TicketEncryptionType HexInt32
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xffffffff
Unspecified
PreAuthType UnicodeString
Known values
0
PA-NONE
2
PA-ENC-TIMESTAMP
11
PA-ETYPE-INFO
14
PA-PK-AS-REQ-OLD
15
PA-PK-AS-REQ
16
PA-PK-AS-REP
17
PA-ETYPE-INFO2
19
PA-ETYPE-INFO2
20
PA-SVR-REFERRAL-INFO
128
PA-SUPPORTED-ENCTYPES
129
PA-PAC-OPTIONS
165
PA-SPAKE
IpAddress UnicodeString
IpPort UnicodeString
CertIssuerName UnicodeString
CertSerialNumber UnicodeString
CertThumbprint UnicodeString
SiloName UnicodeString
PolicyName UnicodeString
TGTLifetime UInt32

Event ID 306: A Kerberos service ticket was issued, but it will be denied when Authentication Policy is enforced for a member of the Protected User group because...

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
AuthenticationPolicyFailures-DomainController

Description

A Kerberos service ticket was issued, but it will be denied when Authentication Policy is enforced for a member of the Protected User group because the user, device, or both does not meet the access control restrictions. Account Information: Account Name: TargetUserName Account Domain: TargetDomainName Logon GUID: LogonGuid Authentication Policy Information: Silo Name: SiloName Policy Name: PolicyName Device Information: Device Name: DeviceName Service Information: Service Name: ServiceName Service ID: ServiceSid Network Information: Client Address: IpAddress Client Port: IpPort Additional Information: Ticket Options: TicketOptions Ticket Encryption Type: TicketEncryptionType Failure Code: Status Transited Services: TransitedServices This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120.

Message #

A Kerberos service ticket was issued, but it will be denied when Authentication Policy is enforced for a member of the Protected User group because the user, device, or both does not meet the access control restrictions.

Account Information:
	Account Name: %1
	Account Domain: %2
	Logon GUID: %11

Authentication Policy Information:
	Silo Name: %13
	Policy Name: %14

Device Information:
	Device Name: %3

Service Information:
	Service Name: %4
	Service ID: %5

Network Information:
	Client Address: %8
	Client Port: %9

Additional Information:
	Ticket Options: %6
	Ticket Encryption Type: %7
	Failure Code: %10
	Transited Services: %12

This event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.

Fields #

NameDescription
TargetUserName UnicodeStringAccount name of the target.
TargetDomainName UnicodeStringDomain or machine name of the target account.
DeviceName UnicodeString
ServiceName UnicodeString
ServiceSid SID
TicketOptions HexInt32
Bitmask flags
0x40000000
Forwardable
0x20000000
Forwarded
0x10000000
Proxiable
0x08000000
Proxy
0x04000000
Allow-postdate
0x02000000
Postdated
0x01000000
Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired)
0x00800000
Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time)
0x00400000
Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange)
0x00200000
Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket)
0x00100000
Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested)
0x00010000
Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15)
0x00000010
Renewable-ok
0x00000008
Enc-tkt-in-skey
0x00000002
Renew
0x00000001
Validate
TicketEncryptionType HexInt32
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xffffffff
Unspecified
IpAddress UnicodeString
IpPort UnicodeString
Status HexInt32NTSTATUS reference
LogonGuid GUID
TransitedServices UnicodeString
SiloName UnicodeString
PolicyName UnicodeString

References #

Event ID 306: A Kerberos service ticket was issued, but it will be denied when Authentication Policy is enforced for a member of the Protected User group because the user, device, or both does not meet the acces...

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Fields #

NameDescription
TargetUserName UnicodeStringAccount name of the target.
TargetDomainName UnicodeStringDomain or machine name of the target account.
DeviceName UnicodeString
ServiceName UnicodeString
ServiceSid SID
TicketOptions HexInt32
Bitmask flags
0x40000000
Forwardable
0x20000000
Forwarded
0x10000000
Proxiable
0x08000000
Proxy
0x04000000
Allow-postdate
0x02000000
Postdated
0x01000000
Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired)
0x00800000
Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time)
0x00400000
Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange)
0x00200000
Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket)
0x00100000
Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested)
0x00010000
Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15)
0x00000010
Renewable-ok
0x00000008
Enc-tkt-in-skey
0x00000002
Renew
0x00000001
Validate
TicketEncryptionType HexInt32
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xffffffff
Unspecified
IpAddress UnicodeString
IpPort UnicodeString
Status HexInt32NTSTATUS reference
LogonGuid GUID
TransitedServices UnicodeString
SiloName UnicodeString
PolicyName UnicodeString

Event ID 307: The Key Distribution Center (KDC) used the PKINIT protocol with encryption mode for the client ClientName.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The Key Distribution Center (KDC) used the PKINIT protocol with encryption mode for the client ClientName.

Message #

The Key Distribution Center (KDC) used the PKINIT protocol with encryption mode for the client %1.

Fields #

NameDescription
ClientName UnicodeString

Event ID 308: The Key Distribution Center (KDC) is unable to use the PKINIT protocol because the client ClientName requested encryption mode and the KDC does not support...

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The Key Distribution Center (KDC) is unable to use the PKINIT protocol because the client ClientName requested encryption mode and the KDC does not support it.

Message #

The Key Distribution Center (KDC) is unable to use the PKINIT protocol because the client %1 requested encryption mode and the KDC does not support it.

Fields #

NameDescription
ClientName UnicodeString

Event ID 309: The kerberos client used a hash algorithm for the PKINIT protocol that is being audited: Algorithm.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The kerberos client used a hash algorithm for the PKINIT protocol that is being audited: Algorithm.

Message #

The kerberos client used a hash algorithm for the PKINIT protocol that is being audited: %1.

Fields #

NameDescription
Algorithm UnicodeString

Event ID 310: The kerberos client used a hash algorithm for the PKINIT protocol that is not suppported: Algorithm.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The kerberos client used a hash algorithm for the PKINIT protocol that is not suppported: Algorithm.

Message #

The kerberos client used a hash algorithm for the PKINIT protocol that is not suppported: %1.

Fields #

NameDescription
Algorithm UnicodeString

Event ID 311: The Kerberos client did not supply a supported encryption type for use with the PKINIT protocol using encryption mode.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The Kerberos client did not supply a supported encryption type for use with the PKINIT protocol using encryption mode.

Message #

The Kerberos client did not supply a supported encryption type for use with the PKINIT protocol using encryption mode.
 Client Principal Name: %1
 Client IP Address: %2
 Client Supplied NetBIOS Name: %3

Fields #

NameDescription
ClientName UnicodeString
IPAddress UnicodeString
ClientNetBIOSName UnicodeString

Event ID 312: The Key Distribution Center (KDC) has an invalid hash algorithm configuration for PKINIT.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The Key Distribution Center (KDC) has an invalid hash algorithm configuration for PKINIT. This might result in PKINIT failures.

Message #

The Key Distribution Center (KDC) has an invalid hash algorithm configuration for PKINIT. This might result in PKINIT failures.

Event ID 313: The Key Distribution Center (KDC) encountered invalid certificate strong name match policy.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The Key Distribution Center (KDC) encountered invalid certificate strong name match policy.

Message #

The Key Distribution Center (KDC) encountered invalid certificate strong name match policy.

 Faulting line: %1

Fields #

NameDescription
EntryNumber UInt32

Event ID 314: An unauthorized Kerberos client attempted to fetch DMSA keys.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

An unauthorized Kerberos client attempted to fetch DMSA keys.

Message #

An unauthorized Kerberos client attempted to fetch DMSA keys.

Error code: %1
Machine: %2
DMSA: %3
Migration State: %4

Fields #

NameDescription
KerbErr HexInt32
Machine UnicodeString
DMSA UnicodeString
MigrationState UInt32

Event ID 315: A Kerberos client attempted to fetch DMSA keys.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

A Kerberos client attempted to fetch DMSA keys.

Message #

A Kerberos client attempted to fetch DMSA keys.

DMSA: %1
Machine: %2
Error Code: %3

Fields #

NameDescription
DMSA UnicodeString
Machine UnicodeString
KerbErr HexInt32

Event ID 400: A Kerberos authentication ticket (TGT) was requested.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational
Task
KDCExtendedAudit

Description

A Kerberos authentication ticket (TGT) was requested.

Message #

A Kerberos authentication ticket (TGT) was requested.

Account Information:
	Account Name: %1
	Supplied Realm Name: %2
	User ID: %3

Service Information:
	Service Name: %4
	Service ID: %5

Fields #

NameDescription
TargetUserName UnicodeStringAccount name of the target.
TargetDomainName UnicodeStringDomain or machine name of the target account.
TargetSid SID
ServiceName UnicodeString
ServiceSid SID
TicketOptions UInt32
Bitmask flags
0x40000000
Forwardable
0x20000000
Forwarded
0x10000000
Proxiable
0x08000000
Proxy
0x04000000
Allow-postdate
0x02000000
Postdated
0x01000000
Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired)
0x00800000
Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time)
0x00400000
Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange)
0x00200000
Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket)
0x00100000
Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested)
0x00010000
Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15)
0x00000010
Renewable-ok
0x00000008
Enc-tkt-in-skey
0x00000002
Renew
0x00000001
Validate
Status UInt32NTSTATUS reference
TicketEncryptionType UInt32
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xffffffff
Unspecified
PreAuthType UInt32
Known values
0
PA-NONE
2
PA-ENC-TIMESTAMP
11
PA-ETYPE-INFO
14
PA-PK-AS-REQ-OLD
15
PA-PK-AS-REQ
16
PA-PK-AS-REP
17
PA-ETYPE-INFO2
19
PA-ETYPE-INFO2
20
PA-SVR-REFERRAL-INFO
128
PA-SUPPORTED-ENCTYPES
129
PA-PAC-OPTIONS
165
PA-SPAKE
IpAddressLength UInt32
IpAddress Binary
CertIssuerName UnicodeString
CertSerialNumber UnicodeString
CertThumbprint UnicodeString
ResponseTicket UnicodeString
ClientNetbiosName UnicodeString
ResponseExtendedNtStatusCode UInt32
ResponseTicketLength UInt32
ResponseTicketStartTime FILETIME
ResponseTicketEndTime FILETIME
RequestSupportedEncryptionTypes UnicodeString
RequestFullServiceName UnicodeString
RequestFullServiceNameType UInt32
Known values
0
NT-UNKNOWN - name type not known
1
NT-PRINCIPAL - principal name (user)
2
NT-SRV-INST - service and unique instance (e.g. krbtgt)
3
NT-SRV-HST - service with host name as instance
4
NT-SRV-XHST - service with host as remaining components
5
NT-UID - unique ID
6
NT-X500-PRINCIPAL - encoded X.509 Distinguished Name
7
NT-SMTP-NAME - SMTP email name form
10
NT-ENTERPRISE - enterprise name; may be mapped to principal
11
NT-WELLKNOWN - well-known principal (RFC 6111)
RequestClientName UnicodeString
RequestClientNameType UInt32
Known values
0
NT-UNKNOWN - name type not known
1
NT-PRINCIPAL - principal name (user)
2
NT-SRV-INST - service and unique instance (e.g. krbtgt)
3
NT-SRV-HST - service with host name as instance
4
NT-SRV-XHST - service with host as remaining components
5
NT-UID - unique ID
6
NT-X500-PRINCIPAL - encoded X.509 Distinguished Name
7
NT-SMTP-NAME - SMTP email name form
10
NT-ENTERPRISE - enterprise name; may be mapped to principal
11
NT-WELLKNOWN - well-known principal (RFC 6111)
RequestRealm UnicodeString
ResponseTicketFullServiceName UnicodeString
ResponseTicketFullServiceNameType UInt32
Known values
0
NT-UNKNOWN - name type not known
1
NT-PRINCIPAL - principal name (user)
2
NT-SRV-INST - service and unique instance (e.g. krbtgt)
3
NT-SRV-HST - service with host name as instance
4
NT-SRV-XHST - service with host as remaining components
5
NT-UID - unique ID
6
NT-X500-PRINCIPAL - encoded X.509 Distinguished Name
7
NT-SMTP-NAME - SMTP email name form
10
NT-ENTERPRISE - enterprise name; may be mapped to principal
11
NT-WELLKNOWN - well-known principal (RFC 6111)
ResponseTicketRealm UnicodeString
ResponseTicketKeyVersion UInt32
ResponseEncryptedDataEncryptionType UInt32
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xffffffff
Unspecified
ArmorKeyEncryptionType UInt32
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xffffffff
Unspecified
ClientPreAuthEncryptionType UInt32
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xffffffff
Unspecified
PacRequestType UInt32
CertNotBefore FILETIME
CertNotAfter FILETIME
CertSubjectName UnicodeString
PreAuthNonce UInt32
LogonStatus UInt32
PreAuthSupportedEncryptionTypes UnicodeString
ClientCertificateContextLength UInt32
ClientCertificateContext Binary
UsedOldPassword Boolean
UserObjectGuid GUID

Event ID 401: A Kerberos service ticket was requested.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational
Task
KDCExtendedAudit

Description

A Kerberos service ticket was requested.

Message #

A Kerberos service ticket was requested.

Account Information:
	Account Name: %1
	Account Domain: %2
	Logon GUID: %10

Service Information:
	Service Name: %3
	Service ID: %4

Fields #

NameDescription
TargetUserName UnicodeStringAccount name of the target.
TargetDomainName UnicodeStringDomain or machine name of the target account.
ServiceName UnicodeString
ServiceSid SID
TicketOptions UInt32
Bitmask flags
0x40000000
Forwardable
0x20000000
Forwarded
0x10000000
Proxiable
0x08000000
Proxy
0x04000000
Allow-postdate
0x02000000
Postdated
0x01000000
Invalid (RFC 4120 §5.4.1 KDCOptions bit 7; KDC-issued ticket has been invalidated and must be re-acquired)
0x00800000
Renewable (RFC 4120 §5.4.1 KDCOptions bit 8; ticket carries the renewable flag and may be renewed until its renew-till time)
0x00400000
Initial (RFC 4120 §5.4.1 KDCOptions bit 9; ticket was issued using the AS exchange rather than the TGS exchange)
0x00200000
Pre-authent (RFC 4120 §5.4.1 KDCOptions bit 10; KDC verified client pre-authentication before issuing the ticket)
0x00100000
Opt-hardware-auth (RFC 4120 §5.4.1 KDCOptions bit 11; hardware-token pre-authentication was requested)
0x00010000
Name-canonicalize (RFC 6806 Kerberos Principal Name Canonicalization; KDCOptions bit 15)
0x00000010
Renewable-ok
0x00000008
Enc-tkt-in-skey
0x00000002
Renew
0x00000001
Validate
TicketEncryptionType UInt32
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xffffffff
Unspecified
IpAddressLength UInt32
IpAddress Binary
Status UInt32NTSTATUS reference
LogonGuid GUID
TransmittedServices UnicodeString
RequestTicketHash UnicodeString
ResponseTicketHash UnicodeString
ClientNetbiosName UnicodeString
ResponseExtendedNtStatusCode UInt32
PacOptions UInt32
Bitmask flags
0x80000000
Claims - request Claims authorization data in the PAC
0x40000000
Branch Aware - indicate branch-aware processing capability
0x20000000
Forward to Full DC - request forwarding to a full domain controller
RequestTicketLength UInt32
ResponseTicketLength UInt32
RequestTicketAuthTime FILETIME
RequestTicketFlags UInt32
Bitmask flags
0x40000000
Forwardable
0x20000000
Forwarded
0x10000000
Proxiable
0x08000000
Proxy
0x04000000
May-postdate
0x02000000
Postdated
0x01000000
Invalid
0x00800000
Renewable
0x00400000
Initial
0x00200000
Pre-authent
0x00100000
Hw-authent
0x00080000
Transited-policy-checked
0x00040000
Ok-as-delegate
RequestTicketRenewUntil FILETIME
RequestTicketStartTime FILETIME
RequestTicketEndTime FILETIME
ResponseTicketStartTime FILETIME
ResponseTicketEndTime FILETIME
RequestSupportedEncryptionTypes UnicodeString
RequestAuthDataEncryptionType UInt32
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xffffffff
Unspecified
RequestAuthDataLength UInt32
RequestNonce UInt32
RequestFullServiceName UnicodeString
RequestFullServiceNameType UInt32
Known values
0
NT-UNKNOWN - name type not known
1
NT-PRINCIPAL - principal name (user)
2
NT-SRV-INST - service and unique instance (e.g. krbtgt)
3
NT-SRV-HST - service with host name as instance
4
NT-SRV-XHST - service with host as remaining components
5
NT-UID - unique ID
6
NT-X500-PRINCIPAL - encoded X.509 Distinguished Name
7
NT-SMTP-NAME - SMTP email name form
10
NT-ENTERPRISE - enterprise name; may be mapped to principal
11
NT-WELLKNOWN - well-known principal (RFC 6111)
RequestRealm UnicodeString
RequestTicketFullServiceName UnicodeString
RequestTicketFullServiceNameType UInt32
Known values
0
NT-UNKNOWN - name type not known
1
NT-PRINCIPAL - principal name (user)
2
NT-SRV-INST - service and unique instance (e.g. krbtgt)
3
NT-SRV-HST - service with host name as instance
4
NT-SRV-XHST - service with host as remaining components
5
NT-UID - unique ID
6
NT-X500-PRINCIPAL - encoded X.509 Distinguished Name
7
NT-SMTP-NAME - SMTP email name form
10
NT-ENTERPRISE - enterprise name; may be mapped to principal
11
NT-WELLKNOWN - well-known principal (RFC 6111)
RequestTicketRealm UnicodeString
RequestTicketClientName UnicodeString
RequestTicketClientNameType UInt32
Known values
0
NT-UNKNOWN - name type not known
1
NT-PRINCIPAL - principal name (user)
2
NT-SRV-INST - service and unique instance (e.g. krbtgt)
3
NT-SRV-HST - service with host name as instance
4
NT-SRV-XHST - service with host as remaining components
5
NT-UID - unique ID
6
NT-X500-PRINCIPAL - encoded X.509 Distinguished Name
7
NT-SMTP-NAME - SMTP email name form
10
NT-ENTERPRISE - enterprise name; may be mapped to principal
11
NT-WELLKNOWN - well-known principal (RFC 6111)
RequestTicketClientRealm UnicodeString
ResponseTicketFullServiceName UnicodeString
ResponseTicketFullServiceNameType UInt32
Known values
0
NT-UNKNOWN - name type not known
1
NT-PRINCIPAL - principal name (user)
2
NT-SRV-INST - service and unique instance (e.g. krbtgt)
3
NT-SRV-HST - service with host name as instance
4
NT-SRV-XHST - service with host as remaining components
5
NT-UID - unique ID
6
NT-X500-PRINCIPAL - encoded X.509 Distinguished Name
7
NT-SMTP-NAME - SMTP email name form
10
NT-ENTERPRISE - enterprise name; may be mapped to principal
11
NT-WELLKNOWN - well-known principal (RFC 6111)
ResponseTicketRealm UnicodeString
RequestTicketKeyVersion UInt32
ResponseTicketKeyVersion UInt32
RequestTicketEncryptionType UInt32
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xffffffff
Unspecified
ArmorKeyEncryptionType UInt32
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xffffffff
Unspecified
U2UTgtAccountName UnicodeString
U2UTgtCRealm UnicodeString
U2UTgtCName UnicodeString
U2UTicketLength UInt32
U2UTicketEncryptionType UInt32
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xffffffff
Unspecified
U2UTicketHash UnicodeString
U2UTicketKeyVersion UInt32
U2UTicketFullServiceName UnicodeString
U2UTicketFullServiceNameType UInt32
Known values
0
NT-UNKNOWN - name type not known
1
NT-PRINCIPAL - principal name (user)
2
NT-SRV-INST - service and unique instance (e.g. krbtgt)
3
NT-SRV-HST - service with host name as instance
4
NT-SRV-XHST - service with host as remaining components
5
NT-UID - unique ID
6
NT-X500-PRINCIPAL - encoded X.509 Distinguished Name
7
NT-SMTP-NAME - SMTP email name form
10
NT-ENTERPRISE - enterprise name; may be mapped to principal
11
NT-WELLKNOWN - well-known principal (RFC 6111)
S4UAccountName UnicodeString
S4UPACClientName UnicodeString
S4UPACClientRealm UnicodeString
S4UTargetName UnicodeString
S4UNonce UInt32
S4URequestorSid SID
S4UAdditionalTicketKeyVersion UInt32
S4URequestorServiceName UnicodeString
S4URequestorServiceRealm UnicodeString
S4UAdditionalTicketLength UInt32
S4UAdditionalTicketEncryptionType UInt32
Known values
0x1
DES-CBC-CRC
0x3
DES-CBC-MD5
0x11
AES128-CTS-HMAC-SHA1-96
0x12
AES256-CTS-HMAC-SHA1-96
0x17
RC4-HMAC
0x18
RC4-HMAC-EXP
0xffffffff
Unspecified
S4UAdditionalTicketHash UnicodeString
S4UAdditionalTicketFullServiceName UnicodeString
S4UAdditionalTicketFullServiceNameType UInt32
Known values
0
NT-UNKNOWN - name type not known
1
NT-PRINCIPAL - principal name (user)
2
NT-SRV-INST - service and unique instance (e.g. krbtgt)
3
NT-SRV-HST - service with host name as instance
4
NT-SRV-XHST - service with host as remaining components
5
NT-UID - unique ID
6
NT-X500-PRINCIPAL - encoded X.509 Distinguished Name
7
NT-SMTP-NAME - SMTP email name form
10
NT-ENTERPRISE - enterprise name; may be mapped to principal
11
NT-WELLKNOWN - well-known principal (RFC 6111)
ServiceObjectGuid GUID
RequestTicketPacLogonInfoLength UInt32
RequestTicketPacLogonInfo Binary
RequestTicketPacUpnDnsInfoLength UInt32
RequestTicketPacUpnDnsInfo Binary
RequestTicketPacRequestorSid SID
RequestTicketPacLogonServer UnicodeString
RequestTicketPacLogonDomainName UnicodeString
RequestTicketPacFullName UnicodeString
RequestTicketPacHomeDirectory UnicodeString
RequestTicketPacGroupIds UnicodeString
RequestTicketPacUserId UInt32
RequestTicketPacPrimaryGroupId UInt32
RequestTicketPacGroupCount UInt32
RequestTicketPacBadPasswordCount UInt32
RequestTicketPacLogonCount UInt32
RequestTicketPacUserAccountControlFlags UInt32
RequestTicketPacUserFlags UInt32
RequestTicketPacLogonTime FILETIME
RequestTicketPacLogoffTime FILETIME
RequestTicketPacKickOffTime FILETIME
RequestTicketPacPasswordLastSet FILETIME
RequestTicketPacLastSuccessfulLogon FILETIME
RequestTicketPacLastFailedLogon FILETIME
RequestTicketPacFailedAttemptCountSinceSuccessfulLogon UInt32

Event ID 2147483651: Could not find principal Principal.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

Could not find principal.

Message #

Could not find principal %1

Fields #

NameDescription
Principal
__binLength
binary

Event ID 2147483652: Domain Domain propagated to us but did not authenticate.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

Domain propagated to us but did not authenticate.

Message #

Domain %1 propagated to us but did not authenticate.

Fields #

NameDescription
Domain
__binLength
binary

Event ID 2147483660: A request failed from client realm ClientRealm for a ticket in realm Realm.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

A request failed from client realm for a ticket in realm . This failed because a trust link between the realms is non transitive.

Message #

A request failed from client realm %1 for a ticket in realm %2. This failed because a trust link between the realms is non transitive.

Fields #

NameDescription
ClientRealm
Realm
__binLength
binary

Event ID 2147483667: This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable ...

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate.

Message #

This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate.

Event ID 2147483668: The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data.

Message #

The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data.

Event ID 2147483669: The client certificate for the user Domain\Username is not valid, and resulted in a failed smartcard logon.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The client certificate for the user Domain\Username is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was : Status

Message #

The client certificate for the user %1\%2 is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was : %3

Fields #

NameDescription
Domain
Username
Status
__binLength
binary

Event ID 2147483670: The KDC encountered a trust loop when building a list of trusted domains.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The KDC encountered a trust loop when building a list of trusted domains. This indicates that the route to the domain from this KDC has more than one possible trust path.

Message #

The KDC encountered a trust loop when building a list of trusted domains. This indicates that the route to the domain %1 from this KDC has more than one possible trust path.

Fields #

NameDescription
Domain
__binLength
binary

Event ID 2147483671: The KDC received invalid messages of type Type.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The KDC received invalid messages of type .

Message #

The KDC received invalid messages of type %1.

Fields #

NameDescription
Type
__binLength
binary

Event ID 2147483672: A service ticket request by client Client for Server was rejected because User2User was required.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

A service ticket request by client Client for Server was rejected because User2User was required. The KDC responds with this error when a client requests a service ticket for a user principal (a security risk). The client must support User2User in order to obtain a service ticket for the requested service principal

Message #

A service ticket request by client %1 for %2 was rejected because User2User was required. The KDC responds with this error when a client requests a service ticket for a user principal (a security risk). The client must support User2User in order to obtain a service ticket for the requested service principal

Fields #

NameDescription
Client
Server
__binLength
binary

Event ID 2147483673: The account Name from domain Domain is attempting to use S4USelf for the target client Target, but is not allowed to perform group expansion on this client's...

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The account Name from domain Domain is attempting to use S4USelf for the target client Target, but is not allowed to perform group expansion on this client's user object. It may be necessary to adjust the ACL on the TokenGroupsGlobalAndUniversal attribute on the target client's user object to allow S4USelf to function correctly. This can also be accomplished by adding Name to the Windows Authorization Access Group.

Message #

The account %1 from domain %2 is attempting to use S4USelf for the target client %3, but is not allowed to perform group expansion on this client's user object. It may be necessary to adjust the ACL on the TokenGroupsGlobalAndUniversal attribute on the target client's user object to allow S4USelf to function correctly. This can also be accomplished by adding %1 to the Windows Authorization Access Group.

Fields #

NameDescription
Name
Domain
Target
__binLength
binary

Event ID 2147483676: When generating a cross realm referral from domain Domain the KDC was not able to find the suitable key to verify the ticket.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

When generating a cross realm referral from domain Domain the KDC was not able to find the suitable key to verify the ticket. The ticket key version in the request was RequestedKeyVersion and the available key version was AvailableKeyVersion. This most common reason for this error is a delay in replicating the keys. In order to remove this problem try forcing replication or wait for the replication of keys to occur.

Message #

When generating a cross realm referral from domain %1 the KDC was not able to find the suitable key to verify the ticket. The ticket key version in the request was %2 and the available key version was %3. This most common reason for this error is a delay in replicating the keys. In order to remove this problem try forcing replication or wait for the replication of keys to occur.

Fields #

NameDescription
Domain
RequestedKeyVersion
AvailableKeyVersion
__binLength
binary

Event ID 2147483677: The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

Message #

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

Event ID 2147483678: The Kerberos Key Distribution Center failed to locate the forest or domain Forest to search.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The Kerberos Key Distribution Center failed to locate the forest or domain Forest to search. Please ensure that the forest search order policy is correctly configured, and that this forest or domain is available.

Message #

The Kerberos Key Distribution Center failed to locate the forest or domain %1 to search.  Please ensure that the forest search order policy is correctly configured, and that this forest or domain is available.

Fields #

NameDescription
Forest
__binLength
binary

Event ID 2147483679: A ticket to the service Server is issued for account Account.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

A ticket to the service Server is issued for account Account. The size of the encrypted part of this ticket is EncryptedTicketSize bytes, which is close or greater than the configured ticket size threshold (TicketSizeThreshold bytes). This ticket or any additional tickets issued from this ticket might result in authentication failures if the client or server application allocates SSPI token buffers bounded by a value that is close to the threshold value. The size of ticket is largely determined by the size of authorization data it carries. The size of authorization data is determined by the groups the account is member of, the claims data the account is setup for, and the resource groups resolved in the resource domain.

Message #

A ticket to the service %2 is issued for account %1. The size of the encrypted part of this ticket is %3 bytes, which is close or greater than the configured ticket size threshold (%4 bytes). This ticket or any additional tickets issued from this ticket might result in authentication failures if the client or server application allocates SSPI token buffers bounded by a value that is close to the threshold value.
The size of ticket is largely determined by the size of authorization data it carries. The size of authorization data is determined by the groups the account is member of, the claims data the account is setup for, and the resource groups resolved in the resource domain.

Fields #

NameDescription
Account
Server
EncryptedTicketSize
TicketSizeThreshold
__binLength
binary

Event ID 2147483680: The Key Distribution Center (KDC) uses a certificate without KDC Extended Key Usage (EKU) which can result in authentication failures for device ce...

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The Key Distribution Center (KDC) uses a certificate without KDC Extended Key Usage (EKU) which can result in authentication failures for device certificate logon and smart card logon from non-domain-joined devices. Enrollment of a KDC certificate with KDC EKU (Kerberos Authentication template) is required to remove this warning.

Message #

The Key Distribution Center (KDC) uses a certificate without KDC Extended Key Usage (EKU) which can result in authentication failures for device certificate logon and smart card logon from non-domain-joined devices. Enrollment of a KDC certificate with KDC EKU (Kerberos Authentication template) is required to remove this warning.

Event ID 2147483681: The Key Distribution Center (KDC) encountered failures when updating the krbtgt account for the Dynamic Access Control and Kerberos armoring policy...

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The Key Distribution Center (KDC) encountered failures when updating the krbtgt account for the Dynamic Access Control and Kerberos armoring policy capability for the domain. This update was performed so that all the domain controllers including read-only domain controllers (RODCs) in this domain could advertise support for Dynamic Access Control and Kerberos armoring. This failure indicates that there could be domain controllers that have not received updated krbtgt account values. If the update to the krbtgt account is in transit, then you can run Gpupdate /force as a possible workaround to this failure. More information about this update: Object Rid: %1 Update bits: %2 Bitmask: %3 Error Code: %4

Message #

The Key Distribution Center (KDC) encountered failures when updating the krbtgt account for the Dynamic Access Control and Kerberos armoring policy capability for the domain. This update was performed so that all the domain controllers including read-only domain controllers (RODCs) in this domain could advertise support for Dynamic Access Control and Kerberos armoring. This failure indicates that there could be domain controllers that have not received updated krbtgt account values. If the update to the krbtgt account is in transit, then you can run Gpupdate /force as a possible workaround to this failure. More information about this update:

  Object Rid: %1
  Update bits: %2
  Bitmask: %3
  Error Code: %4

Event ID 2147483682: The Key Distribution Center (KDC) has the Dynamic Access Control and Kerberos armoring policy configured for a level which requires a higher domain...

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The Key Distribution Center (KDC) has the Dynamic Access Control and Kerberos armoring policy configured for a level which requires a higher domain functional level. Until the domain functional level is raised, the KDC will only support the level configured as Supported.

Message #

The Key Distribution Center (KDC) has the Dynamic Access Control and Kerberos armoring policy configured for a level which requires a higher domain functional level. Until the domain functional level is raised, the KDC will only support the level configured as Supported.

Event ID 2147483683: The Key Distribution Center (KDC) encountered a ticket-granting-ticket (TGT) from another KDC that did not contain a PAC attributes field.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The Key Distribution Center (KDC) encountered a ticket-granting-ticket (TGT) from another KDC (IssuingKDC) that did not contain a PAC attributes field. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.

Message #

The Key Distribution Center (KDC) encountered a ticket-granting-ticket (TGT) from another KDC (%1) that did not contain a PAC attributes field. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.

Fields #

NameDescription
IssuingKDC
__binLength
binary

Event ID 2147483684: The Key Distribution Center (KDC) encountered a ticket that did not contain a PAC while processing a request for another ticket.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The Key Distribution Center (KDC) encountered a ticket that did not contain a PAC while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more. Client: ClientRealm\\ClientName Ticket for: ServerName

Message #

The Key Distribution Center (KDC) encountered a ticket that did not contain a PAC while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.

  Client: %1\\%2
  Ticket for: %3

Fields #

NameDescription
ClientRealm
ClientName
ServerName
__binLength
binary

Event ID 2147483685: The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processin...

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more. Ticket PAC constructed by: IssuingKDC Client: ClientRealm\\ClientName Ticket for: ServerName

Message #

The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.

  Ticket PAC constructed by: %1
  Client: %2\\%3
  Ticket for: %4

Fields #

NameDescription
IssuingKDC
ClientRealm
ClientName
ServerName
__binLength
binary

Event ID 2147483686: The Key Distribution Center (KDC) encountered a ticket that contained inconsistent information about the account that requested the ticket.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The Key Distribution Center (KDC) encountered a ticket that contained inconsistent information about the account that requested the ticket. This could mean that the account has been renamed since the ticket was issued, which may have been part of an attempted exploit. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more. Ticket PAC constructed by: IssuingKDC Client: ClientRealm\\ClientName Ticket for: ServerName Requesting Account SID from Active Directory: ActiveDirectorySID Requesting Account SID from Ticket: TicketSID

Message #

The Key Distribution Center (KDC) encountered a ticket that contained inconsistent information about the account that requested the ticket. This could mean that the account has been renamed since the ticket was issued, which may have been part of an attempted exploit. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.

  Ticket PAC constructed by: %1
  Client: %2\\%3
  Ticket for: %4
  Requesting Account SID from Active Directory: %5
  Requesting Account SID from Ticket: %6

Fields #

NameDescription
IssuingKDC
ClientRealm
ClientName
ServerName
ActiveDirectorySID
TicketSID
__binLength
binary

Event ID 2147483687: The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Message #

The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID). Such certificates should either be replaced or mapped directly to the user via explicit mapping. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more.

  User: %1
  Certificate Subject: %2
  Certificate Issuer: %3
  Certificate Serial Number: %4
  Certificate Thumbprint: %5
  Certificate Issuance Policies: %6

Event ID 2147483688: The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Message #

The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID). The certificate also predated the user it mapped to, so it was rejected. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more.

  User: %1
  Certificate Subject: %2
  Certificate Issuer: %3
  Certificate Serial Number: %4
  Certificate Thumbprint: %5
  Certificate Issuance Policies: %6
  Certificate Issuance Time: %7
  Account Creation Time: %8

Event ID 2147483689: The Key Distribution Center (KDC) encountered a user certificate that was valid but contained a different SID than the user to which it mapped.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Message #

The Key Distribution Center (KDC) encountered a user certificate that was valid but contained a different SID than the user to which it mapped. As a result, the request involving the certificate failed. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more.

  User: %1
 User SID: %2
 Certificate Subject: %3
  Certificate Issuer: %4
  Certificate Serial Number: %5
  Certificate Thumbprint: %6
  Certificate Issuance Policies: %7
  Certificate SID: %8

Event ID 2147483690: The Kerberos Key Distribution Center lacks strong keys for account %1.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The Kerberos Key Distribution Center lacks strong keys for account .

Message #

The Kerberos Key Distribution Center lacks strong keys for account %1.

You must update the password of this account to prevent use of insecure cryptography. 

See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more.

Event ID 2147483691: The Key Distribution Center (KDC) encountered a ticket that it could not validate the full PAC Signature.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The Key Distribution Center (KDC) encountered a ticket that it could not validate the full PAC Signature. See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more.

Message #

The Key Distribution Center (KDC) encountered a ticket that it could not validate the full PAC Signature. See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more.

  Client: %1\\%2

Event ID 2147483692: The Key Distribution Center (KDC) encountered a ticket that did not contained the full PAC Signature.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The Key Distribution Center (KDC) encountered a ticket that did not contained the full PAC Signature. See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more.

Message #

The Key Distribution Center (KDC) encountered a ticket that did not contained the full PAC Signature. See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more.

  Client: %1\\%2

Event ID 2147483693: The Key Distribution Center (KDC) encountered a client certificate that was valid but did not chain to a root in the NTAuth store.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Message #

The Key Distribution Center (KDC) encountered a client certificate that was valid but did not chain to a root in the NTAuth store. Support for certificates that do not chain to the NTAuth store is deprecated. See https://go.microsoft.com/fwlink/?linkid=2300705 to learn more.

  User: %1
  Certificate Subject: %2
  Certificate Issuer: %3
  Certificate Serial Number: %4
  Certificate Thumbprint: %5

Event ID 3221225477: The KDC failed to update policy class Class.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The KDC failed to update policy class . The error is in the data.

Message #

The KDC failed to update policy class %1. The error is in the data.

Fields #

NameDescription
Class
__binLength
binary

Event ID 3221225478: The KDC failed to update the trusted domain list.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The KDC failed to update the trusted domain list. The error is in the data.

Message #

The KDC failed to update the trusted domain list. The error is in the data.

Event ID 3221225479: The Security Account Manager failed a KDC request in an unexpected way.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was and lookup type .

Message #

The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was %1 and lookup type %2.

Fields #

NameDescription
AccountName
LookupType
__binLength
binary

Event ID 3221225480: The account AccountName did not have a suitable key for generating a Kerberos ticket.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The account AccountName did not have a suitable key for generating a Kerberos ticket. If the encryption type is supported, changing or setting the password will generate a proper key. The missing key type may be in the data field.

Message #

The account %1 did not have a suitable key for generating a Kerberos ticket. If the encryption type is supported, changing or setting the password will generate a proper key.  The missing key type may be in the data field.

Fields #

NameDescription
AccountName
__binLength
binary

Event ID 3221225482: The attempt to change the password on the KRBTGT account failed.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The attempt to change the password on the KRBTGT account failed. The error code is in the data field.

Message #

The attempt to change the password on the KRBTGT account failed. The error code is in the data field

Event ID 3221225483: The KDC encountered duplicate names while processing a Kerberos authentication request.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is Name (of type Type). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occurring remove the duplicate entries for Name in Active Directory.

Message #

The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is %1 (of type %2). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occurring remove the duplicate entries for %1 in Active Directory.

Fields #

NameDescription
Name
Type
__binLength
binary

Event ID 3221225485: The account for Name has corrupt keys stored in the DS.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The account for has corrupt keys stored in the DS. Changing or setting the password should restore correct keys.

Message #

The account for %1 has corrupt keys stored in the DS. Changing or setting the password should restore correct keys.

Fields #

NameDescription
Name
__binLength
binary

Event ID 3221225486: While processing an AS request for target service Target, the account Account did not have a suitable key for generating a Kerberos ticket.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

While processing an AS request for target service Target, the account Account did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of ID). The requested etypes : RequestedEtypes. The accounts available etypes : AvailableEtypes. Changing or resetting the password of AccountToReset will generate a proper key.

Message #

While processing an AS request for target service %1, the account %2 did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of %3). The requested etypes : %4. The accounts available etypes : %5. Changing or resetting the password of %6 will generate a proper key.

Fields #

NameDescription
Target
Account
ID
RequestedEtypes
AvailableEtypes
AccountToReset
__binLength
binary

Event ID 3221225487: The request for an AS ticket for client Client was forwarded to the PDC.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

The request for an AS ticket for client Client was forwarded to the PDC. An invalid response to this forwarded request was detected and could indicate an attempt to spoof your PDC. There may be additional information in the data field.

Message #

The request for an AS ticket for client %1 was forwarded to the PDC. An invalid response to this forwarded request was detected and could indicate an attempt to spoof your PDC. There may be additional information in the data field.

Fields #

NameDescription
Client
__binLength
binary

Event ID 3221225488: While processing a TGS request for the target server Target, the account Account did not have a suitable key for generating a Kerberos ticket.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

While processing a TGS request for the target server Target, the account Account did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of ID). The requested etypes were RequestedEtypes. The accounts available etypes were AvailableEtypes. Changing or resetting the password of AccountToReset will generate a proper key.

Message #

While processing a TGS request for the target server %1, the account %2 did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of %3). The requested etypes were %4. The accounts available etypes were %5. Changing or resetting the password of %6 will generate a proper key.

Fields #

NameDescription
Target
Account
ID
RequestedEtypes
AvailableEtypes
AccountToReset
__binLength
binary

Event ID 3221225489: When updating policy class Class, the KDC encountered invalid policy data and has failed to update the policy.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

When updating policy class , the KDC encountered invalid policy data and has failed to update the policy.

Message #

When updating policy class %1, the KDC encountered invalid policy data and has failed to update the policy.

Fields #

NameDescription
Class
__binLength
binary

Event ID 3221225490: During TGS processing, the KDC was unable to verify the signature on the PAC from Name.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

During TGS processing, the KDC was unable to verify the signature on the PAC from . This indicates the PAC was modified.

Message #

During TGS processing, the KDC was unable to verify the signature on the PAC from %1. This indicates the PAC was modified.

Fields #

NameDescription
Name
__binLength
binary

Event ID 3221225498: While processing an AS request for target service Target, the account Name did not have a suitable key for generating a Kerberos ticket.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

While processing an AS request for target service Target, the account Name did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of ID). The requested etypes were RequestedEtypes. The accounts available etypes were AvailableETypes.

Message #

While processing an AS request for target service %1, the account %2 did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of %3). The requested etypes were %4. The accounts available etypes were %5.

Fields #

NameDescription
Target
Name
ID
RequestedEtypes
AvailableETypes
__binLength
binary

Event ID 3221225499: While processing a TGS request for the target server Target, the account Name did not have a suitable key for generating a Kerberos ticket.

#
Provider
Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel
Operational

Description

While processing a TGS request for the target server Target, the account Name did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of ID). The requested etypes were RequestedEtypes. The accounts available etypes were AvailableETypes.

Message #

While processing a TGS request for the target server %1, the account %2 did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of %3). The requested etypes were %4. The accounts available etypes were %5.

Fields #

NameDescription
Target
Name
ID
RequestedEtypes
AvailableETypes
__binLength
binary

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 3fd9da1a-5a54-46c5-9a26-9bd7c0685056

Defined in kdcsvc.dll, which carries the event manifest.

Observed on:

  • WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.4893, captured 2026-06-02

Downloads