Account Logon Events


Unlike the logon events described earlier in this appendix, the following security event messages track activity specifically in relation to Kerberos logon attempts, which require Active Directory.

672 An authentication service (AS) ticket was successfully issued and validated.

Parameters: User name of client, domain name of client, SID of client, SID of service, ticket options, failure code, ticket encryption type, preauthentication type (such as PK_INIT), client IP address.

Configurable Information: Success

Formal name: SE_AUDITID_AS_TICKET_SUCCESS

This event occurs on the Key Distribution Center (KDC) when a Kerberos logon attempt takes place. One AS ticket is granted per logon session.

673 A ticket granting service (TGS) ticket was granted.

Parameters: User name of client, domain name of client, user name of service, SID of service, ticket options, ticket encryption type, client IP address.

Configurable Information: Success

Formal name: SE_AUDITID_TGS_TICKET_SUCCESS

This event occurs on the KDC and means that a user presented an AS ticket and was given a TGS ticket for some service.

674 A principal renewed an AS ticket or TGS ticket.

Parameters: User name of client, domain name of client, user name of service, SID of service, ticket options, ticket encryption type, client IP address.

Configurable Information: Success

Formal name: SE_AUDITID_TICKET_RENEW_SUCCESS

This event occurs on the KDC and is currently only caused by non-Windows-based clients because Windows-based clients do not renew tickets, but reacquire them instead.

675 Preauthentication failed.

Parameters: User name of client, SID of client, user name of service, preauthentication type, failure code, client IP address.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_PREAUTH_FAILURE

This event message is generated on the KDC for reasons such as the user typing in a wrong password, a large difference between the clock time on the client and the KDC, or a smart card logon error.

677 A TGS ticket was not granted.

Parameters: User name of client, SID of client, user name of service, SID of service, preauthentication type, failure code, client IP address.

Configurable Information: Failure

Formal name: SE_AUDITID_TGS_TICKET_FAILURE

This audit occurs on the KDC.

678 An account was successfully mapped to a domain account.

Parameters: Source, client name, mapped name.

Configurable Information: Success

Formal name: SE_AUDITID_ACCOUNT_MAPPED

An account mapping is a map of a user authenticated in an MIT Kerberos realm to a domain account.

681 A domain account logon attempt was made.

Parameters: Logon attempt by, logon account, source workstation, error code, if relevant.

Configurable Information: Success or Failure

Formal name: SE_AUDITID_ACCOUNT_LOGON

This audit appears on the domain controller or wherever the account exists. The following error codes are possible:

  • Unknown user name or bad password (1326)

  • Account logon time restriction violation (1328)

  • Account currently disabled (1331)

  • The specified user account has expired (1793)

  • User not allowed to log on at this computer (1329)

  • The user has not been granted the requested logon type at this computer (1327)

  • The specified account's password has expired (1330)

  • The Net Logon service is not active (1792)

In each of these events, descriptive text gives detailed information about each specific logon attempt. Also, on Windows XP Professional you can enable success and failure auditing of the Account Logon category of events, which enables the following events:

  • Authentication ticket granted

  • Service ticket granted

  • Ticket renewed

  • Preauthentication failed

  • Authentication ticket request failed

  • Service ticket request failed

  • Account mapped for logon

  • Account could not be mapped for logging on

  • Account used for logging on

The following account logon events are included in Logon Events earlier in this appendix:

682 A user has reconnected to a disconnected terminal server session.

683 A user disconnected a terminal server session without logging off.
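The following added example (not part of the Resource Kit text) shows one way to triage the failure events above: it counts event 675 and event 681 with error 1326 per account and per source, and separates the remaining 681 error codes into policy and service causes. The record field names (`id`, `user`, `source`, `error`), the grouping of error codes, and the thresholds are assumptions of this example, and the sample records are constructed.

```python
from collections import defaultdict

# Event 681 error codes from the list above. The grouping into three kinds
# is an assumption of this example, not something the source text defines.
KIND_681 = {1326: "auth_failure", 1792: "service_fault",
            **{c: "policy_block" for c in (1327, 1328, 1329, 1330, 1331, 1793)}}

def classify(ev):
    """Map one record to 'auth_failure', 'policy_block', 'service_fault' or None."""
    if ev["id"] == 675:
        # 675 is also raised by clock skew or smart card errors: treat hits as leads.
        return "auth_failure"
    if ev["id"] == 681:
        return KIND_681.get(ev.get("error"))  # 681 with no error code is a success
    return None  # 672, 673, 674 and 678 are success events and are ignored here

def review(events, per_account=3, per_source=3):
    """Summarise failures: repeated failures per account, many accounts per source."""
    by_account = defaultdict(int)
    by_source = defaultdict(set)
    policy, service = [], 0
    for ev in events:
        kind = classify(ev)
        if kind == "auth_failure":
            by_account[ev["user"]] += 1
            by_source[ev["source"]].add(ev["user"])
        elif kind == "policy_block":
            policy.append((ev["user"], ev["error"]))
        elif kind == "service_fault":
            service += 1
    return {
        "guessed_accounts": sorted(u for u, n in by_account.items() if n >= per_account),
        "spraying_sources": sorted(s for s, us in by_source.items() if len(us) >= per_source),
        "policy_blocks": policy,
        "service_faults": service,
    }

# Constructed sample records (hypothetical field names, not real log output).
SAMPLE = [
    {"id": 675, "user": "alice", "source": "10.0.0.5"},
    {"id": 681, "user": "alice", "source": "WS01", "error": 1326},
    {"id": 675, "user": "alice", "source": "10.0.0.5"},
    {"id": 681, "user": "bob", "source": "WS09", "error": 1326},
    {"id": 681, "user": "carol", "source": "WS09", "error": 1326},
    {"id": 681, "user": "dave", "source": "WS09", "error": 1326},
    {"id": 681, "user": "erin", "source": "WS02", "error": 1331},
    {"id": 672, "user": "frank", "source": "10.0.0.7"},
]
```

Calling `review(SAMPLE)` reports one account with repeated failures, one source failing against several accounts, and one disabled-account attempt that needs an administrative answer rather than a credential investigation.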




Microsoft Windows XP Professional Resource Kit 2003
Year: 2005
Pages: 338
