Unlike the logon events described earlier in this appendix, the following security event messages track activity specifically in relation to Kerberos logon attempts, which require Active Directory.
Parameters: User name of client, domain name of client, SID of client, SID of service, ticket options, failure code, ticket encryption type, preauthentication type (such as PK_INIT), client IP address.
Configurable Information: Success
Formal name: SE_AUDITID_AS_TICKET_SUCCESS
This event occurs on the Key Distribution Center (KDC) when a Kerberos logon attempt takes place. One AS ticket is granted per logon session.
Parameters: User name of client, domain name of client, user name of service, SID of service, ticket options, ticket encryption type, client IP address.
Configurable Information: Success
Formal name: SE_AUDITID_TGS_TICKET_SUCCESS
This event occurs on the KDC and means that a user presented an AS ticket and was given a TGS ticket for some service.
Parameters: User name of client, domain name of client, user name of service, SID of service, ticket options, ticket encryption type, client IP address.
Configurable Information: Success
Formal name: SE_AUDITID_TICKET_RENEW_SUCCESS
This event occurs on the KDC. Currently it is caused only by non-Windows-based clients, because Windows-based clients do not renew tickets but reacquire them instead.
Parameters: User name of client, SID of client, user name of service, preauthentication type, failure code, client IP address.
Configurable Information: Success or Failure
Formal name: SE_AUDITID_PREAUTH_FAILURE
This event message is generated on the KDC for reasons such as the user typing in a wrong password, a large difference between the clock time on the client and the KDC, or a smart card logon error.
Parameters: User name of client, SID of client, user name of service, SID of service, preauthentication type, failure code, client IP address.
Configurable Information: Failure
Formal name: SE_AUDITID_TGS_TICKET_FAILURE
This audit occurs on the KDC.
Parameters: Source, client name, mapped name.
Configurable Information: Success
Formal name: SE_AUDITID_ACCOUNT_MAPPED
An account mapping is a map of a user authenticated in an MIT Kerberos realm to a domain account.
Parameters: Logon attempt by, logon account, source workstation, error code (if relevant).
Configurable Information: Success or Failure
Formal name: SE_AUDITID_ACCOUNT_LOGON
This audit appears on the domain controller or wherever the account exists. The following error codes are possible:
Unknown user name or bad password (1326)
Account logon time restriction violation (1328)
Account currently disabled (1331)
The specified user account has expired (1793)
User not allowed to log on at this computer (1329)
The user has not been granted the requested logon type at this computer (1327)
The specified account's password has expired (1330)
The Net Logon service is not active (1792)
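As an added example (not part of the original appendix), the following Python code triages account logon audit records by the error codes listed above, grouping them by source workstation. The record tuple layout, the finding names, and the threshold are assumptions made for illustration, and the sample records are constructed.

```python
from collections import defaultdict

# Error codes and meanings as listed above for SE_AUDITID_ACCOUNT_LOGON.
ERROR_CODES = {
    1326: "Unknown user name or bad password",
    1327: "The user has not been granted the requested logon type at this computer",
    1328: "Account logon time restriction violation",
    1329: "User not allowed to log on at this computer",
    1330: "The specified account's password has expired",
    1331: "Account currently disabled",
    1792: "The Net Logon service is not active",
    1793: "The specified user account has expired",
}
BAD_CREDENTIAL = 1326
DORMANT_ACCOUNT = {1331, 1793}  # disabled or expired accounts still being tried

def triage(records, threshold=3):
    """records: iterable of (logon_account, source_workstation, error_code)
    in time order (assumed layout); error_code is None for a successful logon.
    Returns a sorted list of (finding, source_workstation, detail) tuples."""
    bad_by_ws = defaultdict(set)  # workstation -> accounts that failed with 1326
    streak = defaultdict(int)     # (workstation, account) -> 1326 count since last success
    findings = set()
    for account, ws, code in records:
        key = (ws, account)
        if code is None:
            if streak[key] >= threshold:
                findings.add(("success-after-failures", ws, account))
            streak[key] = 0
        elif code == BAD_CREDENTIAL:
            streak[key] += 1
            bad_by_ws[ws].add(account)
        elif code in DORMANT_ACCOUNT:
            findings.add(("dormant-account-attempt", ws, f"{account}: {ERROR_CODES[code]}"))
        elif code not in ERROR_CODES:
            findings.add(("unlisted-error-code", ws, str(code)))
    for ws, accounts in bad_by_ws.items():
        if len(accounts) >= threshold:  # one workstation, many accounts
            findings.add(("many-accounts-bad-password", ws, ",".join(sorted(accounts))))
    return sorted(findings)

# Constructed sample records (not real log data).
SAMPLE = [
    ("alice", "WS-01", 1326), ("bob", "WS-01", 1326), ("carol", "WS-01", 1326),
    ("dave", "WS-02", 1326), ("dave", "WS-02", 1326), ("dave", "WS-02", 1326),
    ("dave", "WS-02", None), ("erin", "WS-03", 1331), ("frank", "WS-03", 1330),
    ("gina", "WS-04", 1326), ("gina", "WS-04", None),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```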
In each of these events, descriptive text gives detailed information about each specific logon attempt. Also, on Windows XP Professional you can enable success and failure auditing of the Account Logon category of events, which enables the following events:
Authentication ticket granted
Service ticket granted
Ticket renewed
Preauthentication failed
Authentication ticket request failed
Service ticket request failed
Account mapped for logon
Account could not be mapped for logging on
Account used for logging on
The following account logon events are included in Logon Events earlier in this appendix:
682 A user has reconnected to a disconnected terminal server session.
683 A user disconnected a terminal server session without logging off.