Hi,
We have a Windows 2012 DC on a 2008 functional level.
Each Kerberos request is generating two 4769 events. The first one is missing the Logon GUID and Service ID and therefore fails.
A Kerberos service ticket was requested.

Account Information:
    Account Name:
    Account Domain:
    Logon GUID: {00000000-0000-0000-0000-000000000000}

Service Information:
    Service Name:
    Service ID: NULL SID

Network Information:
    Client Address: <ip_address>
    Client Port: <port_no>

Additional Information:
    Ticket Options: 0x40810000
    Ticket Encryption Type: 0xFFFFFFFF
    Failure Code: 0x1B
    Transited Services: -

The next event is also 4769:

Account Information:
    Account Name: <name>
    Account Domain: <domain>
    Logon GUID: {1027c6be-21cf-44dc-7c64-38eabfb2f614}

Service Information:
    Service Name: <service_name>
    Service ID: <service_id>

Network Information:
    Client Address: <ip_address>
    Client Port: <port_no>

Additional Information:
    Ticket Options: 0x40810008
    Ticket Encryption Type: 0x12
    Failure Code: 0x0
    Transited Services: -

Because of the Failure Code of 0x1B (means: KDC is unavailable), these events are interpreted as auth failures by the SIEM.
I've seen this question (https://social.technet.microsoft.com/Forums/windows/de-DE/3aea2937-b116-4a86-aebc-fc529452125d/event-4769-flooding-security-logs-2008r2) with a different Failure Code, but we have no clients earlier than 2008 in our network.
Maybe this is a client configuration error, because the first event has no valid Logon GUID and Service ID.
Has anyone had the same problem and been able to solve it?
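
One way a SIEM rule could tell the paired events above apart from standalone failures, as an added example that is not part of the original post: it parses the 4769 message text and labels a failure with an empty account and null Logon GUID as a precursor when a success from the same client address follows within a short window, instead of counting it as an authentication failure. The 2-second window, the function names, and the sample address, port, account, service and timestamps are assumptions constructed for illustration.

```python
import re

# Field and section labels of Security event 4769 as they appear in the post.
FIELDS = ["Account Name", "Account Domain", "Logon GUID", "Service Name",
          "Service ID", "Client Address", "Client Port", "Ticket Options",
          "Ticket Encryption Type", "Failure Code", "Transited Services"]
SECTIONS = ["Account Information", "Service Information",
            "Network Information", "Additional Information"]
LABEL_RE = re.compile("(" + "|".join(FIELDS + SECTIONS) + "):")
NULL_GUID = "{00000000-0000-0000-0000-000000000000}"
# Kerberos error names from RFC 4120 (0x1B is decimal 27, 0x1D is decimal 29).
KRB_ERRORS = {0: "KDC_ERR_NONE", 0x1B: "KDC_ERR_MUST_USE_USER2USER",
              0x1D: "KDC_ERR_SVC_UNAVAILABLE"}

def parse_4769(text):
    """Split flattened 4769 message text into {label: value}; empty values stay ''."""
    hits = list(LABEL_RE.finditer(text))
    event = {}
    for cur, nxt in zip(hits, hits[1:] + [None]):
        if cur.group(1) in FIELDS:
            event[cur.group(1)] = text[cur.end():nxt.start() if nxt else None].strip()
    return event

def classify(records, window=2.0):
    """records: (epoch_seconds, message) in log order. Returns (label, error_name) per
    event; label is 'success', 'precursor' (see lead-in) or 'failure'."""
    events = [(ts, parse_4769(msg)) for ts, msg in records]
    out = []
    for i, (ts, ev) in enumerate(events):
        code = int(ev["Failure Code"], 16)
        anonymous = ev["Account Name"] == "" and ev["Logon GUID"] == NULL_GUID
        followed = any(t - ts <= window and int(e["Failure Code"], 16) == 0 and
                       e["Client Address"] == ev["Client Address"] for t, e in events[i + 1:])
        label = "success" if code == 0 else "precursor" if anonymous and followed else "failure"
        out.append((label, KRB_ERRORS.get(code, hex(code))))
    return out

# Constructed sample modelled on the two events in the post (addresses, names, times invented).
TMPL = ("A Kerberos service ticket was requested. Account Information: Account Name: {a} "
        "Account Domain: {d} Logon GUID: {g} Service Information: Service Name: {s} "
        "Service ID: {sid} Network Information: Client Address: {ip} Client Port: 49200 "
        "Additional Information: Ticket Options: 0x40810000 Ticket Encryption Type: {e} "
        "Failure Code: {f} Transited Services: -")
FAIL = dict(a="", d="", g=NULL_GUID, s="", sid="NULL SID", e="0xFFFFFFFF", f="0x1B")
OK = dict(a="alice@EXAMPLE.LOCAL", d="EXAMPLE.LOCAL", s="FILESRV$", sid="EXAMPLE\\FILESRV$",
          g="{1027c6be-21cf-44dc-7c64-38eabfb2f614}", e="0x12", f="0x0")
SAMPLE = [(100.0, TMPL.format(ip="192.0.2.10", **FAIL)),   # precursor of the next event
          (100.1, TMPL.format(ip="192.0.2.10", **OK)),
          (130.0, TMPL.format(ip="192.0.2.77", **FAIL))]   # no success follows: stays a failure
```

Calling `classify(SAMPLE)` labels the three constructed events as precursor, success and failure; the precursor is kept and tagged rather than dropped, so it can still be counted or reviewed separately.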