Posted on 11-07-2016 04:23 PM
This might be a long shot. In our environment, we have ~600 Macs in Active Directory.
In less than 2 hours, our Splunk auditing logs are reporting over 16,000 events of "Kerberos pre-authentication failed". Microsoft event code 4771, failure 0x18. The log is going against the computer object, not the user.
I know for Windows machines, they automatically contact Active Directory and change their computer passwords. I'm wondering if the Macs are failing to do so and are somehow generating these errors. Any Active Directory and Mac experts out there that have any insight?
Posted on 11-08-2016 05:07 AM
@bbot You are not alone. Here is the main thread for the discussion around this known issue.
Posted on 11-08-2016 08:18 AM
Does Ticket Viewer show any old, expired Kerberos tickets or anything strange like 60 tickets per system?
Posted on 11-08-2016 01:20 PM
@Matt.Ellis I haven't gotten a chance to take a look at a workstation and this hasn't been affecting any of my test machines.
@mlavine My issue is a bit different. The user accounts aren't getting locked out. It's saying that the computer object is trying a failed login attempt. In the past hour, over 16,000 events.
Here's an example below of what I'm seeing.
11/08/2016 12:54:34 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4771
EventType=0
host DOMAIN CONTROLLER
source WinEventLog:Security
sourcetype WinEventLog:Security Event
Account_Name c02p6098fvh9$
Client_Address ::ffff:10.32.XXX.X
Client_Port 57463
ComputerName DOMAIN CONTROLLER.us
EventCode 4771
EventType 0
Failure_Code 0x18
Keywords Audit Failure
LogName Security
Message Kerberos pre-authentication failed. Account Information: Security ID: CORPc02p6098fvh9$ Account Name: c02p6098fvh9$ Service Information: Service Name: krbtgt/XXXXXXX Network Information: Client Address: ::ffff:10.32.XXX.X Client Port: 57463 Additional Information: Ticket Options: 0x40000000 Failure Code: 0x18 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options and failure codes are defined in RFC 4120. If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
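Added example, not part of the original thread: one way to triage the event shown above is to group 4771 failures with code 0x18 by account type, account and client address, so computer objects (names ending in `$`) are separated from user accounts and the noisiest hosts stand out. The field names follow the Splunk extraction in the post; the sample records, host names and addresses are constructed, and the blank-line-separated input layout is an assumption.

```python
import ipaddress
from collections import Counter

# Constructed sample records ("Field Value" lines, blank line between events).
SAMPLE = """\
EventCode 4771
Account_Name MAC-LAB-01$
Client_Address ::ffff:10.0.0.21
Failure_Code 0x18

EventCode 4771
Account_Name jdoe
Client_Address ::ffff:10.0.XXX.X
Failure_Code 0x18

EventCode 4771
Account_Name mac-lab-01$
Client_Address ::ffff:10.0.0.21
Failure_Code 0x12
"""

def parse_events(text):
    """Split blank-line separated records into dicts of field -> value."""
    events = []
    for block in text.strip().split("\n\n"):
        pairs = (line.split(None, 1) for line in block.splitlines())
        events.append({p[0]: p[1].strip() for p in pairs if len(p) == 2})
    return events

def normalize_client(addr):
    """Map an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to plain IPv4."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr  # redacted or malformed value: keep it verbatim
    mapped = getattr(ip, "ipv4_mapped", None)
    return str(mapped if mapped is not None else ip)

def summarize(events, failure_code=0x18):
    """Count 4771 events with one failure code per (kind, account, client).

    0x18 is KDC_ERR_PREAUTH_FAILED (RFC 4120 error 24).
    """
    counts = Counter()
    for ev in events:
        if ev.get("EventCode") != "4771" or int(ev.get("Failure_Code", "0"), 16) != failure_code:
            continue
        name = ev.get("Account_Name", "?").lower()
        kind = "computer" if name.endswith("$") else "user"
        counts[(kind, name, normalize_client(ev.get("Client_Address", "?")))] += 1
    return counts
```

`summarize(parse_events(text)).most_common(20)` lists the accounts and clients generating the most failures.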
Posted on 12-05-2016 12:06 PM
I am getting the same thing here too - Kerberos pre-authentication failed 4771. On Sierra Ma
Seems to be random and/or we don't know the reasoning why yet. Any more info would be appreciated.