Macs & Active Directory Kerberos errors

bbot
Contributor

This might be a long shot. In our environment, we have ~600 Macs in Active Directory.
In less than 2 hours, our Splunk auditing logs are reporting over 16,000 events of "Kerberos pre-authentication failed". Microsoft event code 4771, failure 0x18. The log is going against the computer object, not the user.

I know for Windows machines, they automatically contact Active Directory and change their computer passwords. I'm wondering if the Macs are failing to do so and are somehow generating these errors. Any Active Directory and Mac experts out there that have any insight?


mlavine
Contributor

@bbot You are not alone. Here is the main thread for the discussion around this known issue.

Sierra AD Account Lockout When Setting Up iCloud

Matt_Ellis
Contributor II

Does Ticket Viewer show any old, expired Kerberos tickets or anything strange like 60 tickets per system?

bbot
Contributor

@Matt.Ellis I haven't gotten a chance to take a look at a workstation and this hasn't been affecting any of my test machines.

@mlavine My issue is a bit different. The user accounts aren't getting locked out. It's saying that the computer object is trying a failed login attempt. In the past hour, over 16,000 events.

Here's an example below of what I'm seeing.

11/08/2016 12:54:34 PM
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4771
EventType=0

host DOMAIN CONTROLLER

source WinEventLog:Security

sourcetype WinEventLog:Security Event

Account_Name c02p6098fvh9$

Client_Address ::ffff:10.32.XXX.X

Client_Port 57463

ComputerName DOMAIN CONTROLLER.us

EventCode 4771

EventType 0

Failure_Code 0x18

Keywords Audit Failure

LogName Security

Message Kerberos pre-authentication failed. Account Information: Security ID: CORPc02p6098fvh9$ Account Name: c02p6098fvh9$ Service Information: Service Name: krbtgt/XXXXXXX Network Information: Client Address: ::ffff:10.32.XXX.X Client Port: 57463 Additional Information: Ticket Options: 0x40000000 Failure Code: 0x18 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: Certificate information is only provided if a certificate was used for pre-authentication. Pre-authentication types, ticket options and failure codes are defined in RFC 4120. If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
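
For triaging a flood like the one posted above, this added example (not code from the thread or from any participant) parses the flattened 4771 Message text, normalizes the `::ffff:` IPv4-mapped client address, and counts 0x18 failures per computer account so the noisy machines and their source addresses stand out. The host names, addresses, threshold and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Subset of RFC 4120 error codes as they appear in the Failure Code field.
FAILURE_CODES = {0x12: "KDC_ERR_CLIENT_REVOKED", 0x17: "KDC_ERR_KEY_EXPIRED",
                 0x18: "KDC_ERR_PREAUTH_FAILED"}

FIELD_RE = re.compile(
    r"Account Name:\s*(?P<account>\S+).*?"
    r"Client Address:\s*(?P<client>\S+).*?"
    r"Failure Code:\s*(?P<code>0x[0-9A-Fa-f]+).*?"
    r"Pre-Authentication Type:\s*(?P<patype>\d+)", re.S)

def parse_4771(message):
    """Extract the fields of interest from one flattened 4771 Message string."""
    m = FIELD_RE.search(message)
    if m is None:
        return None  # damaged event: the event text warns fields may be absent
    client = m["client"]
    try:
        addr = ipaddress.ip_address(client)
        client = str(addr.ipv4_mapped or addr) if addr.version == 6 else str(addr)
    except ValueError:
        pass  # redacted or malformed address: keep the raw string
    code = int(m["code"], 16)
    return {"account": m["account"].lower(), "client": client,
            "is_machine": m["account"].endswith("$"),  # computer accounts end in $
            "failure": FAILURE_CODES.get(code, hex(code)),
            "patype": int(m["patype"])}  # 2 = PA-ENC-TIMESTAMP

def noisy_machine_accounts(messages, threshold):
    """Count 0x18 failures per (computer account, client); keep those >= threshold."""
    hits = Counter()
    for msg in messages:
        ev = parse_4771(msg)
        if ev and ev["is_machine"] and ev["failure"] == "KDC_ERR_PREAUTH_FAILED":
            hits[(ev["account"], ev["client"])] += 1
    return {key: n for key, n in hits.items() if n >= threshold}

# Constructed sample events (hypothetical hosts, documentation-range addresses).
_T = ("Kerberos pre-authentication failed. Account Information: Security ID: X "
      "Account Name: {a} Service Information: Service Name: krbtgt/EXAMPLE "
      "Network Information: Client Address: {c} Client Port: 50000 Additional "
      "Information: Ticket Options: 0x40000000 Failure Code: {f} "
      "Pre-Authentication Type: 2")
SAMPLE = ([_T.format(a="mac-001$", c="::ffff:192.0.2.10", f="0x18")] * 3
          + [_T.format(a="jdoe", c="::ffff:192.0.2.11", f="0x18"),
             _T.format(a="mac-002$", c="192.0.2.12", f="0x12"),
             "Kerberos pre-authentication failed. (truncated)"])
```

A computer account that repeats 0x18 from a single client address points at that machine's stored credential, while the same account failing from several addresses is worth checking for duplicate or re-imaged hosts.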

bwiessner
Contributor II

@bbot

I am getting the same thing here too - Kerberos pre-authentication failed 4771. On Sierra Ma

Seems to be random, and/or we don't know the reasoning why yet. Any more info would be appreciated.