
Sudden disappearance of Windows Event 4768 following March 2017 MS Patches

I noticed that our domain controllers were no longer sending Security event 4768 (Kerberos authentication ticket was requested) following March 2017 Microsoft patches (e.g. KB4012213 or KB4012216). It seems as if Microsoft may have moved this event to a different audit policy that we had not enabled in our environment. Enabling Account Logon: Kerberos Service Ticket Operations resolved the issue - and indeed this seems like the most logical policy to associate with event 4768.

CORRECTION: The "Other Account Logon Events" Subcategory resolved the issue. Perhaps this was formerly tied to the Account Logon: Kerberos Authentication Service policy category.

When I did a cursory Google search on this issue I found only one relevant discussion (reddit).

Did anyone else notice this change?  Has Microsoft documented this change (if they did, we didn't notice in the release notes)?

1 Reply

It was actually the subcategory "Other Account Logon Events" and not "Kerberos Service Ticket Operations".

This setting can be found in group policy located under Computer Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Account Logon.
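A way to check both halves of what this thread describes on a domain controller: the effective Account Logon audit subcategories and whether event 4768 is still being written. This is an added example, not code from either poster; the function names are hypothetical, and it assumes an elevated PowerShell session on an English-language system (auditpol localizes category and setting names).

```powershell
# Added example: report effective Account Logon audit settings and recent 4768 volume.
# Assumption: elevated session on a domain controller, English-language OS.

function Get-AccountLogonAuditPolicy {
    # "auditpol /r" emits CSV with the columns: Machine Name, Policy Target,
    # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
    $raw = auditpol.exe /get /category:"Account Logon" /r
    $raw | Where-Object { $_.Trim() } | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Subcategory = $_.Subcategory
            Setting     = $_.'Inclusion Setting'
            Audited     = $_.'Inclusion Setting' -ne 'No Auditing'
        }
    }
}

function Get-RecentEventCount {
    param([int]$EventId = 4768, [int]$Hours = 1)
    $filter = @{
        LogName   = 'Security'
        Id        = $EventId
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; count that case as zero.
    (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Measure-Object).Count
}

# Effective policy on this machine (what is actually applied, not what the GPO says).
$policy = Get-AccountLogonAuditPolicy
$policy | Format-Table -AutoSize

$count = Get-RecentEventCount -EventId 4768 -Hours 1
"Event 4768 in the last hour: $count"

# A busy DC with no 4768 events and an unaudited subcategory matches the
# symptom reported in this thread.
if ($count -eq 0) {
    $off = $policy | Where-Object { -not $_.Audited }
    if ($off) {
        Write-Warning ("No 4768 events; subcategories not audited: " +
            ($off.Subcategory -join ', '))
    }
}
```

Running it before and after a patch cycle, or on a schedule, shows when the event stops arriving rather than leaving the gap to be discovered later in the SIEM.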
