Service Ticket Request: User Name: %1 User Domain: %2 Service Name: %3 Service ID: %4 Ticket Options: %5 Ticket Encryption Type: %6 Client Address: %7 Failure Code: %8 Logon GUID: %9 Transited Services: %10

Details
Product: Windows Operating System
Event ID: 673
Source: Security
Version: 5.0
Symbolic Name: SE_AUDITID_TGS_TICKET_REQUEST
Message: Service Ticket Request: User Name: %1 User Domain: %2 Service Name: %3 Service ID: %4 Ticket Options: %5 Ticket Encryption Type: %6 Client Address: %7 Failure Code: %8 Logon GUID: %9 Transited Services: %10
   
Explanation

This message indicates that the domain controller either issued or failed to issue a Kerberos service ticket. The following list describes the types of information displayed in the individual message fields.

The User Name field displays the name of the user who requested the service ticket or the name of the user for whom the ticket was requested.

The Service Name field displays the service to which access was requested.

The Ticket Options field displays a number representing the Key Domain Controller (KDC) Option flags that were used or requested when the ticket was issued. KDC Option flags include information such as whether a ticket can be forwarded or renewed. The number in the Ticket Options field is a bit mask, and each bit is defined by the Internet Engineering Task Force in Request for Comments (RFC) 1510.

The Ticket Encryption Type field displays the code for the Kerberos encryption type (etype) used on the ticket request. The Internet Engineering Task Force defined four universal encryption types, which are included in the following list. In addition, there are Microsoft-specific encryption types.

Code  Ticket Encryption Type
0     Null
1     des-cbc-crc
2     des-cbc-md4
3     des-cbc-md5
Microsoft-specific etypes:
23    rc4-hmac (NT one-way function)
24    rc4-hmac-exp (NT OWF for export)

The Client Address field displays the IP address of the computer that sent the Ticket Granting Service (TGS) request. If the request was made locally, then the address will be listed as 127.0.0.1.

The Failure Code field displays the Kerberos error code for the reason that the domain controller was unable to issue the service ticket. Kerberos error codes are defined in RFC 1510. The most common failure code is 24 (0x18, pre-authentication failed), which means that the user or service requesting the ticket supplied an incorrect password. Failure code 12 (0xC) means that the logon was disallowed by policy, such as account expired, disabled or locked out, logon hour violation, or logon workstation restriction.

The Logon GUID field displays a unique number that can be used to correlate the ticket request event with a Logon/Logoff event on the computer where the requested service resides. For successful logons, compare the value with the corresponding value in the Security 540 event on the computer where the requested service resides.

The Transited Services field displays an ordered list of services or applications through which the user’s credentials have been authenticated by means of constrained delegation.

If any of these fields are blank or contain a hyphen (-), then that information either was not available at the time the event was logged, or does not apply to this specific ticket request.
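The coded fields described above (Ticket Options, Ticket Encryption Type, Failure Code) can be decoded mechanically when reviewing these events. The following Python is an added example, not part of the original documentation; the "Field: value" layout of the sample text, the function names and all sample values are assumptions constructed for illustration. Bits that RFC 1510 does not name are reported by number rather than guessed.

```python
import re

# KDCOptions bits from RFC 1510 section 5.4.1; ASN.1 bit 0 is the most
# significant bit of the 32-bit mask shown in the event.
KDC_OPTIONS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
               5: "allow-postdate", 6: "postdated", 8: "renewable",
               27: "renewable-ok", 28: "enc-tkt-in-skey", 30: "renew",
               31: "validate"}
# Encryption types and failure codes as listed on this page.
ETYPES = {0: "Null", 1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          23: "rc4-hmac", 24: "rc4-hmac-exp"}
FAILURES = {24: "pre-authentication failed", 12: "logon disallowed by policy"}

# Constructed sample description; every value is made up for illustration.
SAMPLE = """Service Ticket Request:
    User Name: alice@EXAMPLE.LOCAL
    Service Name: FILESRV$
    Ticket Options: 0x40810010
    Ticket Encryption Type: 0x17
    Client Address: 192.0.2.10
    Failure Code: -
"""

def num(value):
    """int for '0x17' or '23'; None for blank or '-' (not available)."""
    value = (value or "").strip()
    return None if value in ("", "-") else int(value, 0)

def decode_options(mask):
    """Names of the set bits; bits RFC 1510 does not name become 'bit N'."""
    return [KDC_OPTIONS.get(bit, f"bit {bit}")
            for bit in range(32) if mask & (1 << (31 - bit))]

def parse_673(text):
    """Split 'Field: value' lines and decode the three coded fields."""
    f = dict(re.findall(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*?)[ \t\r]*$", text, re.M))
    opts, etype, fail = (num(f.get(k)) for k in
                         ("Ticket Options", "Ticket Encryption Type", "Failure Code"))
    return {
        "user": f.get("User Name"), "service": f.get("Service Name"),
        "client": f.get("Client Address"),
        "options": [] if opts is None else decode_options(opts),
        "etype": None if etype is None else ETYPES.get(etype, f"unlisted ({etype})"),
        # Assumption: a blank or '-' Failure Code means the ticket was issued.
        "failure": None if fail is None else FAILURES.get(fail, f"code {fail}"),
    }
```
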

   
User Action

No user action is required. For more information about the Kerberos protocol, refer to RFC 1510 at the Internet Engineering Task Force Web site at: http://www.ietf.org.
