Windows Server domain controller displaying Kerberos authentication service logs in a data center environment

Event ID 4112InformationMicrosoft-Windows-Security-KerberosWindows

Windows Event ID 4112 – Kerberos: Kerberos Authentication Service (AS) Started

Event ID 4112 indicates the Kerberos Authentication Service (AS) has successfully started on a domain controller, enabling authentication ticket granting for domain users and services.

Emanuel DE ALMEIDA

18 March 20269 min read 0

Event ID 4112Microsoft-Windows-Security-Kerberos 5 methods 9 min

Event Reference

What This Event Means

Event ID 4112 represents a successful initialization of the Kerberos Authentication Service on Windows domain controllers. The Kerberos AS is responsible for authenticating users and computers in Active Directory environments, issuing ticket-granting tickets that enable single sign-on across domain resources.

When a domain controller boots or the Kerberos service restarts, the AS component performs initialization checks including cryptographic key validation, realm configuration verification, and encryption algorithm setup. Event 4112 confirms this process completed successfully and the service is ready to handle authentication requests.

The event typically includes information about the Kerberos realm (usually matching your AD domain name), supported encryption types (AES256, AES128, RC4), and service principal names. This data helps administrators verify proper Kerberos configuration and troubleshoot authentication issues.

In multi-domain forests, each domain controller generates this event independently. Monitoring 4112 across all DCs provides visibility into authentication service availability and helps identify potential issues before they impact user logons or service authentication.

Applies to

Windows Server 2019Windows Server 2022Windows Server 2025

Analysis

Possible Causes

Domain controller startup or reboot completion
Manual restart of the Kerberos Key Distribution Center (KDC) service
Recovery from Kerberos service failure or crash
Application of Windows updates requiring service restart
Active Directory database recovery operations
Group Policy changes affecting Kerberos configuration
Network adapter or DNS configuration changes requiring service refresh

Resolution Methods

Troubleshooting Steps

Verify Event Details in Event Viewer

Start by examining the complete event details to understand the Kerberos service startup context.

Open Event Viewer on the domain controller
Navigate to Windows Logs → Security
Filter for Event ID 4112 using the filter option
Double-click the most recent 4112 event to view details
Review the General tab for realm information and encryption types
Check the Details tab for additional Kerberos configuration data

Look for the realm name (should match your domain), supported encryption algorithms, and any error codes. Normal events show successful initialization with multiple encryption types available.

Pro tip: Compare the encryption types listed with your domain's Kerberos policy to ensure proper algorithm support.

Query Events with PowerShell

Use PowerShell to retrieve and analyze Kerberos AS startup events across multiple domain controllers.

# Get recent Event ID 4112 entries
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4112} -MaxEvents 10

# Get detailed event information
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4112} -MaxEvents 5 | Format-List TimeCreated, Id, LevelDisplayName, Message

# Check for events in the last 24 hours
$StartTime = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4112; StartTime=$StartTime}

# Query multiple DCs (replace with your DC names)
$DCs = @('DC01', 'DC02', 'DC03')
foreach ($DC in $DCs) {
    Write-Host "Checking $DC..."
    Invoke-Command -ComputerName $DC -ScriptBlock {
        Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4112} -MaxEvents 1 -ErrorAction SilentlyContinue
    }
}

This approach helps identify patterns in Kerberos service startups and compare timing across domain controllers.

Verify Kerberos Service Status

Confirm the Kerberos Key Distribution Center service is running properly after seeing Event 4112.

# Check KDC service status
Get-Service -Name 'KDC' | Format-List Name, Status, StartType

# Verify service dependencies
Get-Service -Name 'KDC' -DependentServices
Get-Service -Name 'KDC' -RequiredServices

# Check service startup type and account
Get-WmiObject -Class Win32_Service -Filter "Name='KDC'" | Select Name, StartMode, StartName, State

# Review recent service events
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'} | Where-Object {$_.Message -like '*KDC*'} | Select TimeCreated, Id, LevelDisplayName, Message

Additionally, verify the service is listening on the correct ports:

# Check Kerberos ports (88 TCP/UDP, 464 TCP/UDP)
netstat -an | findstr :88
netstat -an | findstr :464

Warning: Never manually stop the KDC service on a production domain controller as it will break authentication for all domain users.

Analyze Kerberos Configuration

Review the domain's Kerberos configuration to ensure proper setup that corresponds with Event 4112 details.

# Check domain Kerberos policy settings
Get-ADDefaultDomainPasswordPolicy | Select KerberosEncryptionType, MaxPasswordAge, MinPasswordAge

# Review Kerberos-related Group Policy settings
Get-GPOReport -All -ReportType Html -Path C:\Temp\GPOReport.html

# Check domain functional level (affects Kerberos features)
Get-ADDomain | Select DomainMode, Forest
Get-ADForest | Select ForestMode

# Verify SPN registration for domain controllers
setspn -L $env:COMPUTERNAME

# Check for duplicate SPNs that could cause Kerberos issues
setspn -X

Review registry settings for Kerberos configuration:

# Check Kerberos registry settings
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' -ErrorAction SilentlyContinue

Examine the HKLM\SYSTEM\CurrentControlSet\Services\KDC registry key for service configuration and startup parameters.

Monitor Kerberos Health and Performance

Implement comprehensive monitoring to track Kerberos service health beyond just startup events.

# Create a monitoring script for Kerberos events
$Events = @(4112, 4768, 4769, 4771, 4625)
foreach ($EventID in $Events) {
    $Count = (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$EventID; StartTime=(Get-Date).AddHours(-1)} -ErrorAction SilentlyContinue).Count
    Write-Host "Event $EventID in last hour: $Count"
}

# Monitor authentication performance
Get-Counter -Counter '\Kerberos v5 AS Requests/sec', '\Kerberos v5 TGS Requests/sec' -SampleInterval 5 -MaxSamples 12

# Check for Kerberos errors
Get-WinEvent -FilterHashtable @{LogName='Security'; Level=2,3; StartTime=(Get-Date).AddDays(-1)} | Where-Object {$_.Message -like '*Kerberos*'}

Set up automated monitoring using Windows Task Scheduler or System Center Operations Manager to alert on missing 4112 events during expected startup times. Create a baseline of normal Kerberos service restart patterns to identify anomalies.

Pro tip: Use Performance Monitor to track Kerberos authentication counters alongside Event 4112 monitoring for comprehensive authentication service health visibility.

Overview

Event ID 4112 fires when the Kerberos Authentication Service (AS) successfully starts on a Windows domain controller. This event appears in the Security log during DC startup or when the Kerberos service restarts after maintenance. The AS component is critical for domain authentication, handling initial ticket-granting ticket (TGT) requests from domain clients.

This informational event confirms that your domain controller can process Kerberos authentication requests. You'll typically see this during planned reboots, service restarts, or after applying security updates. The event includes details about the Kerberos realm and encryption types supported by the service.

While this is a normal operational event, monitoring 4112 helps track DC availability and Kerberos service health. Missing or delayed 4112 events during startup may indicate authentication service issues that could impact domain logons across your environment.

Frequently Asked Questions

What does Event ID 4112 mean and when should I see it?+

Event ID 4112 indicates the Kerberos Authentication Service has successfully started on a domain controller. You should see this event during DC startup, after service restarts, or following Windows updates. It's a normal informational event that confirms your domain controller is ready to handle Kerberos authentication requests. The event appears in the Security log and includes details about the Kerberos realm and supported encryption types.

Should I be concerned if I don't see Event ID 4112 after a domain controller reboot?+

Yes, missing Event ID 4112 after a DC reboot could indicate Kerberos service startup issues. Check the System log for service-related errors, verify the KDC service status using Get-Service -Name 'KDC', and ensure no Group Policy or registry changes are preventing proper Kerberos initialization. Users may experience authentication failures if the Kerberos AS doesn't start correctly. Investigate immediately if this event is missing after expected startup times.

Can Event ID 4112 help troubleshoot domain authentication problems?+

Absolutely. Event 4112 confirms the Kerberos Authentication Service is operational, which is essential for domain authentication. If users report login issues, check for recent 4112 events to verify the AS is running. The event details show supported encryption types - mismatches between client and server encryption capabilities can cause authentication failures. Compare the realm information in the event with your domain configuration to identify potential issues.

How often should I expect to see Event ID 4112 in my environment?+

Event ID 4112 frequency depends on your maintenance schedule and system stability. Expect to see it during planned reboots, monthly patch cycles, or after applying Group Policy changes affecting Kerberos. In stable environments, you might see it weekly or monthly. Frequent 4112 events could indicate service instability, unexpected reboots, or configuration issues causing service restarts. Monitor the pattern to establish a baseline for your environment.

What encryption types should I see in Event ID 4112 for modern Windows environments?+

Modern Windows environments should show AES256-CTS-HMAC-SHA1-96 and AES128-CTS-HMAC-SHA1-96 as primary encryption types in Event 4112. You may also see RC4-HMAC for backward compatibility, but this should be disabled in high-security environments. Windows Server 2019 and later support these strong encryption algorithms by default. If you only see RC4 or DES encryption types, review your domain's Kerberos policy and consider updating legacy systems that might be forcing weaker encryption.

Documentation

References (2)

Microsoft Learn - Kerberos Authentication OverviewComprehensive guide to Kerberos authentication in Windows Server environments, including service configuration and troubleshooting.https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview

Microsoft Docs - Security Auditing EventsOfficial documentation covering Windows security events, including Kerberos authentication events and their meanings.https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview

Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Discussion

Share your thoughts and insights

You must be logged in to comment.

Loading comments...