
Windows Event ID 4771 – Microsoft-Windows-Security-Auditing: Kerberos Pre-authentication Failed

Event ID 4771 indicates a Kerberos pre-authentication failure, typically caused by incorrect passwords, expired accounts, or time synchronization issues between client and domain controller.

Emanuel DE ALMEIDA
18 March 2026, 12 min read

What This Event Means

Event ID 4771 represents a critical security audit event that occurs when Kerberos pre-authentication fails on a Windows domain controller. The Kerberos protocol requires clients to prove knowledge of their password through pre-authentication before the Key Distribution Center (KDC) issues authentication tickets. When this initial verification fails, the domain controller logs this event with detailed information about the failure.

The event contains several important fields including the account name that failed authentication, the client's IP address, the failure code indicating the specific reason for failure, and the certificate information if certificate-based authentication was attempted. Common failure codes include 0x18 (bad password), 0x12 (account disabled), 0x17 (password expired), and 0x25 (clock skew too great).

From a security perspective, Event ID 4771 serves as an early warning system for potential attacks. Multiple 4771 events from the same source IP targeting different accounts may indicate a password spray attack, while repeated failures against a single account could suggest a brute force attempt. Security teams often configure SIEM systems to alert on patterns of these events to detect malicious activity before accounts become compromised.

The event also plays a crucial role in troubleshooting legitimate authentication issues. When users report login problems, examining 4771 events helps administrators quickly identify whether the issue stems from incorrect passwords, account lockouts, expired credentials, or infrastructure problems like time synchronization issues between clients and domain controllers.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Incorrect password entries - Users typing wrong passwords or using outdated credentials
  • Account lockouts - Accounts disabled due to multiple failed login attempts or administrative action
  • Expired passwords - User passwords that have exceeded the domain password policy maximum age
  • Time synchronization issues - Clock skew between client and domain controller exceeding the maximum tolerance (typically 5 minutes)
  • Disabled user accounts - Accounts that have been administratively disabled or are inactive
  • Password spray attacks - Malicious actors attempting common passwords against multiple accounts
  • Brute force attacks - Repeated login attempts against specific accounts with different passwords
  • Service account issues - Automated services using incorrect or expired credentials
  • Certificate authentication failures - Smart card or certificate-based authentication problems
  • Network connectivity problems - Intermittent network issues causing authentication timeouts
Resolution Methods

Troubleshooting Steps

01

Analyze Event Details in Event Viewer

Start by examining the specific details of Event ID 4771 to understand the failure reason and affected account.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > Security
  3. Filter for Event ID 4771 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 4771 in the Event IDs field and click OK
  5. Double-click on recent 4771 events to examine the details
  6. Note the Account Name, Client Address, and Failure Code in the event description
  7. Cross-reference the failure code: 0x18 (bad password), 0x12 (account disabled), 0x17 (password expired), 0x25 (clock skew)
Pro tip: Use the failure code to quickly identify the root cause. Code 0x18 indicates password issues, while 0x25 points to time synchronization problems.
02

Query Events with PowerShell for Pattern Analysis

Use PowerShell to analyze patterns in 4771 events and identify potential security threats or systematic issues.

  1. Open PowerShell as Administrator
  2. Query recent 4771 events with detailed information:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4771} -MaxEvents 100 | 
Select-Object TimeCreated, @{Name='Account';Expression={$_.Properties[0].Value}}, 
@{Name='ClientAddress';Expression={$_.Properties[6].Value}}, 
@{Name='FailureCode';Expression={$_.Properties[4].Value}} | 
Format-Table -AutoSize
  3. Identify patterns by grouping events by client address:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4771} -MaxEvents 500 | 
Group-Object @{Expression={$_.Properties[6].Value}} | 
Sort-Object Count -Descending | 
Select-Object Name, Count | Format-Table
  4. Check for potential password spray attacks by analyzing account distribution:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4771} -MaxEvents 1000 | 
Group-Object @{Expression={$_.Properties[0].Value}} | 
Where-Object {$_.Count -gt 5} | 
Sort-Object Count -Descending
Warning: High event counts from single IP addresses may indicate malicious activity. Investigate immediately and consider blocking suspicious IPs.
03

Verify Account Status and Password Policy

Check the affected user account status and verify password policy compliance to resolve authentication issues.

  1. Open Active Directory Users and Computers (dsa.msc)
  2. Locate the affected user account mentioned in the 4771 event
  3. Right-click the account and select Properties
  4. Check the Account tab for account status:
    • Verify Account is disabled is unchecked
    • Check if Account is locked out and unlock if necessary
    • Review Account expires settings
  5. Examine password settings on the Account tab:
    • Note if User must change password at next logon is checked
    • Check Password never expires status
  6. Use PowerShell to check account details programmatically:
Get-ADUser -Identity "username" -Properties PasswordLastSet, PasswordExpired, 
LockedOut, Enabled, AccountExpirationDate | 
Select-Object Name, Enabled, LockedOut, PasswordExpired, PasswordLastSet, AccountExpirationDate
  7. Reset the password if needed (prompting for it keeps the new password out of the shell history and script files):
Set-ADAccountPassword -Identity "username" -Reset -NewPassword (Read-Host -AsSecureString "New password")
Set-ADUser -Identity "username" -ChangePasswordAtLogon $true
04

Check Time Synchronization and Network Connectivity

Resolve time synchronization issues and network problems that can cause Kerberos pre-authentication failures.

  1. Check time synchronization on the client machine experiencing authentication issues:
w32tm /query /status
w32tm /query /peers
  2. Compare client time with domain controller time:
$DCTime = Invoke-Command -ComputerName "DC01" -ScriptBlock {Get-Date}
$LocalTime = Get-Date
$TimeDiff = [math]::Abs(($DCTime - $LocalTime).TotalMinutes)   # skew in either direction breaks Kerberos
Write-Host "Time difference: $TimeDiff minutes"
  3. Force time synchronization if the difference exceeds 5 minutes:
w32tm /resync /force
  4. Test network connectivity to the domain controller:
Test-NetConnection -ComputerName "DC01.domain.com" -Port 88
Test-NetConnection -ComputerName "DC01.domain.com" -Port 389
  5. Verify Kerberos service availability:
nslookup -type=SRV _kerberos._tcp.domain.com
nltest /dsgetdc:domain.com
  6. Clear the Kerberos ticket cache on the client if time sync was corrected:
klist purge
klist tickets
Pro tip: Configure NTP properly on all domain members to prevent recurring time synchronization issues that cause authentication failures.
05

Implement Advanced Monitoring and Security Response

Set up comprehensive monitoring for Event ID 4771 to detect security threats and automate response procedures.

  1. Create a custom Event Viewer view for 4771 monitoring:
    • In Event Viewer, right-click Custom Views and select Create Custom View
    • Set Event Level to Warning and Event IDs to 4771
    • Add event sources: Microsoft-Windows-Security-Auditing
    • Save as "Kerberos Pre-auth Failures"
  2. Configure Windows Event Forwarding for centralized monitoring:
winrm quickconfig
wecutil cs subscription.xml
  3. Create a PowerShell script for automated threat detection:
# Monitor for potential password spray attacks
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4771; StartTime=(Get-Date).AddHours(-1)}
$SuspiciousIPs = $Events | Group-Object @{Expression={$_.Properties[6].Value}} | 
Where-Object {$_.Count -gt 10}

foreach ($IP in $SuspiciousIPs) {
    Write-Warning "Suspicious activity from IP: $($IP.Name) with $($IP.Count) failed attempts"
    # Add IP blocking logic here
}
  4. Set up a scheduled task for regular monitoring:
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Monitor4771.ps1"
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15)
Register-ScheduledTask -TaskName "Monitor Kerberos Failures" -Action $Action -Trigger $Trigger
  5. Configure audit policy for comprehensive logging:
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
Warning: High-volume 4771 events can impact log storage. Implement log rotation and archiving strategies for long-term retention.
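The grouping queries of step 02 and the detection script of step 05 both count raw events; the function below, added here as an example and not part of the original article, turns those counts into a classification: it decodes the Status field with the names the FAQ lists, keeps only genuine password failures (0x18) so that clock-skew and disabled-account noise cannot trip the thresholds, and reports spray (one client, many accounts) and brute-force (one account, many tries) shapes separately. The function name, the thresholds and the sample records are assumptions constructed for an offline run.

```powershell
# Added example (not the article's code): classifies 4771 records using the same property
# indices as the article's queries ([0] TargetUserName, [4] Status, [6] IpAddress).
$StatusNames = @{
    0x06 = 'KDC_ERR_C_PRINCIPAL_UNKNOWN'   # account does not exist
    0x12 = 'KDC_ERR_CLIENT_REVOKED'        # account disabled or locked out
    0x17 = 'KDC_ERR_KEY_EXPIRED'           # password expired
    0x18 = 'KDC_ERR_PREAUTH_FAILED'        # wrong password: the only code that is a guess
    0x25 = 'KDC_ERR_CLOCK_SKEW_TOO_GREAT'  # time sync problem, not a credential problem
}
function Get-Kerb4771Pattern {
    param([Parameter(Mandatory)] $Events,
          [int]$SprayAccounts = 5,       # distinct accounts from one client => password spray
          [int]$BruteForceTries = 10)    # attempts against one account => brute force
    # Status is a UInt32 from Get-WinEvent but '0x18' in exported XML; [int] accepts both.
    # IPv4 clients are logged as IPv4-mapped IPv6 (::ffff:a.b.c.d), so strip the prefix.
    $rows = foreach ($e in $Events) {
        $status = [int]$e.Properties[4].Value
        $reason = $StatusNames[$status]
        if (-not $reason) { $reason = '0x{0:X}' -f $status }
        [pscustomobject]@{ Account = [string]$e.Properties[0].Value; Reason = $reason
                           Client  = ([string]$e.Properties[6].Value) -replace '^::ffff:', '' }
    }
    $guesses = $rows | Where-Object Reason -eq 'KDC_ERR_PREAUTH_FAILED'   # 0x25/0x12/0x17 are not guesses
    @(
        $rows | Group-Object Reason | ForEach-Object {                     # breakdown by failure code
            [pscustomobject]@{ Type='ByReason'; Subject=$_.Name; Accounts=@($_.Group.Account | Sort-Object -Unique).Count; Attempts=$_.Count } }
        $guesses | Group-Object Client | ForEach-Object {                  # one client, many accounts
            $n = @($_.Group.Account | Sort-Object -Unique).Count
            if ($n -ge $SprayAccounts) { [pscustomobject]@{ Type='PasswordSpray'; Subject=$_.Name; Accounts=$n; Attempts=$_.Count } } }
        $guesses | Group-Object Account | Where-Object Count -ge $BruteForceTries | ForEach-Object {   # one account, many tries
            [pscustomobject]@{ Type='BruteForce'; Subject=$_.Name; Accounts=1; Attempts=$_.Count } }
    )
}
# Constructed records shaped like Get-WinEvent 4771 objects, for running this offline.
function New-Sample4771([string]$Account, [int]$Status, [string]$Ip) {
    $values = @($Account, 'S-1-5-21-0-0-0-1111', 'krbtgt/EXAMPLE.LOCAL', 0x40810010, $Status, 2, $Ip, 50000)
    [pscustomobject]@{ Properties = @(foreach ($v in $values) { [pscustomobject]@{ Value = $v } }) }
}
$sample = @(
    foreach ($u in 'alice','bob','carol','dave','erin','frank') { New-Sample4771 $u 0x18 '::ffff:203.0.113.7' }
    1..12 | ForEach-Object { New-Sample4771 'svc_backup' 0x18 '::ffff:10.0.0.9' }
    New-Sample4771 'grace' 0x25 '::ffff:10.0.0.21'
)
Get-Kerb4771Pattern -Events $sample | Format-Table -AutoSize
# On a domain controller, replace $sample with:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4771; StartTime=(Get-Date).AddHours(-1)}
```

On the sample data the output lists one PasswordSpray row for 203.0.113.7 (6 accounts, 6 attempts) and one BruteForce row for svc_backup (12 attempts); the 0x25 event appears only in the ByReason breakdown.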

Overview

Event ID 4771 fires when Kerberos pre-authentication fails during the initial authentication request to a domain controller. This security audit event appears in the Security log when a user or service attempts to authenticate but provides incorrect credentials or encounters authentication barriers. The event captures critical details including the target account name, client address, and failure reason code.

Pre-authentication is the first step in the Kerberos authentication process where the client proves knowledge of the account password before receiving a Ticket Granting Ticket (TGT). When this step fails, Windows logs Event ID 4771 to help administrators identify potential security threats, account issues, or infrastructure problems.

This event commonly appears during brute force attacks, password spray attempts, or legitimate authentication issues caused by expired passwords, locked accounts, or time synchronization problems. Domain controllers generate this event for every failed pre-authentication attempt, making it valuable for security monitoring and troubleshooting authentication problems across Active Directory environments.

Frequently Asked Questions

What does Event ID 4771 mean and when should I be concerned?
Event ID 4771 indicates a Kerberos pre-authentication failure, which occurs when a user or service provides incorrect credentials during the initial authentication step. You should be concerned when you see patterns of multiple 4771 events from the same IP address targeting different accounts (indicating password spray attacks) or repeated failures against the same account (suggesting brute force attempts). Occasional isolated events are normal and typically result from users mistyping passwords.
How can I distinguish between legitimate user errors and malicious attacks in 4771 events?
Legitimate user errors typically show sporadic 4771 events from known internal IP addresses with reasonable time intervals between attempts. Malicious attacks often exhibit patterns like multiple rapid-fire attempts from external IPs, targeting numerous different accounts from the same source, or systematic attempts against service accounts. Use PowerShell to analyze event patterns by grouping events by source IP and account names to identify suspicious activity that requires investigation.
What are the most common failure codes in Event ID 4771 and what do they mean?
The most common failure codes are: 0x18 (KDC_ERR_PREAUTH_FAILED) indicating incorrect password; 0x12 (KDC_ERR_CLIENT_REVOKED) for disabled accounts; 0x17 (KDC_ERR_PASSWORD_EXPIRED) for expired passwords; 0x25 (KDC_ERR_CLOCK_SKEW_TOO_GREAT) for time synchronization issues exceeding 5 minutes; and 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) for non-existent accounts. Understanding these codes helps quickly identify whether issues are password-related, account status problems, or infrastructure issues.
How do I prevent Event ID 4771 from recurring due to service account authentication failures?
Service account authentication failures often result from expired passwords or incorrect service configurations. First, identify the service account from the 4771 event details, then check its password expiration status using Get-ADUser. Configure service accounts with non-expiring passwords where appropriate, or implement Managed Service Accounts (MSA) or Group Managed Service Accounts (gMSA) which handle password rotation automatically. Update service configurations to use the correct credentials and test authentication using runas or PowerShell with the service account credentials.
Can Event ID 4771 impact system performance, and how should I manage high-volume logging?
High-volume 4771 events during attacks can impact domain controller performance and consume significant log space. The Security log has a finite size, and excessive 4771 events can cause important security events to be overwritten. Implement log forwarding to a centralized SIEM system, configure appropriate log retention policies, and consider increasing Security log size on domain controllers. Use event filtering and automated response scripts to handle high-volume scenarios, and implement network-level blocking for confirmed malicious IP addresses to reduce authentication attempts.