
4771 Kerberos pre-authentication failed

Written when the KDC could not issue a TGT due to pre-authentication failure. It is the cornerstone of authentication-failure monitoring for catching password spraying and brute force over the Kerberos path.

Overview

The audit subcategory is Audit Kerberos Authentication Service. The event is generated when pre-authentication (the mechanism that verifies, before a TGT is issued, that the requester holds the correct password) fails, and it is recorded only on domain controllers. Causes include a wrong password, expiration, and smart-card certificate problems. It is not generated for accounts with pre-authentication disabled (see 4768 in that case).

How it is triggered

  • A logon attempt with a wrong password on a domain account.
  • The reason appears in Failure Code. Common examples:
    • 0x18 wrong password (correct username + wrong password) = the main signal of spraying/brute force
    • 0x12 account disabled/locked/expired/out of hours
    • 0x6 nonexistent username (a sign of enumeration)

Security review points

  • Password spraying: a pattern where Failure Code 0x18 failures spread from one source across many accounts. Use a threshold such as more than 50 events with code 0x18 in one minute. Attacks over the LDAP/Kerberos path produce no 4625 (NTLM-type failures), so this 4771 is where they are caught.
  • Brute force: consecutive 0x18 against a single account. Correlate with lockout 4740.
  • A burst of 0x6 (unknown user) indicates username enumeration. Aggregate by source IP (Client Address).

Notes for log review

  • “Self-inflicted” failures by devices/services holding old credentials are also common. Separate attack from configuration-induced causes by source IP and target account.
  • Beyond 4771, combine TGT requests 4768, NTLM validation 4776, and lockout 4740 to build the full picture of authentication failures.
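
The review points and the note on self-inflicted failures above can be combined into one sliding-window check per Client Address. This is an added example, not code from the original page; the tuple layout, the `detect_4771` name, the verdict labels and the 10-account cutoff for calling a burst a spray are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque

WINDOW_S = 60        # one-minute window, as on the page
THRESHOLD = 50       # alert on more than 50 failures per window, as on the page
SPRAY_ACCOUNTS = 10  # assumption: distinct accounts that make a burst a spray

def detect_4771(events, window=WINDOW_S, threshold=THRESHOLD,
                spray_accounts=SPRAY_ACCOUNTS):
    """events: (epoch_seconds, client_address, account_name, failure_code) tuples.
    Returns sorted (client_address, verdict) pairs."""
    by_key = defaultdict(list)
    for ts, client, account, code in events:
        if code in (0x18, 0x6):          # other codes are not treated as burst signals
            by_key[(client, code)].append((ts, account.lower()))
    findings = set()
    for (client, code), rows in by_key.items():
        rows.sort()
        win = deque()                    # events inside the sliding window
        for ts, account in rows:
            win.append((ts, account))
            while win[0][0] <= ts - window:
                win.popleft()
            if len(win) <= threshold:
                continue
            distinct = len({a for _, a in win})
            if code == 0x6:
                findings.add((client, "username-enumeration"))
            elif distinct >= spray_accounts:
                findings.add((client, "password-spraying"))
            else:                        # few accounts: correlate with 4740
                findings.add((client, "brute-force"))
    return sorted(findings)

def sample_events():
    """Constructed 4771 records; addresses are documentation ranges."""
    ev = [(i, "192.0.2.5", f"user{i}", 0x18) for i in range(60)]         # many accounts
    ev += [(i, "192.0.2.9", "svc_backup", 0x18) for i in range(55)]      # one account
    ev += [(i * 0.5, "192.0.2.7", f"guess{i}", 0x6) for i in range(70)]  # unknown users
    # Device holding an old credential: steady retries, never a burst.
    ev += [(i * 30, "198.51.100.20", "printer01", 0x18) for i in range(100)]
    return ev

if __name__ == "__main__":
    for client, verdict in detect_4771(sample_events()):
        print(client, verdict)
```

The slow retries from 198.51.100.20 stay under the threshold and are not flagged, which is the configuration-induced pattern to separate from attacks; a spray paced below the threshold would be missed the same way, so the window and threshold need tuning per environment.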

Key fields

| Field | Meaning |
| --- | --- |
| Account Name | The targeted account |
| Client Address | The source IP of the attempt; an aggregation axis |
| Failure Code | The failure reason (0x18 wrong password, 0x6 unknown user, etc.) |
| Pre-Authentication Type | The pre-authentication type used |
