4772 A Kerberos authentication ticket request failed

A defined but never-generated event. A failed TGT request is recorded instead as a failure event of 4768.

Overview

The subcategory is Audit Kerberos Authentication Service. As the original docs state, this event is defined but is not invoked or generated by the OS. When a TGT request fails, a failure (F) event of 4768 (A Kerberos authentication ticket (TGT) was requested) appears instead.

How it is triggered

• By definition, on a failed Kerberos authentication ticket request, but in practice it does not occur.

Security review points

• There is no need to make this event a detection target. Catch failed TGT requests and pre-authentication failures via 4768 (failure) and 4771 respectively.

Notes for log review

• It is effectively never recorded, so it is low priority for review. For Kerberos failures, look at 4768/4771.

Key fields

No specific fields carry practical meaning (since it is not generated).

References

• Microsoft Learn: 4772(F) A Kerberos authentication ticket request failed.