4774 An account was mapped for logon
Written when presented credentials are mapped (associated) to an account for logon. It captures the process of tying external identity information to an internal account, such as in certificate logon.
Overview
The subcategory is Audit Credential Validation. It is generated when, during authentication, presented identity information (such as a certificate subject) is associated with an actual account. Mapping failure is recorded by 4775.
How it is triggered
- When a certificate is mapped to an AD account in smart-card/certificate-based logon.
- When the authentication package performs account mapping.
Security review points
- Confirm the mapped-to account is as expected. Misconfiguration or abuse of certificate mapping (such as associating an illicit certificate with a privileged account) can lead to impersonation.
- Together with the failure version 4775, track the success and target of mapping.
Notes for log review
- It only carries meaning in environments using certificate/smart-card authentication. Without those, it barely appears.
- Check whether the correspondence between the mapping source (certificate subject, etc.) and the mapped account matches normal patterns.
Key fields
| Field | Meaning |
|---|---|
Authentication Package | The authentication package used |
Mapped Account | The account mapped to |