4775 An account could not be mapped for logon
Written when presented credentials could not be mapped to an account. Paired with the success version 4774, it captures mapping failures.
Overview
The subcategory is Audit Credential Validation. It is generated when, during authentication, presented identity information could not be associated with an existing account. Causes include no account matching the certificate subject, or not matching the mapping rules.
How it is triggered
- A logon attempt where no AD account corresponds to the certificate/smart-card subject.
- Presentation of credentials that do not match the mapping rules.
Security review points
- If mapping failures are frequent, consider, besides misconfiguration, authentication attempts with illicit certificates or attacks against certificate-based authentication (attempts to exploit improper mapping).
- Together with success 4774, check which identity information failed to map.
Notes for log review
- It only carries meaning in certificate/smart-card authentication environments.
- Check the failure source and the presented identity information to separate misconfiguration from attack.
Key fields
| Field | Meaning |
|---|---|
Authentication Package | The authentication package used |
| Mapping target identity | The mapping source that failed |