Kerberos Failure Due To Ticket Expiration

You can ignore Kerberos failure due to ticket expiration; in fact, you might want to filter these events from your central log database.

ITPro Today

July 16, 2006

1 Min Read
ITPro Today logo

We log many 673 events daily on our domain controllers (DCs). Most don't have a username. Here's a typical example:

Host: DELL1600
Log: Security
Type: FailureAudit
Date: 03/29/2006 23:59:59
Source: Security
Category: Account Logon
Event ID: 673
Message: Service Ticket Request:
User Name:
User Domain:
Service Name:
Service ID: -
Ticket Options: 0x2
Ticket Encryption Type: --
Client Address:
Failure Code: 0x20
Logon GUID: --
How should we respond to these events?

Failure code 0x20 (37 in decimal) indicates an expired ticket, which is a typical Kerberos operation. Kerberos tickets have an initial renewal lifetime and a total lifetime after which renewals fail and the client must obtain a new ticket. You can ignore Kerberos failures that are due to ticket expiration. In fact, I recommend filtering these events from your central log database if you have an agent-based event log management system. For a list of security log management solutions go to http://www.ultimate

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like