Kerberos Failure Due To Ticket Expiration

We log many 673 events daily on our domain controllers (DCs). Most don't have a username. Here's a typical example:

Host: DELL1600
Log: Security
Type: FailureAudit
Date: 03/29/2006 23:59:59
Source: Security
Category: Account Logon
Event ID: 673
Message: Service Ticket Request:
User Name:
User Domain:
Service Name:
Service ID: -
Ticket Options: 0x2
Ticket Encryption Type: --
Client Address:
Failure Code: 0x20
Logon GUID: --
How should we respond to these events?

Failure code 0x20 (37 in decimal) indicates an expired ticket, which is a typical Kerberos operation. Kerberos tickets have an initial renewal lifetime and a total lifetime after which renewals fail and the client must obtain a new ticket. You can ignore Kerberos failures that are due to ticket expiration. In fact, I recommend filtering these events from your central log database if you have an agent-based event log management system. For a list of security log management solutions go to http://www.ultimate

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.