Microsoft-Windows-Kerberos-Key-Distribution-Center

134 events across 6 channels

Event ID	Title	Channel
3		Operational
4		Operational
5		Operational
6		Operational
7		Operational
8		Operational
9	The password on the KRBTGT account was changed.	Operational
10		Operational
11		Operational
12		Operational
13		Operational
14		Operational
15		Operational
16		Operational
17		Operational
18		Operational
19		Operational
20		Operational
21		Operational
22		Operational
23		Operational
24		Operational
25		Operational
26		Operational
27		Operational
28		Operational
29		Operational
30		Operational
31		Operational
32		Operational
33		Operational
34		Operational
35		Operational
36		Operational
37		Operational
37		System
38		Operational
39		Operational
40		Operational
41		Operational
42		Operational
43		Operational
44		Operational
45		Operational
100		Operational
100	AS exchange performance: AS-REQ processing begins	Performance
101		Operational
101	AS exchange performance: AS-REP or KRB-ERROR returned.	Performance
102		Operational
102	TGS exchange performance: TGS-REQ processing begins	Performance
103		Operational
103	TGS exchange performance: TGS-REQ or KRB-ERROR returned.	Performance
104	Kerberos preauthentication by using DES or RC4 failed because the account was a …	ProtectedUserFailures-DomainController
104		Operational
105	A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not …	AuthenticationPolicyFailures-DomainController
105		Operational
106	A Kerberos service ticket was denied because the user, device, or both does not …	AuthenticationPolicyFailures-DomainController
106		Operational
120	The Key Distribution Center (KDC) failed to validate its current KDC …	Operational
200	The Key Distribution Center (KDC) cannot find a suitable certificate to use.	Operational
201		Operational
201	The Key Distribution Center (KDC) detected Cipher usage that will be unsupported …	System
202		Operational
202	The Key Distribution Center (KDC) detected Cipher usage that will be unsupported …	System
203		Operational
203	The Key Distribution Center (KDC) blocked cipher usage because service …	System
204		Operational
204	The Key Distribution Center (KDC) blocked cipher usage because the service …	System
205		Operational
205	The Key Distribution Center (KDC) detected explicit insecure cipher enablement …	System
300	The Key Distribution Center (KDC) is being started.	Operational
301	The Key Distribution Center (KDC) has stopped with error code: ErrorCode.	Operational
302	The Key Distribution Center (KDC) uses the below KDC certificate for smart card …	Operational
303	A Kerberos ticket-granting-ticket (TGT) was issued for a member of the Protected …	ProtectedUserSuccesses-DomainController
303		Operational
304	A Kerberos service ticket was issued for a member of the Protected User group.	ProtectedUserSuccesses-DomainController
304		Operational
305	A Kerberos ticket-granting-ticket (TGT) was issued, but it will be denied when …	AuthenticationPolicyFailures-DomainController
305		Operational
306	A Kerberos service ticket was issued, but it will be denied when Authentication …	AuthenticationPolicyFailures-DomainController
306		Operational
307	The Key Distribution Center (KDC) used the PKINIT protocol with encryption mode …	Operational
308	The Key Distribution Center (KDC) is unable to use the PKINIT protocol because …	Operational
309	The kerberos client used a hash algorithm for the PKINIT protocol that is being …	Operational
310	The kerberos client used a hash algorithm for the PKINIT protocol that is not …	Operational
311	The Kerberos client did not supply a supported encryption type for use with the …	Operational
312	The Key Distribution Center (KDC) has an invalid hash algorithm configuration …	Operational
313	The Key Distribution Center (KDC) encountered invalid certificate strong name …	Operational
314	An unauthorized Kerberos client attempted to fetch DMSA keys.	Operational
315	A Kerberos client attempted to fetch DMSA keys.	Operational
400	A Kerberos authentication ticket (TGT) was requested.	Operational
401	A Kerberos service ticket was requested.	Operational
2147483651	Could not find principal %1.	Operational
2147483652	Domain %1 propagated to us but did not authenticate.	Operational
2147483660	A request failed from client realm %1 for a ticket in realm %2.	Operational
2147483667	This event indicates an attempt was made to use smartcard logon, but the KDC is …	Operational
2147483668	The currently selected KDC certificate was once valid, but now is invalid and no …	Operational
2147483669	The client certificate for the user %1\%2 is not valid, and resulted in a failed …	Operational
2147483670	The KDC encountered a trust loop when building a list of trusted domains.	Operational
2147483671	The KDC received invalid messages of type %1.	Operational
2147483672	A service ticket request by client %1 for %2 was rejected because User2User was …	Operational
2147483673	The account %1 from domain %2 is attempting to use S4USelf for the target client …	Operational
2147483676	When generating a cross realm referral from domain %1 the KDC was not able to …	Operational
2147483677	The Key Distribution Center (KDC) cannot find a suitable certificate to use for …	Operational
2147483678	The Kerberos Key Distribution Center failed to locate the forest or domain %1 to …	Operational
2147483679	A ticket to the service %2 is issued for account %1.	Operational
2147483680	The Key Distribution Center (KDC) uses a certificate without KDC Extended Key …	Operational
2147483681	The Key Distribution Center (KDC) encountered failures when updating the krbtgt …	Operational
2147483682	The Key Distribution Center (KDC) has the Dynamic Access Control and Kerberos …	Operational
2147483683	The Key Distribution Center (KDC) encountered a ticket-granting-ticket (TGT) …	Operational
2147483684	The Key Distribution Center (KDC) encountered a ticket that did not contain a …	Operational
2147483685	The Key Distribution Center (KDC) encountered a ticket that did not contain …	Operational
2147483686	The Key Distribution Center (KDC) encountered a ticket that contained …	Operational
2147483687	The Key Distribution Center (KDC) encountered a user certificate that was valid …	Operational
2147483688	The Key Distribution Center (KDC) encountered a user certificate that was valid …	Operational
2147483689	The Key Distribution Center (KDC) encountered a user certificate that was valid …	Operational
2147483690	The Kerberos Key Distribution Center lacks strong keys for account %1.	Operational
2147483691	The Key Distribution Center (KDC) encountered a ticket that it could not …	Operational
2147483692	The Key Distribution Center (KDC) encountered a ticket that did not contained …	Operational
2147483693	The Key Distribution Center (KDC) encountered a client certificate that was …	Operational
3221225477	The KDC failed to update policy class %1.	Operational
3221225478	The KDC failed to update the trusted domain list.	Operational
3221225479	The Security Account Manager failed a KDC request in an unexpected way.	Operational
3221225480	The account %1 did not have a suitable key for generating a Kerberos ticket.	Operational
3221225482	The attempt to change the password on the KRBTGT account failed.	Operational
3221225483	The KDC encountered duplicate names while processing a Kerberos authentication …	Operational
3221225485	The account for %1 has corrupt keys stored in the DS.	Operational
3221225486	While processing an AS request for target service %1, the account %2 did not …	Operational
3221225487	The request for an AS ticket for client %1 was forwarded to the PDC.	Operational
3221225488	While processing a TGS request for the target server %1, the account %2 did not …	Operational
3221225489	When updating policy class %1, the KDC encountered invalid policy data and has …	Operational
3221225490	During TGS processing, the KDC was unable to verify the signature on the PAC …	Operational
3221225498	While processing an AS request for target service %1, the account %2 did not …	Operational
3221225499	While processing a TGS request for the target server %1, the account %2 did not …	Operational

Event ID 3 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`Principal` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 4 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`Domain` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 5 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`Class` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 6 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Event ID 7 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`AccountName` UnicodeString	—
`LookupType` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 8 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`AccountName` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 9 — The password on the KRBTGT account was changed.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

The password on the KRBTGT account was changed.

Message #

The password on the KRBTGT account was changed.

Event ID 10 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Event ID 11 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`Name` UnicodeString	—
`Type` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 12 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`ClientRealm` UnicodeString	—
`Realm` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 13 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`Name` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 14 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`Target` UnicodeString	—
`Account` UnicodeString	—
`ID` UnicodeString	—
`RequestedEtypes` UnicodeString	—
`AvailableEtypes` UnicodeString	—
`AccountToReset` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 15 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`Client` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 16 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`Target` UnicodeString	—
`Account` UnicodeString	—
`ID` UnicodeString	—
`RequestedEtypes` UnicodeString	—
`AvailableEtypes` UnicodeString	—
`AccountToReset` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 17 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`Class` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 18 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`Name` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 19 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Event ID 20 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Event ID 21 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`Domain` UnicodeString	—
`Username` UnicodeString	—
`Status` UnicodeString	— NTSTATUS reference
`__binLength` UInt32	—
`binary` Binary	—

Event ID 22 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`Domain` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 23 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`Type` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 24 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`Client` UnicodeString	—
`Server` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 25 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`Name` UnicodeString	—
`Domain` UnicodeString	—
`Target` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 26 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`Target` UnicodeString	—
`Name` UnicodeString	—
`ID` UnicodeString	—
`RequestedEtypes` UnicodeString	—
`AvailableETypes` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 27 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`Target` UnicodeString	—
`Name` UnicodeString	—
`ID` UnicodeString	—
`RequestedEtypes` UnicodeString	—
`AvailableETypes` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 28 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`Domain` UnicodeString	—
`RequestedKeyVersion` UnicodeString	—
`AvailableKeyVersion` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 29 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Event ID 30 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`Forest` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 31 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`Account` UnicodeString	—
`Server` UnicodeString	—
`EncryptedTicketSize` UnicodeString	—
`TicketSizeThreshold` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 32 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Event ID 33 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Event ID 34 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Event ID 35 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`IssuingKDC` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 36 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`ClientRealm` UnicodeString	—
`ClientName` UnicodeString	—
`ServerName` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 37 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`IssuingKDC` UnicodeString	—
`ClientRealm` UnicodeString	—
`ClientName` UnicodeString	—
`ServerName` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 37 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: System
Level: Warning

Fields #

Name	Description
`IssuingKDC`	—
`ClientRealm`	—
`ClientName`	—
`ServerName`	—
`Binary`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kerberos-Key-Distribution-Center",
    "guid": "{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}",
    "event_source_name": "KDC",
    "event_id": 37,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-13T17:05:19.030305+00:00",
    "event_record_id": 10648,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "IssuingKDC": "LAB-DC01",
    "ClientRealm": "LUDUS.DOMAIN",
    "ClientName": "domainadmin",
    "ServerName": "krbtgt",
    "Binary": ""
  },
  "message": ""
}

Event ID 38 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`IssuingKDC` UnicodeString	—
`ClientRealm` UnicodeString	—
`ClientName` UnicodeString	—
`ServerName` UnicodeString	—
`ActiveDirectorySID` UnicodeString	—
`TicketSID` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 39 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`AccountName` UnicodeString	—
`Subject` UnicodeString	—
`Issuer` UnicodeString	—
`SerialNumber` UnicodeString	—
`Thumbprint` UnicodeString	—
`IssuancePolicies` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 40 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`AccountName` UnicodeString	—
`Subject` UnicodeString	—
`Issuer` UnicodeString	—
`SerialNumber` UnicodeString	—
`Thumbprint` UnicodeString	—
`IssuancePolicies` UnicodeString	—
`IssuanceTime` UnicodeString	—
`AccountCreationTime` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 41 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`AccountName` UnicodeString	—
`AccountSid` UnicodeString	—
`Subject` UnicodeString	—
`Issuer` UnicodeString	—
`SerialNumber` UnicodeString	—
`Thumbprint` UnicodeString	—
`IssuancePolicies` UnicodeString	—
`CertificateSid` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 42 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`AccountName` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 43 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`ClientRealm` UnicodeString	—
`ClientName` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 44 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`ClientRealm` UnicodeString	—
`ClientName` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 45 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`AccountName` UnicodeString	—
`Subject` UnicodeString	—
`Issuer` UnicodeString	—
`SerialNumber` UnicodeString	—
`Thumbprint` UnicodeString	—
`__binLength` UInt32	—
`binary` Binary	—

Event ID 100 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational
Task: KDCPerformance
Opcode: Start

Description

AS exchange performance: AS-REQ processing begins.

Event ID 100 — AS exchange performance: AS-REQ processing begins

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Performance
Task: KDCPerformance
Opcode: Start

Description

AS exchange performance: AS-REQ processing begins.

Message #

AS exchange performance: AS-REQ processing begins

Event ID 101 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational
Task: KDCPerformance
Opcode: Stop

Description

AS exchange performance: AS-REP or KRB-ERROR returned.

Fields #

Name	Description
`ClientDomain` UnicodeString	—
`ClientName` UnicodeString	—
`ServerDomain` UnicodeString	—
`ServerName` UnicodeString	—
`ErrorCode` UInt32	—
`TimeSpent` UInt32	—

Event ID 101 — AS exchange performance: AS-REP or KRB-ERROR returned.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Performance
Task: KDCPerformance
Opcode: Stop

Description

AS exchange performance: AS-REP or KRB-ERROR returned.

Message #

AS exchange performance: AS-REP or KRB-ERROR returned:

    client domain: %1
    client name: %2
    server domain: %3
    server name: %4
    ErrorCode: %5
    elapse: %6 milliseconds

Fields #

Name	Description
`ClientDomain` UnicodeString	—
`ClientName` UnicodeString	—
`ServerDomain` UnicodeString	—
`ServerName` UnicodeString	—
`ErrorCode` UInt32	—
`TimeSpent` UInt32	—

Event ID 102 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational
Task: KDCPerformance
Opcode: Start

Description

TGS exchange performance: TGS-REQ processing begins.

Event ID 102 — TGS exchange performance: TGS-REQ processing begins

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Performance
Task: KDCPerformance
Opcode: Start

Description

TGS exchange performance: TGS-REQ processing begins.

Message #

TGS exchange performance: TGS-REQ processing begins

Event ID 103 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational
Task: KDCPerformance
Opcode: Stop

Description

TGS exchange performance: TGS-REQ or KRB-ERROR returned.

Fields #

Name	Description
`ClientDomain` UnicodeString	—
`ClientName` UnicodeString	—
`ServerDomain` UnicodeString	—
`ServerName` UnicodeString	—
`ErrorCode` UInt32	—
`TimeSpent` UInt32	—

Event ID 103 — TGS exchange performance: TGS-REQ or KRB-ERROR returned.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Performance
Task: KDCPerformance
Opcode: Stop

Description

TGS exchange performance: TGS-REQ or KRB-ERROR returned.

Message #

TGS exchange performance: TGS-REQ or KRB-ERROR returned:

    client domain: %1
    client name: %2
    server domain: %3
    server name: %4
    ErrorCode: %5
    elapse: %6 milliseconds

Fields #

Name	Description
`ClientDomain` UnicodeString	—
`ClientName` UnicodeString	—
`ServerDomain` UnicodeString	—
`ServerName` UnicodeString	—
`ErrorCode` UInt32	—
`TimeSpent` UInt32	—

Event ID 104 — Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: ProtectedUserFailures-DomainController

Description

Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.

Message #

Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.

Account Information:
	Security ID: %2
	Account Name: %1

Service Information:
	Service Name: %3

Network Information:
	Client Address: %7
	Client Port: %8

Additional Information:
	Ticket Options: %4
	Failure Code: %5
	Pre-Authentication Type: %6

Certificate Information:
	Certificate Issuer Name: %9
	Certificate Serial Number: %10
	Certificate Thumbprint: %11

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

Fields #

Name	Description
`TargetUserName` UnicodeString	—
`TargetSid` SID	—
`ServiceName` UnicodeString	—
`TicketOptions` HexInt32	— Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Renewable `0x00800000` Opt-hardware-auth `0x00400000` Canonicalize `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`Status` HexInt32	— NTSTATUS reference
`PreAuthType` UnicodeString	— Known values `0` PA-NONE `2` PA-ENC-TIMESTAMP `11` PA-ETYPE-INFO `14` PA-PK-AS-REQ-OLD `15` PA-PK-AS-REQ `16` PA-PK-AS-REP `17` PA-ETYPE-INFO2 `19` PA-ETYPE-INFO2 `20` PA-SVR-REFERRAL-INFO `128` PA-SUPPORTED-ENCTYPES `129` PA-PAC-OPTIONS `165` PA-SPAKE
`IpAddress` UnicodeString	—
`IpPort` UnicodeString	—
`CertIssuerName` UnicodeString	—
`CertSerialNumber` UnicodeString	—
`CertThumbprint` UnicodeString	—

Event ID 104 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

Kerberos preauthentication by using DES or RC4 failed because the account was a member of the Protected User group.

Fields #

Name	Description
`TargetUserName` UnicodeString	—
`TargetSid` SID	—
`ServiceName` UnicodeString	—
`TicketOptions` HexInt32	— Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Renewable `0x00800000` Opt-hardware-auth `0x00400000` Canonicalize `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`Status` HexInt32	— NTSTATUS reference
`PreAuthType` UnicodeString	— Known values `0` PA-NONE `2` PA-ENC-TIMESTAMP `11` PA-ETYPE-INFO `14` PA-PK-AS-REQ-OLD `15` PA-PK-AS-REQ `16` PA-PK-AS-REP `17` PA-ETYPE-INFO2 `19` PA-ETYPE-INFO2 `20` PA-SVR-REFERRAL-INFO `128` PA-SUPPORTED-ENCTYPES `129` PA-PAC-OPTIONS `165` PA-SPAKE
`IpAddress` UnicodeString	—
`IpPort` UnicodeString	—
`CertIssuerName` UnicodeString	—
`CertSerialNumber` UnicodeString	—
`CertThumbprint` UnicodeString	—

Event ID 105 — A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: AuthenticationPolicyFailures-DomainController

Description

A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.

Message #

A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.

Account Information:
	Account Name: %1
	Supplied Realm Name: %2
	User ID: %3

Authentication Policy Information:
	Silo Name: %16
	Policy Name: %17
	TGT Lifetime: %18

Device Information:
	Device Name: %4

Service Information:
	Service Name: %5
	Service ID: %6

Network Information:
	Client Address: %11
	Client Port: %12

Additional Information:
	Ticket Options: %7
	Result Code: %8
	Ticket Encryption Type: %9
	Pre-Authentication Type: %10

Certificate Information:
	Certificate Issuer Name: %13
	Certificate Serial Number: %14
	Certificate Thumbprint: %15

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

Fields #

Name	Description
`TargetUserName` UnicodeString	—
`TargetDomainName` UnicodeString	—
`TargetSid` SID	—
`DeviceName` UnicodeString	—
`ServiceName` UnicodeString	—
`ServiceSid` SID	—
`TicketOptions` HexInt32	— Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Renewable `0x00800000` Opt-hardware-auth `0x00400000` Canonicalize `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`Status` HexInt32	— NTSTATUS reference
`TicketEncryptionType` HexInt32	— Known values `0x1` DES-CBC-CRC `0x3` DES-CBC-MD5 `0x11` AES128-CTS-HMAC-SHA1-96 `0x12` AES256-CTS-HMAC-SHA1-96 `0x17` RC4-HMAC `0x18` RC4-HMAC-EXP `0xFFFFFFFF` Unspecified
`PreAuthType` UnicodeString	— Known values `0` PA-NONE `2` PA-ENC-TIMESTAMP `11` PA-ETYPE-INFO `14` PA-PK-AS-REQ-OLD `15` PA-PK-AS-REQ `16` PA-PK-AS-REP `17` PA-ETYPE-INFO2 `19` PA-ETYPE-INFO2 `20` PA-SVR-REFERRAL-INFO `128` PA-SUPPORTED-ENCTYPES `129` PA-PAC-OPTIONS `165` PA-SPAKE
`IpAddress` UnicodeString	—
`IpPort` UnicodeString	—
`CertIssuerName` UnicodeString	—
`CertSerialNumber` UnicodeString	—
`CertThumbprint` UnicodeString	—
`SiloName` UnicodeString	—
`PolicyName` UnicodeString	—
`TGTLifetime` UInt32	—

Event ID 105 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions.

Fields #

Name	Description
`TargetUserName` UnicodeString	—
`TargetDomainName` UnicodeString	—
`TargetSid` SID	—
`DeviceName` UnicodeString	—
`ServiceName` UnicodeString	—
`ServiceSid` SID	—
`TicketOptions` HexInt32	— Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Renewable `0x00800000` Opt-hardware-auth `0x00400000` Canonicalize `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`Status` HexInt32	— NTSTATUS reference
`TicketEncryptionType` HexInt32	— Known values `0x1` DES-CBC-CRC `0x3` DES-CBC-MD5 `0x11` AES128-CTS-HMAC-SHA1-96 `0x12` AES256-CTS-HMAC-SHA1-96 `0x17` RC4-HMAC `0x18` RC4-HMAC-EXP `0xFFFFFFFF` Unspecified
`PreAuthType` UnicodeString	— Known values `0` PA-NONE `2` PA-ENC-TIMESTAMP `11` PA-ETYPE-INFO `14` PA-PK-AS-REQ-OLD `15` PA-PK-AS-REQ `16` PA-PK-AS-REP `17` PA-ETYPE-INFO2 `19` PA-ETYPE-INFO2 `20` PA-SVR-REFERRAL-INFO `128` PA-SUPPORTED-ENCTYPES `129` PA-PAC-OPTIONS `165` PA-SPAKE
`IpAddress` UnicodeString	—
`IpPort` UnicodeString	—
`CertIssuerName` UnicodeString	—
`CertSerialNumber` UnicodeString	—
`CertThumbprint` UnicodeString	—
`SiloName` UnicodeString	—
`PolicyName` UnicodeString	—
`TGTLifetime` UInt32	—

Event ID 106 — A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: AuthenticationPolicyFailures-DomainController

Description

A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.

Message #

A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.

Account Information:
	Account Name: %1
	Account Domain: %2
	Logon GUID: %11

Authentication Policy Information:
	Silo Name: %13
	Policy Name: %14

Device Information:
	Device Name: %3

Service Information:
	Service Name: %4
	Service ID: %5

Network Information:
	Client Address: %8
	Client Port: %9

Additional Information:
	Ticket Options: %6
	Ticket Encryption Type: %7
	Failure Code: %10
	Transited Services: %12

This event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.

Fields #

Name	Description
`TargetUserName` UnicodeString	—
`TargetDomainName` UnicodeString	—
`DeviceName` UnicodeString	—
`ServiceName` UnicodeString	—
`ServiceSid` SID	—
`TicketOptions` HexInt32	— Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Renewable `0x00800000` Opt-hardware-auth `0x00400000` Canonicalize `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`TicketEncryptionType` HexInt32	— Known values `0x1` DES-CBC-CRC `0x3` DES-CBC-MD5 `0x11` AES128-CTS-HMAC-SHA1-96 `0x12` AES256-CTS-HMAC-SHA1-96 `0x17` RC4-HMAC `0x18` RC4-HMAC-EXP `0xFFFFFFFF` Unspecified
`IpAddress` UnicodeString	—
`IpPort` UnicodeString	—
`Status` HexInt32	— NTSTATUS reference
`LogonGuid` GUID	—
`TransitedServices` UnicodeString	—
`SiloName` UnicodeString	—
`PolicyName` UnicodeString	—

Event ID 106 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.

Fields #

Name	Description
`TargetUserName` UnicodeString	—
`TargetDomainName` UnicodeString	—
`DeviceName` UnicodeString	—
`ServiceName` UnicodeString	—
`ServiceSid` SID	—
`TicketOptions` HexInt32	— Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Renewable `0x00800000` Opt-hardware-auth `0x00400000` Canonicalize `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`TicketEncryptionType` HexInt32	— Known values `0x1` DES-CBC-CRC `0x3` DES-CBC-MD5 `0x11` AES128-CTS-HMAC-SHA1-96 `0x12` AES256-CTS-HMAC-SHA1-96 `0x17` RC4-HMAC `0x18` RC4-HMAC-EXP `0xFFFFFFFF` Unspecified
`IpAddress` UnicodeString	—
`IpPort` UnicodeString	—
`Status` HexInt32	— NTSTATUS reference
`LogonGuid` GUID	—
`TransitedServices` UnicodeString	—
`SiloName` UnicodeString	—
`PolicyName` UnicodeString	—

Event ID 120 — The Key Distribution Center (KDC) failed to validate its current KDC certificate.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational
Task: KDC

Description

The Key Distribution Center (KDC) failed to validate its current KDC certificate. This KDC might not be enabled for smart card or certificate authentication.

Message #

The Key Distribution Center (KDC) failed to validate its current KDC certificate. This KDC might not be enabled for smart card or certificate authentication.

Kdc Certificate Information:
  Issuer Name: %1
  Serial Number: %2
  Thumbprint: %3
  Template: %4
  Kerberos Error: %5
  Validation Error: %6

Fields #

Name	Description
`Issuer` UnicodeString	—
`SerialNumber` UnicodeString	—
`Thumbprint` UnicodeString	—
`Template` UnicodeString	—
`KerbErr` UInt32	—
`ErrorCode` UInt32	—

Event ID 200 — The Key Distribution Center (KDC) cannot find a suitable certificate to use.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational
Level: Warning
Task: KDC

Description

The Key Distribution Center (KDC) cannot find a suitable certificate to use. This KDC is not enabled for smart card or certificate authentication.

Message #

The Key Distribution Center (KDC) cannot find a suitable certificate to use. This KDC is not enabled for smart card or certificate authentication.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kerberos-Key-Distribution-Center",
    "guid": "3FD9DA1A-5A54-46C5-9A26-9BD7C0685056",
    "event_source_name": "",
    "event_id": 200,
    "version": 0,
    "level": 3,
    "task": 1,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T20:16:26.074299+00:00",
    "event_record_id": 1,
    "correlation": {},
    "execution": {
      "process_id": 968,
      "thread_id": 7192
    },
    "channel": "Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 201 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational
Task: KDCExtendedAudit

Description

The Key Distribution Center (KDC) detected usage that will be unsupported because service msds-SupportedEncryptionTypes is not defined and the client only supports insecure encryption types.

Fields #

Name	Description
`AccountName` UnicodeString	—
`SuppliedRealm` UnicodeString	—
`AccountSET` UnicodeString	—
`AccountKeys` UnicodeString	—
`ServiceName` UnicodeString	—
`ServiceID` SID	—
`ServiceSET` UnicodeString	—
`ServiceKeys` UnicodeString	—
`DCSET` UnicodeString	—
`DDSET` UnicodeString	—
`DCKeys` UnicodeString	—
`IpAddress` UnicodeString	—
`Port` UInt16	—
`AdvertizedEtypes` UnicodeString	—
`Cipher` UnicodeString	—

Event ID 201 — The Key Distribution Center (KDC) detected Cipher usage that will be unsupported because service msds-SupportedEncryptionTypes is not defined and the ...

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: System
Task: KDCExtendedAudit

Description

The Key Distribution Center (KDC) detected Cipher usage that will be unsupported because service msds-SupportedEncryptionTypes is not defined and the client only supports insecure encryption types.

Message #

The Key Distribution Center (KDC) detected %15 usage that will be unsupported because service msds-SupportedEncryptionTypes is not defined and the client only supports insecure encryption types. 

Account Information
	Account Name: %1 
	Supplied Realm Name: %2 
	msds-SupportedEncryptionTypes: %3 
	Available Keys: %4 
  
Service Information: 
	Service Name: %5 
	Service ID: %6 
	msds-SupportedEncryptionTypes: %7 
	Available Keys: %8 

Domain Controller Information: 
	msds-SupportedEncryptionTypes: %9 
	DefaultDomainSupportedEncTypes: %10 
	Available Keys: %11 

Network Information: 
	Client Address: %12 
	Client Port: %13 
	Advertized Etypes: %14 

See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more.

Fields #

Name	Description
`AccountName` UnicodeString	—
`SuppliedRealm` UnicodeString	—
`AccountSET` UnicodeString	—
`AccountKeys` UnicodeString	—
`ServiceName` UnicodeString	—
`ServiceID` SID	—
`ServiceSET` UnicodeString	—
`ServiceKeys` UnicodeString	—
`DCSET` UnicodeString	—
`DDSET` UnicodeString	—
`DCKeys` UnicodeString	—
`IpAddress` UnicodeString	—
`Port` UInt16	—
`AdvertizedEtypes` UnicodeString	—
`Cipher` UnicodeString	—

Event ID 202 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational
Task: KDCExtendedAudit

Description

The Key Distribution Center (KDC) detected usage that will be unsupported because the service msds-SupportedEncryptionTypes is not defined and the service account only has insecure keys.

Fields #

Name	Description
`AccountName` UnicodeString	—
`SuppliedRealm` UnicodeString	—
`AccountSET` UnicodeString	—
`AccountKeys` UnicodeString	—
`ServiceName` UnicodeString	—
`ServiceID` SID	—
`ServiceSET` UnicodeString	—
`ServiceKeys` UnicodeString	—
`DCSET` UnicodeString	—
`DDSET` UnicodeString	—
`DCKeys` UnicodeString	—
`IpAddress` UnicodeString	—
`Port` UInt16	—
`AdvertizedEtypes` UnicodeString	—
`Cipher` UnicodeString	—

Event ID 202 — The Key Distribution Center (KDC) detected Cipher usage that will be unsupported because the service msds-SupportedEncryptionTypes is not defined and ...

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: System
Task: KDCExtendedAudit

Description

The Key Distribution Center (KDC) detected Cipher usage that will be unsupported because the service msds-SupportedEncryptionTypes is not defined and the service account only has insecure keys.

Message #

The Key Distribution Center (KDC) detected %15 usage that will be unsupported because the service msds-SupportedEncryptionTypes is not defined and the service account only has insecure keys.   

Account Information  
	Account Name: %1 
	Supplied Realm Name: %2 
	msds-SupportedEncryptionTypes: %3 
	Available Keys: %4 

Service Information:  
	Service Name: %5 
	Service ID: %6 
	msds-SupportedEncryptionTypes: %7 
	Available Keys: %8 

Domain Controller Information:  
	msds-SupportedEncryptionTypes: %9 
	DefaultDomainSupportedEncTypes: %10 
	Available Keys: %11 

Network Information:  
	Client Address: %12 
	Client Port: %13 
	Advertized Etypes: %14 

See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more.

Fields #

Name	Description
`AccountName` UnicodeString	—
`SuppliedRealm` UnicodeString	—
`AccountSET` UnicodeString	—
`AccountKeys` UnicodeString	—
`ServiceName` UnicodeString	—
`ServiceID` SID	—
`ServiceSET` UnicodeString	—
`ServiceKeys` UnicodeString	—
`DCSET` UnicodeString	—
`DDSET` UnicodeString	—
`DCKeys` UnicodeString	—
`IpAddress` UnicodeString	—
`Port` UInt16	—
`AdvertizedEtypes` UnicodeString	—
`Cipher` UnicodeString	—

Event ID 203 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational
Task: KDCExtendedAudit

Description

The Key Distribution Center (KDC) blocked cipher usage because service msds-SupportedEncryptionTypes is not defined and the client only supports insecure encryption types.

Fields #

Name	Description
`AccountName` UnicodeString	—
`SuppliedRealm` UnicodeString	—
`AccountSET` UnicodeString	—
`AccountKeys` UnicodeString	—
`ServiceName` UnicodeString	—
`ServiceID` SID	—
`ServiceSET` UnicodeString	—
`ServiceKeys` UnicodeString	—
`DCSET` UnicodeString	—
`DDSET` UnicodeString	—
`DCKeys` UnicodeString	—
`IpAddress` UnicodeString	—
`Port` UInt16	—
`AdvertizedEtypes` UnicodeString	—

Event ID 203 — The Key Distribution Center (KDC) blocked cipher usage because service msds-SupportedEncryptionTypes is not defined and the client only supports in...

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: System
Task: KDCExtendedAudit

Description

The Key Distribution Center (KDC) blocked cipher usage because service msds-SupportedEncryptionTypes is not defined and the client only supports insecure encryption types.

Message #

The Key Distribution Center (KDC) blocked cipher usage because service msds-SupportedEncryptionTypes is not defined and the client only supports insecure encryption types. 

Account Information  
	Account Name: %1 
	Supplied Realm Name: %2 
	msds-SupportedEncryptionTypes: %3 
	Available Keys: %4 

Service Information:  
	Service Name: %5 
	Service ID: %6 
	msds-SupportedEncryptionTypes: %7 
	Available Keys: %8 

Domain Controller Information:  
	msds-SupportedEncryptionTypes: %9 
	DefaultDomainSupportedEncTypes: %10 
	Available Keys: %11 

Network Information:  
	Client Address: %12 
	Client Port: %13 
	Advertized Etypes: %14 

See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more.

Fields #

Name	Description
`AccountName` UnicodeString	—
`SuppliedRealm` UnicodeString	—
`AccountSET` UnicodeString	—
`AccountKeys` UnicodeString	—
`ServiceName` UnicodeString	—
`ServiceID` SID	—
`ServiceSET` UnicodeString	—
`ServiceKeys` UnicodeString	—
`DCSET` UnicodeString	—
`DDSET` UnicodeString	—
`DCKeys` UnicodeString	—
`IpAddress` UnicodeString	—
`Port` UInt16	—
`AdvertizedEtypes` UnicodeString	—

Event ID 204 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational
Task: KDCExtendedAudit

Description

The Key Distribution Center (KDC) blocked cipher usage because the service msds-SupportedEncryptionTypes is not defined and the service account only has insecure keys.

Fields #

Name	Description
`AccountName` UnicodeString	—
`SuppliedRealm` UnicodeString	—
`AccountSET` UnicodeString	—
`AccountKeys` UnicodeString	—
`ServiceName` UnicodeString	—
`ServiceID` SID	—
`ServiceSET` UnicodeString	—
`ServiceKeys` UnicodeString	—
`DCSET` UnicodeString	—
`DDSET` UnicodeString	—
`DCKeys` UnicodeString	—
`IpAddress` UnicodeString	—
`Port` UInt16	—
`AdvertizedEtypes` UnicodeString	—

Event ID 204 — The Key Distribution Center (KDC) blocked cipher usage because the service msds-SupportedEncryptionTypes is not defined and the service account onl...

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: System
Task: KDCExtendedAudit

Description

The Key Distribution Center (KDC) blocked cipher usage because the service msds-SupportedEncryptionTypes is not defined and the service account only has insecure keys.

Message #

The Key Distribution Center (KDC) blocked cipher usage because the service msds-SupportedEncryptionTypes is not defined and the service account only has insecure keys.

Account Information
	Account Name: %1
	Supplied Realm Name: %2
	msds-SupportedEncryptionTypes: %3
	Available Keys: %4

Service Information:
	Service Name: %5
	Service ID: %6
	msds-SupportedEncryptionTypes: %7
	Available Keys: %8

Domain Controller Information:
	msds-SupportedEncryptionTypes: %9
	DefaultDomainSupportedEncTypes: %10
	Available Keys: %11

Network Information:
	Client Address: %12
	Client Port: %13
	Advertized Etypes: %14

See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more.

Fields #

Name	Description
`AccountName` UnicodeString	—
`SuppliedRealm` UnicodeString	—
`AccountSET` UnicodeString	—
`AccountKeys` UnicodeString	—
`ServiceName` UnicodeString	—
`ServiceID` SID	—
`ServiceSET` UnicodeString	—
`ServiceKeys` UnicodeString	—
`DCSET` UnicodeString	—
`DDSET` UnicodeString	—
`DCKeys` UnicodeString	—
`IpAddress` UnicodeString	—
`Port` UInt16	—
`AdvertizedEtypes` UnicodeString	—

Event ID 205 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational
Task: KDCExtendedAudit

Description

The Key Distribution Center (KDC) detected explicit insecure cipher enablement in the Default Domain Supported Encryption Types policy configuration.

Fields #

Name	Description
`CipherName` UnicodeString	—
`DDSET` UnicodeString	—

Event ID 205 — The Key Distribution Center (KDC) detected explicit insecure cipher enablement in the Default Domain Supported Encryption Types policy configuration.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: System
Task: KDCExtendedAudit

Description

The Key Distribution Center (KDC) detected explicit insecure cipher enablement in the Default Domain Supported Encryption Types policy configuration.

Message #

The Key Distribution Center (KDC) detected explicit insecure cipher enablement in the Default Domain Supported Encryption Types policy configuration.

Cipher(s): %1
DefaultDomainSupportedEncTypes: %2

See https://go.microsoft.com/fwlink/?linkid=2344614 to learn more.

Fields #

Name	Description
`CipherName` UnicodeString	—
`DDSET` UnicodeString	—

Event ID 300 — The Key Distribution Center (KDC) is being started.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational
Level: Informational
Task: KDC

Description

The Key Distribution Center (KDC) is being started.

Message #

The Key Distribution Center (KDC) is being started.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kerberos-Key-Distribution-Center",
    "guid": "3FD9DA1A-5A54-46C5-9A26-9BD7C0685056",
    "event_source_name": "",
    "event_id": 300,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T21:48:07.889406+00:00",
    "event_record_id": 21,
    "correlation": {},
    "execution": {
      "process_id": 936,
      "thread_id": 2856
    },
    "channel": "Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 301 — The Key Distribution Center (KDC) has stopped with error code: ErrorCode.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational
Task: KDC

Description

The Key Distribution Center (KDC) has stopped with error code: ErrorCode.

Message #

The Key Distribution Center (KDC) has stopped with error code: %1

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 302 — The Key Distribution Center (KDC) uses the below KDC certificate for smart card or certificate authentication.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational
Level: Informational
Task: KDC

Description

The Key Distribution Center (KDC) uses the below KDC certificate for smart card or certificate authentication.

Message #

The Key Distribution Center (KDC) uses the below KDC certificate for smart card or certificate authentication.

Kdc Certificate Information:
  Issuer Name: %1
  Serial Number: %2
  Thumbprint: %3
  Template: %4

Fields #

Name	Description
`Issuer` UnicodeString	—
`SerialNumber` UnicodeString	—
`Thumbprint` UnicodeString	—
`Template` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-Kerberos-Key-Distribution-Center",
    "guid": "3FD9DA1A-5A54-46C5-9A26-9BD7C0685056",
    "event_source_name": "",
    "event_id": 302,
    "version": 0,
    "level": 4,
    "task": 1,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T20:17:39.777902+00:00",
    "event_record_id": 15,
    "correlation": {},
    "execution": {
      "process_id": 968,
      "thread_id": 9364
    },
    "channel": "Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Issuer": "EvtGen-Root-CA",
    "SerialNumber": "4A000000035FD5C8BB1377E3DC000000000003",
    "Thumbprint": "DB0FEA9B641F3814FC5168AE83EF7839AF1BB012",
    "Template": "DomainController"
  },
  "message": ""
}

Event ID 303 — A Kerberos ticket-granting-ticket (TGT) was issued for a member of the Protected User group.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: ProtectedUserSuccesses-DomainController

Description

A Kerberos ticket-granting-ticket (TGT) was issued for a member of the Protected User group.

Message #

A Kerberos ticket-granting-ticket (TGT) was issued for a member of the Protected User group.

Account Information:
	Account Name: %1
	Supplied Realm Name: %2
	User ID: %3

Authentication Policy Information:
	Silo Name: %16
	Policy Name: %17
	TGT Lifetime: %18

Device Information:
	Device Name: %4

Service Information:
	Service Name: %5
	Service ID: %6

Network Information:
	Client Address: %11
	Client Port: %12

Additional Information:
	Ticket Options: %7
	Result Code: %8
	Ticket Encryption Type: %9
	Pre-Authentication Type: %10

Certificate Information:
	Certificate Issuer Name: %13
	Certificate Serial Number: %14
	Certificate Thumbprint: %15

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

Fields #

Name	Description
`TargetUserName` UnicodeString	—
`TargetDomainName` UnicodeString	—
`TargetSid` SID	—
`DeviceName` UnicodeString	—
`ServiceName` UnicodeString	—
`ServiceSid` SID	—
`TicketOptions` HexInt32	— Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Renewable `0x00800000` Opt-hardware-auth `0x00400000` Canonicalize `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`Status` HexInt32	— NTSTATUS reference
`TicketEncryptionType` HexInt32	— Known values `0x1` DES-CBC-CRC `0x3` DES-CBC-MD5 `0x11` AES128-CTS-HMAC-SHA1-96 `0x12` AES256-CTS-HMAC-SHA1-96 `0x17` RC4-HMAC `0x18` RC4-HMAC-EXP `0xFFFFFFFF` Unspecified
`PreAuthType` UnicodeString	— Known values `0` PA-NONE `2` PA-ENC-TIMESTAMP `11` PA-ETYPE-INFO `14` PA-PK-AS-REQ-OLD `15` PA-PK-AS-REQ `16` PA-PK-AS-REP `17` PA-ETYPE-INFO2 `19` PA-ETYPE-INFO2 `20` PA-SVR-REFERRAL-INFO `128` PA-SUPPORTED-ENCTYPES `129` PA-PAC-OPTIONS `165` PA-SPAKE
`IpAddress` UnicodeString	—
`IpPort` UnicodeString	—
`CertIssuerName` UnicodeString	—
`CertSerialNumber` UnicodeString	—
`CertThumbprint` UnicodeString	—
`SiloName` UnicodeString	—
`PolicyName` UnicodeString	—
`TGTLifetime` UInt32	—

Event ID 303 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

A Kerberos ticket-granting-ticket (TGT) was issued for a member of the Protected User group.

Fields #

Name	Description
`TargetUserName` UnicodeString	—
`TargetDomainName` UnicodeString	—
`TargetSid` SID	—
`DeviceName` UnicodeString	—
`ServiceName` UnicodeString	—
`ServiceSid` SID	—
`TicketOptions` HexInt32	— Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Renewable `0x00800000` Opt-hardware-auth `0x00400000` Canonicalize `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`Status` HexInt32	— NTSTATUS reference
`TicketEncryptionType` HexInt32	— Known values `0x1` DES-CBC-CRC `0x3` DES-CBC-MD5 `0x11` AES128-CTS-HMAC-SHA1-96 `0x12` AES256-CTS-HMAC-SHA1-96 `0x17` RC4-HMAC `0x18` RC4-HMAC-EXP `0xFFFFFFFF` Unspecified
`PreAuthType` UnicodeString	— Known values `0` PA-NONE `2` PA-ENC-TIMESTAMP `11` PA-ETYPE-INFO `14` PA-PK-AS-REQ-OLD `15` PA-PK-AS-REQ `16` PA-PK-AS-REP `17` PA-ETYPE-INFO2 `19` PA-ETYPE-INFO2 `20` PA-SVR-REFERRAL-INFO `128` PA-SUPPORTED-ENCTYPES `129` PA-PAC-OPTIONS `165` PA-SPAKE
`IpAddress` UnicodeString	—
`IpPort` UnicodeString	—
`CertIssuerName` UnicodeString	—
`CertSerialNumber` UnicodeString	—
`CertThumbprint` UnicodeString	—
`SiloName` UnicodeString	—
`PolicyName` UnicodeString	—
`TGTLifetime` UInt32	—

Event ID 304 — A Kerberos service ticket was issued for a member of the Protected User group.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: ProtectedUserSuccesses-DomainController

Description

A Kerberos service ticket was issued for a member of the Protected User group.

Message #

A Kerberos service ticket was issued for a member of the Protected User group.

Account Information:
	Account Name: %1
	Account Domain: %2
	Logon GUID: %11

Authentication Policy Information:
	Silo Name: %13
	Policy Name: %14

Device Information:
	Device Name: %3

Service Information:
	Service Name: %4
	Service ID: %5

Network Information:
	Client Address: %8
	Client Port: %9

Additional Information:
	Ticket Options: %6
	Ticket Encryption Type: %7
	Failure Code: %10
	Transited Services: %12

This event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.

Fields #

Name	Description
`TargetUserName` UnicodeString	—
`TargetDomainName` UnicodeString	—
`DeviceName` UnicodeString	—
`ServiceName` UnicodeString	—
`ServiceSid` SID	—
`TicketOptions` HexInt32	— Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Renewable `0x00800000` Opt-hardware-auth `0x00400000` Canonicalize `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`TicketEncryptionType` HexInt32	— Known values `0x1` DES-CBC-CRC `0x3` DES-CBC-MD5 `0x11` AES128-CTS-HMAC-SHA1-96 `0x12` AES256-CTS-HMAC-SHA1-96 `0x17` RC4-HMAC `0x18` RC4-HMAC-EXP `0xFFFFFFFF` Unspecified
`IpAddress` UnicodeString	—
`IpPort` UnicodeString	—
`Status` HexInt32	— NTSTATUS reference
`LogonGuid` GUID	—
`TransitedServices` UnicodeString	—
`SiloName` UnicodeString	—
`PolicyName` UnicodeString	—

Event ID 304 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

A Kerberos service ticket was issued for a member of the Protected User group.

Fields #

Name	Description
`TargetUserName` UnicodeString	—
`TargetDomainName` UnicodeString	—
`DeviceName` UnicodeString	—
`ServiceName` UnicodeString	—
`ServiceSid` SID	—
`TicketOptions` HexInt32	— Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Renewable `0x00800000` Opt-hardware-auth `0x00400000` Canonicalize `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`TicketEncryptionType` HexInt32	— Known values `0x1` DES-CBC-CRC `0x3` DES-CBC-MD5 `0x11` AES128-CTS-HMAC-SHA1-96 `0x12` AES256-CTS-HMAC-SHA1-96 `0x17` RC4-HMAC `0x18` RC4-HMAC-EXP `0xFFFFFFFF` Unspecified
`IpAddress` UnicodeString	—
`IpPort` UnicodeString	—
`Status` HexInt32	— NTSTATUS reference
`LogonGuid` GUID	—
`TransitedServices` UnicodeString	—
`SiloName` UnicodeString	—
`PolicyName` UnicodeString	—

Event ID 305 — A Kerberos ticket-granting-ticket (TGT) was issued, but it will be denied when Authentication Policy is enforced because the device does not meet t...

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: AuthenticationPolicyFailures-DomainController

Description

A Kerberos ticket-granting-ticket (TGT) was issued, but it will be denied when Authentication Policy is enforced because the device does not meet the access control restrictions.

Message #

A Kerberos ticket-granting-ticket (TGT) was issued, but it will be denied when Authentication Policy is enforced because the device does not meet the access control restrictions.

Account Information:
	Account Name: %1
	Supplied Realm Name: %2
	User ID: %3

Authentication Policy Information:
	Silo Name: %16
	Policy Name: %17
	TGT Lifetime: %18

Device Information:
	Device Name: %4

Service Information:
	Service Name: %5
	Service ID: %6

Network Information:
	Client Address: %11
	Client Port: %12

Additional Information:
	Ticket Options: %7
	Result Code: %8
	Ticket Encryption Type: %9
	Pre-Authentication Type: %10

Certificate Information:
	Certificate Issuer Name: %13
	Certificate Serial Number: %14
	Certificate Thumbprint: %15

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

Fields #

Name	Description
`TargetUserName` UnicodeString	—
`TargetDomainName` UnicodeString	—
`TargetSid` SID	—
`DeviceName` UnicodeString	—
`ServiceName` UnicodeString	—
`ServiceSid` SID	—
`TicketOptions` HexInt32	— Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Renewable `0x00800000` Opt-hardware-auth `0x00400000` Canonicalize `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`Status` HexInt32	— NTSTATUS reference
`TicketEncryptionType` HexInt32	— Known values `0x1` DES-CBC-CRC `0x3` DES-CBC-MD5 `0x11` AES128-CTS-HMAC-SHA1-96 `0x12` AES256-CTS-HMAC-SHA1-96 `0x17` RC4-HMAC `0x18` RC4-HMAC-EXP `0xFFFFFFFF` Unspecified
`PreAuthType` UnicodeString	— Known values `0` PA-NONE `2` PA-ENC-TIMESTAMP `11` PA-ETYPE-INFO `14` PA-PK-AS-REQ-OLD `15` PA-PK-AS-REQ `16` PA-PK-AS-REP `17` PA-ETYPE-INFO2 `19` PA-ETYPE-INFO2 `20` PA-SVR-REFERRAL-INFO `128` PA-SUPPORTED-ENCTYPES `129` PA-PAC-OPTIONS `165` PA-SPAKE
`IpAddress` UnicodeString	—
`IpPort` UnicodeString	—
`CertIssuerName` UnicodeString	—
`CertSerialNumber` UnicodeString	—
`CertThumbprint` UnicodeString	—
`SiloName` UnicodeString	—
`PolicyName` UnicodeString	—
`TGTLifetime` UInt32	—

Event ID 305 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

A Kerberos ticket-granting-ticket (TGT) was issued, but it will be denied when Authentication Policy is enforced because the device does not meet the access control restrictions.

Fields #

Name	Description
`TargetUserName` UnicodeString	—
`TargetDomainName` UnicodeString	—
`TargetSid` SID	—
`DeviceName` UnicodeString	—
`ServiceName` UnicodeString	—
`ServiceSid` SID	—
`TicketOptions` HexInt32	— Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Renewable `0x00800000` Opt-hardware-auth `0x00400000` Canonicalize `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`Status` HexInt32	— NTSTATUS reference
`TicketEncryptionType` HexInt32	— Known values `0x1` DES-CBC-CRC `0x3` DES-CBC-MD5 `0x11` AES128-CTS-HMAC-SHA1-96 `0x12` AES256-CTS-HMAC-SHA1-96 `0x17` RC4-HMAC `0x18` RC4-HMAC-EXP `0xFFFFFFFF` Unspecified
`PreAuthType` UnicodeString	— Known values `0` PA-NONE `2` PA-ENC-TIMESTAMP `11` PA-ETYPE-INFO `14` PA-PK-AS-REQ-OLD `15` PA-PK-AS-REQ `16` PA-PK-AS-REP `17` PA-ETYPE-INFO2 `19` PA-ETYPE-INFO2 `20` PA-SVR-REFERRAL-INFO `128` PA-SUPPORTED-ENCTYPES `129` PA-PAC-OPTIONS `165` PA-SPAKE
`IpAddress` UnicodeString	—
`IpPort` UnicodeString	—
`CertIssuerName` UnicodeString	—
`CertSerialNumber` UnicodeString	—
`CertThumbprint` UnicodeString	—
`SiloName` UnicodeString	—
`PolicyName` UnicodeString	—
`TGTLifetime` UInt32	—

Event ID 306 — A Kerberos service ticket was issued, but it will be denied when Authentication Policy is enforced for a member of the Protected User group because...

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: AuthenticationPolicyFailures-DomainController

Message #

A Kerberos service ticket was issued, but it will be denied when Authentication Policy is enforced for a member of the Protected User group because the user, device, or both does not meet the access control restrictions.

Account Information:
	Account Name: %1
	Account Domain: %2
	Logon GUID: %11

Authentication Policy Information:
	Silo Name: %13
	Policy Name: %14

Device Information:
	Device Name: %3

Service Information:
	Service Name: %4
	Service ID: %5

Network Information:
	Client Address: %8
	Client Port: %9

Additional Information:
	Ticket Options: %6
	Ticket Encryption Type: %7
	Failure Code: %10
	Transited Services: %12

This event is generated every time access is requested to a resource such as a computer or a Windows service.  The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.  The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.

Fields #

Name	Description
`TargetUserName` UnicodeString	—
`TargetDomainName` UnicodeString	—
`DeviceName` UnicodeString	—
`ServiceName` UnicodeString	—
`ServiceSid` SID	—
`TicketOptions` HexInt32	— Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Renewable `0x00800000` Opt-hardware-auth `0x00400000` Canonicalize `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`TicketEncryptionType` HexInt32	— Known values `0x1` DES-CBC-CRC `0x3` DES-CBC-MD5 `0x11` AES128-CTS-HMAC-SHA1-96 `0x12` AES256-CTS-HMAC-SHA1-96 `0x17` RC4-HMAC `0x18` RC4-HMAC-EXP `0xFFFFFFFF` Unspecified
`IpAddress` UnicodeString	—
`IpPort` UnicodeString	—
`Status` HexInt32	— NTSTATUS reference
`LogonGuid` GUID	—
`TransitedServices` UnicodeString	—
`SiloName` UnicodeString	—
`PolicyName` UnicodeString	—

Event ID 306 —

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Fields #

Name	Description
`TargetUserName` UnicodeString	—
`TargetDomainName` UnicodeString	—
`DeviceName` UnicodeString	—
`ServiceName` UnicodeString	—
`ServiceSid` SID	—
`TicketOptions` HexInt32	— Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Renewable `0x00800000` Opt-hardware-auth `0x00400000` Canonicalize `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`TicketEncryptionType` HexInt32	— Known values `0x1` DES-CBC-CRC `0x3` DES-CBC-MD5 `0x11` AES128-CTS-HMAC-SHA1-96 `0x12` AES256-CTS-HMAC-SHA1-96 `0x17` RC4-HMAC `0x18` RC4-HMAC-EXP `0xFFFFFFFF` Unspecified
`IpAddress` UnicodeString	—
`IpPort` UnicodeString	—
`Status` HexInt32	— NTSTATUS reference
`LogonGuid` GUID	—
`TransitedServices` UnicodeString	—
`SiloName` UnicodeString	—
`PolicyName` UnicodeString	—

Event ID 307 — The Key Distribution Center (KDC) used the PKINIT protocol with encryption mode for the client ClientName.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

The Key Distribution Center (KDC) used the PKINIT protocol with encryption mode for the client ClientName.

Message #

The Key Distribution Center (KDC) used the PKINIT protocol with encryption mode for the client %1.

Fields #

Name	Description
`ClientName` UnicodeString	—

Event ID 308 — The Key Distribution Center (KDC) is unable to use the PKINIT protocol because the client ClientName requested encryption mode and the KDC does not support...

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

The Key Distribution Center (KDC) is unable to use the PKINIT protocol because the client ClientName requested encryption mode and the KDC does not support it.

Message #

The Key Distribution Center (KDC) is unable to use the PKINIT protocol because the client %1 requested encryption mode and the KDC does not support it.

Fields #

Name	Description
`ClientName` UnicodeString	—

Event ID 309 — The kerberos client used a hash algorithm for the PKINIT protocol that is being audited: Algorithm.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

The kerberos client used a hash algorithm for the PKINIT protocol that is being audited: Algorithm.

Message #

The kerberos client used a hash algorithm for the PKINIT protocol that is being audited: %1.

Fields #

Name	Description
`Algorithm` UnicodeString	—

Event ID 310 — The kerberos client used a hash algorithm for the PKINIT protocol that is not suppported: Algorithm.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

The kerberos client used a hash algorithm for the PKINIT protocol that is not suppported: Algorithm.

Message #

The kerberos client used a hash algorithm for the PKINIT protocol that is not suppported: %1.

Fields #

Name	Description
`Algorithm` UnicodeString	—

Event ID 311 — The Kerberos client did not supply a supported encryption type for use with the PKINIT protocol using encryption mode.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

The Kerberos client did not supply a supported encryption type for use with the PKINIT protocol using encryption mode.

Message #

The Kerberos client did not supply a supported encryption type for use with the PKINIT protocol using encryption mode.
 Client Principal Name: %1
 Client IP Address: %2
 Client Supplied NetBIOS Name: %3

Fields #

Name	Description
`ClientName` UnicodeString	—
`IPAddress` UnicodeString	—
`ClientNetBIOSName` UnicodeString	—

Event ID 312 — The Key Distribution Center (KDC) has an invalid hash algorithm configuration for PKINIT.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

The Key Distribution Center (KDC) has an invalid hash algorithm configuration for PKINIT. This might result in PKINIT failures.

Message #

The Key Distribution Center (KDC) has an invalid hash algorithm configuration for PKINIT. This might result in PKINIT failures.

Event ID 313 — The Key Distribution Center (KDC) encountered invalid certificate strong name match policy.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

The Key Distribution Center (KDC) encountered invalid certificate strong name match policy.

Message #

The Key Distribution Center (KDC) encountered invalid certificate strong name match policy.

 Faulting line: %1

Fields #

Name	Description
`EntryNumber` UInt32	—

Event ID 314 — An unauthorized Kerberos client attempted to fetch DMSA keys.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

An unauthorized Kerberos client attempted to fetch DMSA keys.

Message #

An unauthorized Kerberos client attempted to fetch DMSA keys.

Error code: %1
Machine: %2
DMSA: %3
Migration State: %4

Fields #

Name	Description
`KerbErr` HexInt32	—
`Machine` UnicodeString	—
`DMSA` UnicodeString	—
`MigrationState` UInt32	—

Event ID 315 — A Kerberos client attempted to fetch DMSA keys.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

A Kerberos client attempted to fetch DMSA keys.

Message #

A Kerberos client attempted to fetch DMSA keys.

DMSA: %1
Machine: %2
Error Code: %3

Fields #

Name	Description
`DMSA` UnicodeString	—
`Machine` UnicodeString	—
`KerbErr` HexInt32	—

Event ID 400 — A Kerberos authentication ticket (TGT) was requested.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational
Task: KDCExtendedAudit

Description

A Kerberos authentication ticket (TGT) was requested.

Message #

A Kerberos authentication ticket (TGT) was requested.

Account Information:
	Account Name: %1
	Supplied Realm Name: %2
	User ID: %3

Service Information:
	Service Name: %4
	Service ID: %5

Fields #

Name	Description
`TargetUserName` UnicodeString	—
`TargetDomainName` UnicodeString	—
`TargetSid` SID	—
`ServiceName` UnicodeString	—
`ServiceSid` SID	—
`TicketOptions` UInt32	— Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Renewable `0x00800000` Opt-hardware-auth `0x00400000` Canonicalize `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`Status` UInt32	— NTSTATUS reference
`TicketEncryptionType` UInt32	— Known values `0x1` DES-CBC-CRC `0x3` DES-CBC-MD5 `0x11` AES128-CTS-HMAC-SHA1-96 `0x12` AES256-CTS-HMAC-SHA1-96 `0x17` RC4-HMAC `0x18` RC4-HMAC-EXP `0xFFFFFFFF` Unspecified
`PreAuthType` UInt32	— Known values `0` PA-NONE `2` PA-ENC-TIMESTAMP `11` PA-ETYPE-INFO `14` PA-PK-AS-REQ-OLD `15` PA-PK-AS-REQ `16` PA-PK-AS-REP `17` PA-ETYPE-INFO2 `19` PA-ETYPE-INFO2 `20` PA-SVR-REFERRAL-INFO `128` PA-SUPPORTED-ENCTYPES `129` PA-PAC-OPTIONS `165` PA-SPAKE
`IpAddressLength` UInt32	—
`IpAddress` Binary	—
`CertIssuerName` UnicodeString	—
`CertSerialNumber` UnicodeString	—
`CertThumbprint` UnicodeString	—
`ResponseTicket` UnicodeString	—
`ClientNetbiosName` UnicodeString	—
`ResponseExtendedNtStatusCode` UInt32	—
`ResponseTicketLength` UInt32	—
`ResponseTicketStartTime` FILETIME	—
`ResponseTicketEndTime` FILETIME	—
`RequestSupportedEncryptionTypes` UnicodeString	—
`RequestFullServiceName` UnicodeString	—
`RequestFullServiceNameType` UInt32	—
`RequestClientName` UnicodeString	—
`RequestClientNameType` UInt32	—
`RequestRealm` UnicodeString	—
`ResponseTicketFullServiceName` UnicodeString	—
`ResponseTicketFullServiceNameType` UInt32	—
`ResponseTicketRealm` UnicodeString	—
`ResponseTicketKeyVersion` UInt32	—
`ResponseEncryptedDataEncryptionType` UInt32	—
`ArmorKeyEncryptionType` UInt32	—
`ClientPreAuthEncryptionType` UInt32	—
`PacRequestType` UInt32	—
`CertNotBefore` FILETIME	—
`CertNotAfter` FILETIME	—
`CertSubjectName` UnicodeString	—
`PreAuthNonce` UInt32	—
`LogonStatus` UInt32	—
`PreAuthSupportedEncryptionTypes` UnicodeString	—
`ClientCertificateContextLength` UInt32	—
`ClientCertificateContext` Binary	—
`UsedOldPassword` Boolean	—
`UserObjectGuid` GUID	—

Event ID 401 — A Kerberos service ticket was requested.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational
Task: KDCExtendedAudit

Description

A Kerberos service ticket was requested.

Message #

A Kerberos service ticket was requested.

Account Information:
	Account Name: %1
	Account Domain: %2
	Logon GUID: %10

Service Information:
	Service Name: %3
	Service ID: %4

Fields #

Name	Description
`TargetUserName` UnicodeString	—
`TargetDomainName` UnicodeString	—
`ServiceName` UnicodeString	—
`ServiceSid` SID	—
`TicketOptions` UInt32	— Bitmask flags `0x40000000` Forwardable `0x20000000` Forwarded `0x10000000` Proxiable `0x08000000` Proxy `0x04000000` Allow-postdate `0x02000000` Postdated `0x01000000` Renewable `0x00800000` Opt-hardware-auth `0x00400000` Canonicalize `0x00000010` Renewable-ok `0x00000008` Enc-tkt-in-skey `0x00000002` Renew `0x00000001` Validate
`TicketEncryptionType` UInt32	— Known values `0x1` DES-CBC-CRC `0x3` DES-CBC-MD5 `0x11` AES128-CTS-HMAC-SHA1-96 `0x12` AES256-CTS-HMAC-SHA1-96 `0x17` RC4-HMAC `0x18` RC4-HMAC-EXP `0xFFFFFFFF` Unspecified
`IpAddressLength` UInt32	—
`IpAddress` Binary	—
`Status` UInt32	— NTSTATUS reference
`LogonGuid` GUID	—
`TransmittedServices` UnicodeString	—
`RequestTicketHash` UnicodeString	—
`ResponseTicketHash` UnicodeString	—
`ClientNetbiosName` UnicodeString	—
`ResponseExtendedNtStatusCode` UInt32	—
`PacOptions` UInt32	—
`RequestTicketLength` UInt32	—
`ResponseTicketLength` UInt32	—
`RequestTicketAuthTime` FILETIME	—
`RequestTicketFlags` UInt32	—
`RequestTicketRenewUntil` FILETIME	—
`RequestTicketStartTime` FILETIME	—
`RequestTicketEndTime` FILETIME	—
`ResponseTicketStartTime` FILETIME	—
`ResponseTicketEndTime` FILETIME	—
`RequestSupportedEncryptionTypes` UnicodeString	—
`RequestAuthDataEncryptionType` UInt32	—
`RequestAuthDataLength` UInt32	—
`RequestNonce` UInt32	—
`RequestFullServiceName` UnicodeString	—
`RequestFullServiceNameType` UInt32	—
`RequestRealm` UnicodeString	—
`RequestTicketFullServiceName` UnicodeString	—
`RequestTicketFullServiceNameType` UInt32	—
`RequestTicketRealm` UnicodeString	—
`RequestTicketClientName` UnicodeString	—
`RequestTicketClientNameType` UInt32	—
`RequestTicketClientRealm` UnicodeString	—
`ResponseTicketFullServiceName` UnicodeString	—
`ResponseTicketFullServiceNameType` UInt32	—
`ResponseTicketRealm` UnicodeString	—
`RequestTicketKeyVersion` UInt32	—
`ResponseTicketKeyVersion` UInt32	—
`RequestTicketEncryptionType` UInt32	—
`ArmorKeyEncryptionType` UInt32	—
`U2UTgtAccountName` UnicodeString	—
`U2UTgtCRealm` UnicodeString	—
`U2UTgtCName` UnicodeString	—
`U2UTicketLength` UInt32	—
`U2UTicketEncryptionType` UInt32	—
`U2UTicketHash` UnicodeString	—
`U2UTicketKeyVersion` UInt32	—
`U2UTicketFullServiceName` UnicodeString	—
`U2UTicketFullServiceNameType` UInt32	—
`S4UAccountName` UnicodeString	—
`S4UPACClientName` UnicodeString	—
`S4UPACClientRealm` UnicodeString	—
`S4UTargetName` UnicodeString	—
`S4UNonce` UInt32	—
`S4URequestorSid` SID	—
`S4UAdditionalTicketKeyVersion` UInt32	—
`S4URequestorServiceName` UnicodeString	—
`S4URequestorServiceRealm` UnicodeString	—
`S4UAdditionalTicketLength` UInt32	—
`S4UAdditionalTicketEncryptionType` UInt32	—
`S4UAdditionalTicketHash` UnicodeString	—
`S4UAdditionalTicketFullServiceName` UnicodeString	—
`S4UAdditionalTicketFullServiceNameType` UInt32	—
`ServiceObjectGuid` GUID	—
`RequestTicketPacLogonInfoLength` UInt32	—
`RequestTicketPacLogonInfo` Binary	—
`RequestTicketPacUpnDnsInfoLength` UInt32	—
`RequestTicketPacUpnDnsInfo` Binary	—
`RequestTicketPacRequestorSid` SID	—
`RequestTicketPacLogonServer` UnicodeString	—
`RequestTicketPacLogonDomainName` UnicodeString	—
`RequestTicketPacFullName` UnicodeString	—
`RequestTicketPacHomeDirectory` UnicodeString	—
`RequestTicketPacGroupIds` UnicodeString	—
`RequestTicketPacUserId` UInt32	—
`RequestTicketPacPrimaryGroupId` UInt32	—
`RequestTicketPacGroupCount` UInt32	—
`RequestTicketPacBadPasswordCount` UInt32	—
`RequestTicketPacLogonCount` UInt32	—
`RequestTicketPacUserAccountControlFlags` UInt32	—
`RequestTicketPacUserFlags` UInt32	—
`RequestTicketPacLogonTime` FILETIME	—
`RequestTicketPacLogoffTime` FILETIME	—
`RequestTicketPacKickOffTime` FILETIME	—
`RequestTicketPacPasswordLastSet` FILETIME	—
`RequestTicketPacLastSuccessfulLogon` FILETIME	—
`RequestTicketPacLastFailedLogon` FILETIME	—
`RequestTicketPacFailedAttemptCountSinceSuccessfulLogon` UInt32	—

Event ID 2147483651 — Could not find principal %1.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

Could not find principal.

Message #

Could not find principal %1

Event ID 2147483652 — Domain %1 propagated to us but did not authenticate.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

Domain propagated to us but did not authenticate.

Message #

Domain %1 propagated to us but did not authenticate.

Event ID 2147483660 — A request failed from client realm %1 for a ticket in realm %2.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

A request failed from client realm for a ticket in realm . This failed because a trust link between the realms is non transitive.

Message #

A request failed from client realm %1 for a ticket in realm %2. This failed because a trust link between the realms is non transitive.

Event ID 2147483667 — This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable ...

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate.

Message #

This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate.

Event ID 2147483668 — The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public key infrastructure. The chain status is in the error data.

Event ID 2147483669 — The client certificate for the user %1\%2 is not valid, and resulted in a failed smartcard logon.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

The client certificate for the user %1\%2 is not valid, and resulted in a failed smartcard logon. Please contact the user for more information about the certificate they're attempting to use for smartcard logon. The chain status was : %3

Event ID 2147483670 — The KDC encountered a trust loop when building a list of trusted domains.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

The KDC encountered a trust loop when building a list of trusted domains. This indicates that the route to the domain from this KDC has more than one possible trust path.

Message #

The KDC encountered a trust loop when building a list of trusted domains. This indicates that the route to the domain %1 from this KDC has more than one possible trust path.

Event ID 2147483671 — The KDC received invalid messages of type %1.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

The KDC received invalid messages of type .

Message #

The KDC received invalid messages of type %1.

Event ID 2147483672 — A service ticket request by client %1 for %2 was rejected because User2User was required.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

A service ticket request by client %1 for %2 was rejected because User2User was required. The KDC responds with this error when a client requests a service ticket for a user principal (a security risk). The client must support User2User in order to obtain a service ticket for the requested service principal

Event ID 2147483673 — The account %1 from domain %2 is attempting to use S4USelf for the target client %3, but is not allowed to perform group expansion on this client's...

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

The account %1 from domain %2 is attempting to use S4USelf for the target client %3, but is not allowed to perform group expansion on this client's user object. It may be necessary to adjust the ACL on the TokenGroupsGlobalAndUniversal attribute on the target client's user object to allow S4USelf to function correctly. This can also be accomplished by adding %1 to the Windows Authorization Access Group.

Event ID 2147483676 — When generating a cross realm referral from domain %1 the KDC was not able to find the suitable key to verify the ticket.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

When generating a cross realm referral from domain %1 the KDC was not able to find the suitable key to verify the ticket. The ticket key version in the request was %2 and the available key version was %3. This most common reason for this error is a delay in replicating the keys. In order to remove this problem try forcing replication or wait for the replication of keys to occur.

Event ID 2147483677 — The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

Event ID 2147483678 — The Kerberos Key Distribution Center failed to locate the forest or domain %1 to search.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

The Kerberos Key Distribution Center failed to locate the forest or domain %1 to search.  Please ensure that the forest search order policy is correctly configured, and that this forest or domain is available.

Event ID 2147483679 — A ticket to the service %2 is issued for account %1.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

A ticket to the service %2 is issued for account %1. The size of the encrypted part of this ticket is %3 bytes, which is close or greater than the configured ticket size threshold (%4 bytes). This ticket or any additional tickets issued from this ticket might result in authentication failures if the client or server application allocates SSPI token buffers bounded by a value that is close to the threshold value.
The size of ticket is largely determined by the size of authorization data it carries. The size of authorization data is determined by the groups the account is member of, the claims data the account is setup for, and the resource groups resolved in the resource domain.

Event ID 2147483680 — The Key Distribution Center (KDC) uses a certificate without KDC Extended Key Usage (EKU) which can result in authentication failures for device ce...

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

The Key Distribution Center (KDC) uses a certificate without KDC Extended Key Usage (EKU) which can result in authentication failures for device certificate logon and smart card logon from non-domain-joined devices. Enrollment of a KDC certificate with KDC EKU (Kerberos Authentication template) is required to remove this warning.

Event ID 2147483681 — The Key Distribution Center (KDC) encountered failures when updating the krbtgt account for the Dynamic Access Control and Kerberos armoring policy...

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

The Key Distribution Center (KDC) encountered failures when updating the krbtgt account for the Dynamic Access Control and Kerberos armoring policy capability for the domain. This update was performed so that all the domain controllers including read-only domain controllers (RODCs) in this domain could advertise support for Dynamic Access Control and Kerberos armoring. This failure indicates that there could be domain controllers that have not received updated krbtgt account values. If the update to the krbtgt account is in transit, then you can run Gpupdate /force as a possible workaround to this failure. More information about this update:

  Object Rid: %1
  Update bits: %2
  Bitmask: %3
  Error Code: %4

Event ID 2147483682 — The Key Distribution Center (KDC) has the Dynamic Access Control and Kerberos armoring policy configured for a level which requires a higher domain...

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

The Key Distribution Center (KDC) has the Dynamic Access Control and Kerberos armoring policy configured for a level which requires a higher domain functional level. Until the domain functional level is raised, the KDC will only support the level configured as Supported.

Event ID 2147483683 — The Key Distribution Center (KDC) encountered a ticket-granting-ticket (TGT) from another KDC that did not contain a PAC attributes field.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

The Key Distribution Center (KDC) encountered a ticket-granting-ticket (TGT) from another KDC (%1) that did not contain a PAC attributes field. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.

Event ID 2147483684 — The Key Distribution Center (KDC) encountered a ticket that did not contain a PAC while processing a request for another ticket.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

The Key Distribution Center (KDC) encountered a ticket that did not contain a PAC while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.

  Client: %1\\%2
  Ticket for: %3

Event ID 2147483685 — The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processin...

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

The Key Distribution Center (KDC) encountered a ticket that did not contain information about the account that requested the ticket while processing a request for another ticket. This prevented security checks from running and could open security vulnerabilities. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.

  Ticket PAC constructed by: %1
  Client: %2\\%3
  Ticket for: %4

Event ID 2147483686 — The Key Distribution Center (KDC) encountered a ticket that contained inconsistent information about the account that requested the ticket.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

The Key Distribution Center (KDC) encountered a ticket that contained inconsistent information about the account that requested the ticket. This could mean that the account has been renamed since the ticket was issued, which may have been part of an attempted exploit. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.

  Ticket PAC constructed by: %1
  Client: %2\\%3
  Ticket for: %4
  Requesting Account SID from Active Directory: %5
  Requesting Account SID from Ticket: %6

Event ID 2147483687 — The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID). Such certificates should either be replaced or mapped directly to the user via explicit mapping. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more.

  User: %1
  Certificate Subject: %2
  Certificate Issuer: %3
  Certificate Serial Number: %4
  Certificate Thumbprint: %5
  Certificate Issuance Policies: %6

Event ID 2147483688 — The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

The Key Distribution Center (KDC) encountered a user certificate that was valid but could not be mapped to a user in a secure way (such as via explicit mapping, key trust mapping, or a SID). The certificate also predated the user it mapped to, so it was rejected. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more.

  User: %1
  Certificate Subject: %2
  Certificate Issuer: %3
  Certificate Serial Number: %4
  Certificate Thumbprint: %5
  Certificate Issuance Policies: %6
  Certificate Issuance Time: %7
  Account Creation Time: %8

Event ID 2147483689 — The Key Distribution Center (KDC) encountered a user certificate that was valid but contained a different SID than the user to which it mapped.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

The Key Distribution Center (KDC) encountered a user certificate that was valid but contained a different SID than the user to which it mapped. As a result, the request involving the certificate failed. See https://go.microsoft.com/fwlink/?linkid=2189925 to learn more.

  User: %1
 User SID: %2
 Certificate Subject: %3
  Certificate Issuer: %4
  Certificate Serial Number: %5
  Certificate Thumbprint: %6
  Certificate Issuance Policies: %7
  Certificate SID: %8

Event ID 2147483690 — The Kerberos Key Distribution Center lacks strong keys for account %1.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

The Kerberos Key Distribution Center lacks strong keys for account .

Message #

The Kerberos Key Distribution Center lacks strong keys for account %1.

You must update the password of this account to prevent use of insecure cryptography. 

See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more.

Event ID 2147483691 — The Key Distribution Center (KDC) encountered a ticket that it could not validate the full PAC Signature.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

The Key Distribution Center (KDC) encountered a ticket that it could not validate the full PAC Signature. See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more.

Message #

The Key Distribution Center (KDC) encountered a ticket that it could not validate the full PAC Signature. See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more.

  Client: %1\\%2

Event ID 2147483692 — The Key Distribution Center (KDC) encountered a ticket that did not contained the full PAC Signature.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

The Key Distribution Center (KDC) encountered a ticket that did not contained the full PAC Signature. See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more.

Message #

The Key Distribution Center (KDC) encountered a ticket that did not contained the full PAC Signature. See https://go.microsoft.com/fwlink/?linkid=2210019 to learn more.

  Client: %1\\%2

Event ID 2147483693 — The Key Distribution Center (KDC) encountered a client certificate that was valid but did not chain to a root in the NTAuth store.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

The Key Distribution Center (KDC) encountered a client certificate that was valid but did not chain to a root in the NTAuth store. Support for certificates that do not chain to the NTAuth store is deprecated. See https://go.microsoft.com/fwlink/?linkid=2300705 to learn more.

  User: %1
  Certificate Subject: %2
  Certificate Issuer: %3
  Certificate Serial Number: %4
  Certificate Thumbprint: %5

Event ID 3221225477 — The KDC failed to update policy class %1.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

The KDC failed to update policy class . The error is in the data.

Message #

The KDC failed to update policy class %1. The error is in the data.

Event ID 3221225478 — The KDC failed to update the trusted domain list.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

The KDC failed to update the trusted domain list. The error is in the data.

Message #

The KDC failed to update the trusted domain list. The error is in the data.

Event ID 3221225479 — The Security Account Manager failed a KDC request in an unexpected way.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was and lookup type .

Message #

The Security Account Manager failed a KDC request in an unexpected way. The error is in the data field. The account name was %1 and lookup type %2.

Event ID 3221225480 — The account %1 did not have a suitable key for generating a Kerberos ticket.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

The account %1 did not have a suitable key for generating a Kerberos ticket. If the encryption type is supported, changing or setting the password will generate a proper key.  The missing key type may be in the data field.

Event ID 3221225482 — The attempt to change the password on the KRBTGT account failed.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

The attempt to change the password on the KRBTGT account failed. The error code is in the data field.

Message #

The attempt to change the password on the KRBTGT account failed. The error code is in the data field

Event ID 3221225483 — The KDC encountered duplicate names while processing a Kerberos authentication request.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is %1 (of type %2). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occurring remove the duplicate entries for %1 in Active Directory.

Event ID 3221225485 — The account for %1 has corrupt keys stored in the DS.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

The account for has corrupt keys stored in the DS. Changing or setting the password should restore correct keys.

Message #

The account for %1 has corrupt keys stored in the DS. Changing or setting the password should restore correct keys.

Event ID 3221225486 — While processing an AS request for target service %1, the account %2 did not have a suitable key for generating a Kerberos ticket.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

While processing an AS request for target service %1, the account %2 did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of %3). The requested etypes : %4. The accounts available etypes : %5. Changing or resetting the password of %6 will generate a proper key.

Event ID 3221225487 — The request for an AS ticket for client %1 was forwarded to the PDC.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

The request for an AS ticket for client %1 was forwarded to the PDC. An invalid response to this forwarded request was detected and could indicate an attempt to spoof your PDC. There may be additional information in the data field.

Event ID 3221225488 — While processing a TGS request for the target server %1, the account %2 did not have a suitable key for generating a Kerberos ticket.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

While processing a TGS request for the target server %1, the account %2 did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of %3). The requested etypes were %4. The accounts available etypes were %5. Changing or resetting the password of %6 will generate a proper key.

Event ID 3221225489 — When updating policy class %1, the KDC encountered invalid policy data and has failed to update the policy.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

When updating policy class , the KDC encountered invalid policy data and has failed to update the policy.

Message #

When updating policy class %1, the KDC encountered invalid policy data and has failed to update the policy.

Event ID 3221225490 — During TGS processing, the KDC was unable to verify the signature on the PAC from %1.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Description

During TGS processing, the KDC was unable to verify the signature on the PAC from . This indicates the PAC was modified.

Message #

During TGS processing, the KDC was unable to verify the signature on the PAC from %1. This indicates the PAC was modified.

Event ID 3221225498 — While processing an AS request for target service %1, the account %2 did not have a suitable key for generating a Kerberos ticket.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

While processing an AS request for target service %1, the account %2 did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of %3). The requested etypes were %4. The accounts available etypes were %5.

Event ID 3221225499 — While processing a TGS request for the target server %1, the account %2 did not have a suitable key for generating a Kerberos ticket.

Provider: Microsoft-Windows-Kerberos-Key-Distribution-Center
Channel: Operational

Message #

While processing a TGS request for the target server %1, the account %2 did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of %3). The requested etypes were %4. The accounts available etypes were %5.