Event ID 4777 — The domain controller failed to validate the credentials for an account.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Account Logon → Credential Validation
Collection Priority: Recommended (Palantir, others)
Opcode: Info

Description

The domain controller failed to validate the credentials for an account.

Message #

The domain controller failed to validate the credentials for an account.

Authentication Package: %1
Logon Account: %2
Source Workstation: %3
Error Code: %4

Fields #

Name	Description
`Authentication_Package` UnicodeString	—
`Logon_Account` UnicodeString	—
`Source_Workstation` UnicodeString	—
`Error_Code` UnicodeString	—
`ClientUserName` UnicodeString	Authentication Package
`TargetUserName` UnicodeString	Logon Account
`Workstation` UnicodeString	Source Workstation
`Status` UnicodeString	Error Code NTSTATUS reference

Community Notes #

Logged when NTLM credential validation fails. Pair with 4776 (which logs both successes and failures).

The Status field is an NTSTATUS code — see Event 4776 for the full code table.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4777
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-credential-validation
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4777