What is event ID 4776?
Event ID 4776 is logged whenever a domain controller (DC) attempts to validate the credentials of an account using NTLM instead of Kerberos. This event is also logged for logon attempts to the local SAM account in workstations and Windows servers, as NTLM is the default authentication mechanism for local logon.
Why monitor NTLM event ID 4776?
NTLM should only be used for local logon attempts. You should monitor event ID 4776 to list all NTLM authentication attempts in your domain and pay close attention to events generated by accounts that should never use NTLM for authentication.
What is an event identifier?
Event identifiers uniquely identify a particular event. Each event source can define its own numbered events and the description strings to which they are mapped in its message file. Event viewers can present these strings to the user. They should help the user understand what went wrong and suggest what actions to take.
What is the result code for the NTLM authentication event?
This event is also logged for logon attempts to the local SAM account in workstations and Windows servers, as NTLM is the default authentication mechanism for local logon. If the credentials were successfully validated, the authenticating computer logs this event ID with the Result Code field equal to “0x0”.
What does event ID 16645 mean?
Event ID: 16645 Description: The maximum account identifier allocated to this domain controller has been assigned. The domain controller has failed to obtain a new identifier pool. A possible reason for this is that the domain controller has been unable to contact the master domain controller.
What is the legacy Windows Event ID?
The “Legacy Windows Event ID” column lists the corresponding event ID in legacy versions of Windows such as client computers running Windows XP or earlier and servers running Windows Server 2003 or earlier.
What is event ID 15021?
Event ID 15021: HTTPEvent. An error occurred while using SSL configuration endpoint. The error occurs for all versions of Outlook.
Which event cannot occur in event “4768”?
The wrong password was provided. This error code cannot occur in event “4768. A Kerberos authentication ticket (TGT) was requested”. It occurs in the “4771. Kerberos pre-authentication failed” event.
How to find the source workstation address of a 4776 event?
Through the 4776 event log, we can obtain the source workstation address, log in to the computer and refer to the below steps to check:
How often does Windows notify when a 4776 event is generated?
For example, Windows can send you an email every time event ID 4776 is generated, but it will not be able to only notify you on attempts from unauthorized endpoints, attempts occurring outside business hours, or attempts from expired, disabled, or locked accounts.
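The filtering that a plain "notify on every 4776" rule lacks can be done on exported event XML. The following is an added example, not code from the original page: the account names, workstation names and business hours are hypothetical policy values, the sample events are constructed, and the field names (`TargetUserName`, `Workstation`, `Status`) are the event's XML `EventData` names, with `Status` carrying the result code.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# NTSTATUS values for the account states named above; 0x0 means validated.
STATUS = {0xC0000234: "account locked out", 0xC0000072: "account disabled",
          0xC0000193: "account expired"}
# Assumed local policy (hypothetical names): adjust to your environment.
NO_NTLM_ACCOUNTS = {"svc-backup"}
AUTHORIZED_WORKSTATIONS = {"WS-FIN-01", "WS-FIN-02"}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59, same clock as SystemTime (UTC)

def triage_4776(event_xml):
    """Return the reasons a 4776 event deserves an alert (empty list = none)."""
    root = ET.fromstring(event_xml)
    system = root.find("e:System", NS)
    if system.findtext("e:EventID", namespaces=NS) != "4776":
        return []
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    ts = system.find("e:TimeCreated", NS).get("SystemTime")
    hour = datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").hour
    status = int(data.get("Status", "0x0"), 16)
    reasons = []
    if status != 0:
        reasons.append(STATUS.get(status, f"validation failed ({status:#x})"))
    if data.get("TargetUserName", "").lower() in NO_NTLM_ACCOUNTS:
        reasons.append("account should never use NTLM")
    if data.get("Workstation", "").upper() not in AUTHORIZED_WORKSTATIONS:
        reasons.append("unauthorized source workstation")
    if hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    return reasons

def make_event(user, workstation, status, when):  # builds constructed sample data
    return f"""<Event xmlns="{NS['e']}"><System><EventID>4776</EventID>
<TimeCreated SystemTime="{when}.000000000Z"/></System><EventData>
<Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
<Data Name="TargetUserName">{user}</Data><Data Name="Workstation">{workstation}</Data>
<Data Name="Status">{status}</Data></EventData></Event>"""

SAMPLES = [  # constructed events, not taken from a real log
    make_event("alice", "WS-FIN-01", "0x0", "2024-03-05T10:15:00"),
    make_event("svc-backup", "WS-FIN-02", "0x0", "2024-03-05T11:00:00"),
    make_event("bob", "KIOSK-7", "0xc0000234", "2024-03-05T23:40:00"),
]

if __name__ == "__main__":
    for xml_text in SAMPLES:
        print(triage_4776(xml_text) or "no alert")
```
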