Hi Everybody,
Since we enabled failure audit logging on the domain controller, we've had a lot of the following failures logged:
------------------------------------------------------------------------------------------
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 12/23/2012 3:29:01 PM
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
User: N/A
Computer: SERVER1.DOMAIN.local
Description:
A Kerberos service ticket was requested.
Account Information:
Account Name:
Account Domain:
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
Service Name:
Service ID: NULL SID
Network Information:
Client Address: ::ffff:10.8.0.157
Client Port: 49266
Additional Information:
Ticket Options: 0x2
Ticket Encryption Type: 0xffffffff
Failure Code: 0x20
Transited Services: -
-----------------------------------------------------------------------------
'Failure code: 0x20', means 'Ticket expired'
I've done some research and found a bunch of articles saying that it is safe to ignore this audit failure as it's just a notification and is supposed to be by design.... My point is that we don't have these kind of errors on other domain controllers, only on this one, which tells me that it's not really true. If it was 'by design', we would have similar events on other domain controllers.
Something must be different in this particular environment from the rest.
BTW it is the only (as far as I remember) domain with 2008R2 functional level. I found one article suggesting that it's because of the lower domain functional level which turned out to be not the case.
P.S. the domain controller has Win 2008R2, clients are mixed: XP, 7, some Vistas
Please advise
Thank you