We are collecting all endpoint logs (end-user computers) and domain controller logs into a SIEM, and I always see active users shown as disabled. Please find one of the log entries below (I masked the important fields for security reasons).
{ "timestamp": "", "destination_asset": "unknown", "source_asset_address": "10.x.x.x", "destination_asset_address": "10.x.x.x", "destination_account": "xxxxx", "destination_domain": "xyz.abc", "result": "FAILED_ACCOUNT_DISABLED", "service": "krbtgt/xxxxx", "source_data": "{\"eventCode\":4768,\"computerName\":\"xxxx.xxxx.xxxx\",\"insertionStrings\":[\"xxxx\",\"xxxx.xxxx\",\"S-1-0-0\",\"krbtgt/xxxxx\",\"S-1-0-0\",\"0x40810010\",\"0x12\",\"0xffffffff\",\"-\",\"::ffff:10.xxx.xxx.xxx\",\"55709\",\"\",\"\",\"\"],\"timeGenerated\":\"\"}" }
Does anybody have any idea why this error message is thrown?
I looked at Microsoft blogs and found the info below. The blog says this is not a Kerberos error but never mentions whether it is an error or not.
https://blogs.technet.microsoft.com/askds/2008/03/06/kerberos-for-the-busy-admin/
Note: I would caution you on enabling this feature. There are some events that you will see that are really not Kerberos errors – such as 0x12 KDC_ERR_CLIENT_REVOKED, 0xD KDC_ERR_BADOPTION, or 0x34 KRB_ERR_RESPONSE_TOO_BIG. We have had cases where the customer enabled this from a previous case and never turned it back off. Since they were now sensitive to all Kerberos errors they have opened up a new case just to be asked to turn off the logging because the events were not really errors.
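As an added example (not code from the question, the SIEM vendor or the blog), the parser below unwraps the nested source_data of a record like the one above, names the 4768 insertion strings and maps the Status field to its Kerberos result code. The field order follows the Windows 4768 event layout; the record layout and the sample values are assumptions constructed to mirror the masked entry. The point for triage: 0x12 (KDC_ERR_CLIENT_REVOKED) is a single code for several account states, so a SIEM label of "disabled" should be confirmed against the account's actual state in AD.

```python
import json

# insertionStrings order for Windows Security event 4768 (Kerberos TGT request)
EVENT_4768_FIELDS = [
    "TargetUserName", "TargetDomainName", "TargetSid", "ServiceName", "ServiceSid",
    "TicketOptions", "Status", "TicketEncryptionType", "PreAuthType",
    "IpAddress", "IpPort", "CertIssuerName", "CertSerialNumber", "CertThumbprint",
]

# KDC result codes (RFC 4120 names). 0x12 is a single code for several account
# states, so a SIEM label of "disabled" is an over-specific reading of it.
KDC_STATUS = {
    "0x0": ("KDC_ERR_NONE", "TGT issued"),
    "0x12": ("KDC_ERR_CLIENT_REVOKED",
             "account disabled, expired, locked out, or outside logon hours"),
    "0x18": ("KDC_ERR_PREAUTH_FAILED", "pre-authentication failed (bad password)"),
    "0xd": ("KDC_ERR_BADOPTION", "KDC cannot honour the requested option"),
    "0x34": ("KRB_ERR_RESPONSE_TOO_BIG", "response too big for UDP, client retries over TCP"),
}

def parse_4768(siem_record: dict) -> dict:
    """Decode the nested source_data of a SIEM record that wraps event 4768."""
    src = json.loads(siem_record["source_data"])
    if src.get("eventCode") != 4768:
        raise ValueError(f"not a 4768 event: {src.get('eventCode')}")
    f = dict(zip(EVENT_4768_FIELDS, src["insertionStrings"]))
    status = f["Status"].lower()
    name, meaning = KDC_STATUS.get(status, ("UNKNOWN", "unmapped status code"))
    ip = f["IpAddress"]
    return {
        "user": f"{f['TargetUserName']}@{f['TargetDomainName']}",
        "client_ip": ip[7:] if ip.startswith("::ffff:") else ip,  # strip v4-mapped prefix
        "status": status, "status_name": name, "meaning": meaning,
        # S-1-0-0 (NULL SID) and encryption type 0xffffffff both mean no ticket was issued
        "ticket_issued": status == "0x0" and f["TargetSid"] != "S-1-0-0",
        # true when the SIEM reduced a multi-cause code to a single cause
        "label_overstates_cause": status == "0x12"
            and siem_record.get("result") == "FAILED_ACCOUNT_DISABLED",
    }

# Constructed sample mirroring the masked entry in the question (not real data)
SAMPLE_RECORD = {
    "result": "FAILED_ACCOUNT_DISABLED", "service": "krbtgt/EXAMPLE",
    "source_data": json.dumps({"eventCode": 4768, "computerName": "dc01.example.test",
        "insertionStrings": ["jdoe", "example.test", "S-1-0-0", "krbtgt/EXAMPLE", "S-1-0-0",
                             "0x40810010", "0x12", "0xffffffff", "-", "::ffff:10.0.0.25",
                             "55709", "", "", ""],
        "timeGenerated": ""}),
}
```

Run `parse_4768(SAMPLE_RECORD)` to see the decoded fields; a `label_overstates_cause` of true means the SIEM's "disabled" verdict needs an AD lookup before anyone acts on it.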