Windows Event ID 4771: Kerberos pre-authentication failed
Event ID 4771 records a Kerberos pre-authentication failure on a domain controller.
- Applicable version
- Windows Server 2008 R2 and later; Windows 7 and later
- Last reviewed
- 2026-07-11
Trigger Scenarios
The KDC generates the event when a client cannot satisfy Kerberos pre-authentication.
Key Fields
Failure Code
0x18 is KDC_ERR_PREAUTH_FAILED, normally a bad password; 0x12 is KDC_ERR_CLIENT_REVOKED for disabled or locked accounts.
Pre-Authentication Type
2 commonly represents encrypted timestamp pre-authentication; compare deviations with client configuration.
Client Address
The source IP used to group attempts and identify the originating device.
Common False Positives
- Stale credentials in services and mobile devices are common.
- Users entering old passwords after rotation create 0x18 failures.
Related Events
MITRE ATT&CK Mapping
- T1110.003Brute Force: Password Spraying
Detection Notes
T1110.003 password spraying appears as Failure Code 0x18 against many accounts from one Client Address while avoiding lockout thresholds. One account receiving 0x18 from many sources instead suggests guessing or stale credentials. Alert on breadth, then correlate 4768 success and 4624 after the failure burst.
SecurityEvent
| where EventID == 4771 and Status == "0x18"
| summarize Accounts=dcount(TargetAccount), Attempts=count() by IpAddress, bin(TimeGenerated, 15m)
| where Accounts > 10index=wineventlog EventCode=4771 Failure_Code=0x18 | stats dc(Account_Name) as accounts count by Client_AddressAccount Name: [email protected]
Client Address: 10.x.x.x
Failure Code: 0x18
Pre-Authentication Type: 2