Windows Event ID 4768: A Kerberos authentication ticket (TGT) was requested
Event ID 4768 records a Kerberos ticket-granting ticket (TGT) request handled by a domain controller. Its Pre-Authentication Type is the primary log-based signal for AS-REP Roasting.
- Applicable version
- Windows Server 2008 R2 and later; Windows 7 and later
- Last reviewed
- 2026-07-11
Trigger Scenarios
A domain controller logs the event on every TGT request, whether it succeeds, fails pre-authentication, or is rejected for policy reasons such as an unknown principal or disabled account.
Key Fields
Pre-Authentication Type
A value of 0 means the KDC issued a TGT without encrypted-timestamp pre-authentication. This occurs only when the account has the 'Do not require Kerberos preauthentication' flag and is the exact condition AS-REP Roasting uses.
Ticket Encryption Type
0x11 and 0x12 are AES128 and AES256; 0x17 is RC4-HMAC; 0x1 and 0x3 are legacy DES. RC4 is cheaper to crack offline, while DES should not appear in a hardened domain.
Account Name
The principal requesting the TGT. Compare privileged, service, and dormant accounts with the reviewed preauthentication-exception list.
Failure Code
0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) against many accounts from one source indicates username enumeration or a password-spray precursor.
Common False Positives
- A small, documented set of legacy service accounts can have preauthentication disabled for compatibility.
- Normal workstation logons and service restarts generate high volumes of fully pre-authenticated 4768 events.
- VPN reconnects and expired cached tickets can create expected bursts.
Related Events
MITRE ATT&CK Mapping
- T1558.004Steal or Forge Kerberos Tickets: AS-REP Roasting
- T1110.003Brute Force: Password Spraying
Detection Notes
Pre-Authentication Type = 0 for an account outside the reviewed exception list makes T1558.004 AS-REP Roasting possible: an attacker can request a TGT without a password and crack its encrypted portion offline. Alert on every non-exempt occurrence. In an AES-only domain, 0x17 (RC4) or DES is independently suspicious because it weakens offline cracking resistance. A burst of Failure Code 0x6 against distinct account names from one source is a T1110.003 password-spraying or enumeration precursor; correlate it with 4625 and 4771.
SecurityEvent
| where EventID == 4768
| where PreAuthType == "0"
| project TimeGenerated, Computer, TargetAccount, IpAddress, TicketEncryptionType, PreAuthTypeindex=wineventlog EventCode=4768 Pre_Authentication_Type=0
| table _time, host, Account_Name, Client_Address, Ticket_Encryption_TypeAccount Name: svc-legacy@CORP.EXAMPLE
Client Address: 10.x.x.x
Ticket Encryption Type: 0x17
Pre-Authentication Type: 0
Failure Code: 0x0