SOC Event Lookup
Event ID 4771KerberosP2

Windows Event ID 4771: Kerberos pre-authentication failed

Event ID 4771 records a Kerberos pre-authentication failure on a domain controller.

Applicable version
Windows Server 2008 R2 and later; Windows 7 and later
Last reviewed
2026-07-11

Trigger Scenarios

The KDC generates the event when a client cannot satisfy Kerberos pre-authentication.

Key Fields

Failure Code

0x18 is KDC_ERR_PREAUTH_FAILED, normally a bad password; 0x12 is KDC_ERR_CLIENT_REVOKED for disabled or locked accounts.

Pre-Authentication Type

2 commonly represents encrypted timestamp pre-authentication; compare deviations with client configuration.

Client Address

The source IP used to group attempts and identify the originating device.

Common False Positives

  • Stale credentials in services and mobile devices are common.
  • Users entering old passwords after rotation create 0x18 failures.

Related Events

MITRE ATT&CK Mapping

  • T1110.003Brute Force: Password Spraying

Detection Notes

T1110.003 password spraying appears as Failure Code 0x18 against many accounts from one Client Address while avoiding lockout thresholds. One account receiving 0x18 from many sources instead suggests guessing or stale credentials. Alert on breadth, then correlate 4768 success and 4624 after the failure burst.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4771 and Status == "0x18"
| summarize Accounts=dcount(TargetAccount), Attempts=count() by IpAddress, bin(TimeGenerated, 15m)
| where Accounts > 10
Splunk SPL
index=wineventlog EventCode=4771 Failure_Code=0x18 | stats dc(Account_Name) as accounts count by Client_Address
Sample Log
Account Name: jsmith@CORP.EXAMPLE
Client Address: 10.x.x.x
Failure Code: 0x18
Pre-Authentication Type: 2

Source