Event Id 4776 Microsoft Authentication Package V1 From Mac


Applies to

  • Windows 10
  • Windows Server 2016

Subcategory: Audit Credential Validation

Event Description:

This event generates every time that a credential validation occurs using NTLM authentication.

This event occurs only on the computer that is authoritative for the provided credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative.

It shows successful and unsuccessful credential validation attempts.

It shows only the computer name (Source Workstation) from which the authentication attempt was performed (authentication source). For example, if you authenticate from CLIENT-1 to SERVER-1 using a domain account you will see CLIENT-1 in the Source Workstation field. Information about the destination computer (SERVER-1) is not presented in this event.

If a credential validation attempt fails, you will see a Failure event with Error Code parameter value not equal to “0x0”.

The main advantage of this event is that on domain controllers you can see all authentication attempts for domain accounts when NTLM authentication was used.

For monitoring local account logon attempts, it is better to use event “4624: An account was successfully logged on” because it contains more details and is more informative.

This event also generates when a workstation unlock event occurs.

This event does not generate when a domain account logs on locally to a domain controller.

Note: For recommendations, see Security Monitoring Recommendations for this event.


Event XML:

Required Server Roles: no specific requirements.

Minimum OS Version: Windows Server 2008, Windows Vista.

Event Versions: 0.

Field Descriptions:

  • Authentication Package [Type = UnicodeString]: the name of the Authentication Package which was used for credential validation. It is always “MICROSOFT_AUTHENTICATION_PACKAGE_V1_0” for the 4776 event.

Note: An authentication package is a DLL that encapsulates the authentication logic used to determine whether to permit a user to log on. The Local Security Authority (LSA) authenticates a user logon by sending the request to an authentication package. The authentication package then examines the logon information and either authenticates or rejects the user logon attempt.

  • Logon Account [Type = UnicodeString]: the name of the account that had its credentials validated by the Authentication Package. Can be user name, computer account name or well-known security principal account name. Examples:

    • User example: dadmin

    • Computer account example: WIN81$

    • Local System account example: Local

    • Local Service account example: Local Service

  • Source Workstation [Type = UnicodeString]: the name of the computer from which the logon attempt originated.

  • Error Code [Type = HexInt32]: contains the error code for Failure events. For Success events this parameter has the “0x0” value. The table below contains the most common error codes for this event:

    Error Code   Description
    0xC0000064   The username you typed does not exist. Bad username.
    0xC000006A   Account logon with misspelled or bad password.
    0xC000006D   Generic logon failure. Some of the potential causes for this: an invalid username and/or password was used; LAN Manager Authentication Level mismatch between the source and target computers.
    0xC000006F   Account logon outside authorized hours.
    0xC0000070   Account logon from unauthorized workstation.
    0xC0000071   Account logon with expired password.
    0xC0000072   Account logon to account disabled by administrator.
    0xC0000193   Account logon with expired account.
    0xC0000224   Account logon with 'Change Password at Next Logon' flagged.
    0xC0000234   Account logon with account locked.
    0xC0000371   The local account store does not contain secret material for the specified account.
    0x0          No errors.

Table 1. Winlogon Error Codes.

Security Monitoring Recommendations

For 4776(S, F): The computer attempted to validate the credentials for an account.

Type of monitoring required, with the recommendation for each:

  • High-value accounts: You might have high-value domain or local accounts for which you need to monitor each action. Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. Recommendation: Monitor this event with the “Logon Account” that corresponds to the high-value account or accounts.

  • Anomalies or malicious actions: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. Recommendation: When you monitor for anomalies or malicious actions, use the “Logon Account” value (with other information) to monitor how or when a particular account is being used. To monitor activity of specific user accounts outside of working hours, monitor the appropriate Logon Account + Source Workstation pairs.

  • Non-active accounts: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. Recommendation: Monitor this event with the “Logon Account” that should never be used.

  • Account whitelist: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. Recommendation: If this event corresponds to a “whitelist-only” action, review the “Logon Account” for accounts that are outside the whitelist.

  • Restricted-use computers: You might have certain computers from which certain people (accounts) should not log on. Recommendation: Monitor the target Source Workstation for credential validation requests from the “Logon Account” that you are concerned about.

  • Account naming conventions: Your organization might have specific naming conventions for account names. Recommendation: Monitor “Logon Account” for names that don’t comply with naming conventions.
  • If NTLM authentication should not be used for a specific account, monitor for that account. Don’t forget that local logon will always use NTLM authentication if an account logs on to a device where its user account is stored.

  • You can use this event to collect all NTLM authentication attempts in the domain, if needed. Don’t forget that local logon will always use NTLM authentication if the account logs on to a device where its user account is stored.

  • If a local account should be used only locally (for example, network logon or terminal services logon is not allowed), you need to monitor for all events where Source Workstation and Computer (where the event was generated and where the credentials are stored) have different values.

  • Consider tracking the following errors for the reasons listed:

    • User logon with misspelled or bad user account: for example, N events in the last N minutes can be an indicator of an account enumeration attack, especially relevant for highly critical accounts.

    • User logon with misspelled or bad password: for example, N events in the last N minutes can be an indicator of a brute-force password attack, especially relevant for highly critical accounts.

    • User logon outside authorized hours: can indicate a compromised account; especially relevant for highly critical accounts.

    • User logon from unauthorized workstation: can indicate a compromised account; especially relevant for highly critical accounts.

    • User logon to account disabled by administrator: for example, N events in the last N minutes can be an indicator of an account compromise attempt, especially relevant for highly critical accounts.

    • User logon with expired account: can indicate an account compromise attempt; especially relevant for highly critical accounts.

    • User logon with account locked: can indicate a brute-force password attack; especially relevant for highly critical accounts.
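The following Python is an added example, not part of the original page or of Microsoft's documentation. It turns the 4776 fields, the Table 1 error codes and the recommendations above into detection logic: a sliding-window count of bad-username failures per Source Workstation (enumeration) and of bad-password failures per Logon Account (brute force), plus the check that a local account is only validated for requests from the computer that stores it. The sample events are constructed, the EventData element names (PackageName, TargetUserName, Workstation, Status) are assumed from the 4776 event XML schema, and the thresholds and host names are illustrative.

```python
"""Detection logic over Security event 4776 records (added example, not from the page)."""
from collections import defaultdict
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
BAD_USERNAME = 0xC0000064  # Table 1; repeated from one source: account enumeration
BAD_PASSWORD = 0xC000006A  # Table 1; repeated against one account: brute force


def parse_time(system_time):
    """SystemTime carries up to 7 fractional digits; datetime accepts at most 6."""
    base, _, frac = system_time.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6])
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S") + timedelta(microseconds=micros)


def parse_4776(xml_text):
    """Extract the page's fields from one 4776 XML; Data names assumed from the 4776 schema."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind(".//e:EventData/e:Data", NS)}
    return {
        "time": parse_time(root.find(".//e:System/e:TimeCreated", NS).get("SystemTime")),
        "computer": root.find(".//e:System/e:Computer", NS).text,
        "account": data["TargetUserName"],   # Logon Account
        "workstation": data["Workstation"],  # Source Workstation
        "status": int(data["Status"], 16),   # Error Code
    }


def burst_alerts(events, status, key, threshold, window):
    """Keys with >= threshold events of `status` in one sliding window ('N events in N minutes')."""
    times = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["status"] == status:
            times[ev[key]].append(ev["time"])
    alerts = set()
    for k, ts in times.items():
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.add(k)
                break
    return alerts


def local_account_used_remotely(events, local_accounts):
    """For a local account the logging computer is the credential store, so a different
    Source Workstation means the account was used over the network."""
    return {(ev["account"], ev["workstation"]) for ev in events
            if ev["account"] in local_accounts
            and ev["workstation"].upper() != ev["computer"].split(".")[0].upper()}


def analyze(xml_records, local_accounts, threshold=5, window=timedelta(minutes=5)):
    events = [parse_4776(x) for x in xml_records]
    return {
        "enumeration_sources": burst_alerts(events, BAD_USERNAME, "workstation", threshold, window),
        "bruteforced_accounts": burst_alerts(events, BAD_PASSWORD, "account", threshold, window),
        "local_account_remote_use": local_account_used_remotely(events, local_accounts),
    }


def sample_event(time, computer, account, workstation, status):
    """Constructed 4776 event XML for the demonstration (not a real capture)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4776</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Computer>{computer}</Computer></System>'
            f'<EventData><Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>'
            f'<Data Name="TargetUserName">{account}</Data><Data Name="Workstation">{workstation}</Data>'
            f'<Data Name="Status">0x{status:08x}</Data></EventData></Event>')


SAMPLE = (  # constructed: DC1 validates domain accounts, SRV-FILE-01 validates its local ones
    [sample_event(f"2023-05-01T09:00:{10 * i:02d}.1234567Z", "DC1.contoso.local",
                  f"nosuchuser{i}", "WS-FINANCE-07", BAD_USERNAME) for i in range(6)]
    + [sample_event(f"2023-05-01T09:10:{10 * i:02d}Z", "DC1.contoso.local",
                    "dadmin", "WS-HR-02", BAD_PASSWORD) for i in range(5)]
    + [sample_event("2023-05-01T09:20:00Z", "SRV-FILE-01", "Administrator", "WS-FINANCE-07", 0x0),
       sample_event("2023-05-01T09:21:00Z", "SRV-FILE-01", "Administrator", "SRV-FILE-01", 0x0)]
)

if __name__ == "__main__":
    for name, hits in analyze(SAMPLE, local_accounts={"Administrator"}).items():
        print(name, sorted(hits))
```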
4625(F): An account failed to log on.

Applies to

  • Windows 10
  • Windows Server 2016

Subcategories: Audit Account Lockout and Audit Logon

Event Description:

This event generates if an account logon attempt failed when the account was already locked out. It also generates for a logon attempt after which the account was locked out.

It generates on the computer where the logon attempt was made; for example, if the logon attempt was made on a user’s workstation, the event is logged on that workstation.

This event generates on domain controllers, member servers, and workstations.

Note: For recommendations, see Security Monitoring Recommendations for this event.


Event XML:

Required Server Roles: None.

Minimum OS Version: Windows Server 2008, Windows Vista.

Event Versions: 0.

Field Descriptions:

Subject:

  • Security ID [Type = SID]: SID of account that reported information about logon failure. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

  • Account Name [Type = UnicodeString]: the name of the account that reported information about logon failure.

  • Account Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include the following:

    • Domain NETBIOS name example: CONTOSO

    • Lowercase full domain name: contoso.local

    • Uppercase full domain name: CONTOSO.LOCAL

    • For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.

    • For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

  • Logon Type [Type = UInt32]: the type of logon which was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field.

    Logon Type   Logon Title         Description
    2            Interactive         A user logged on to this computer.
    3            Network             A user or computer logged on to this computer from the network.
    4            Batch               Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
    5            Service             A service was started by the Service Control Manager.
    7            Unlock              This workstation was unlocked.
    8            NetworkCleartext    A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
    9            NewCredentials      A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
    10           RemoteInteractive   A user logged on to this computer remotely using Terminal Services or Remote Desktop.
    11           CachedInteractive   A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

Table 11. Windows Logon Types.

Account For Which Logon Failed:

  • Security ID [Type = SID]: SID of the account that was specified in the logon attempt. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.

Note: A security identifier (SID) is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see Security identifiers.

  • Account Name [Type = UnicodeString]: the name of the account that was specified in the logon attempt.

  • Account Domain [Type = UnicodeString]: domain or computer name. Formats vary, and include the following:

    • Domain NETBIOS name example: CONTOSO

    • Lowercase full domain name: contoso.local

    • Uppercase full domain name: CONTOSO.LOCAL

    • For some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.

    • For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.

  • Logon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “4624: An account was successfully logged on.”

Failure Information:

  • Failure Reason [Type = UnicodeString]: textual explanation of Status field value. For this event it typically has “Account locked out” value.

  • Status [Type = HexInt32]: the reason why logon failed. For this event it typically has “0xC0000234” value. The most common status codes are listed in “Table 12. Windows logon status codes.”

    Status\Sub-Status Code   Description
    0xC000005E               There are currently no logon servers available to service the logon request.
    0xC0000064               User logon with misspelled or bad user account.
    0xC000006A               User logon with misspelled or bad password.
    0xC000006D               This is either due to a bad username or authentication information.
    0xC000006E               Unknown user name or bad password.
    0xC000006F               User logon outside authorized hours.
    0xC0000070               User logon from unauthorized workstation.
    0xC0000071               User logon with expired password.
    0xC0000072               User logon to account disabled by administrator.
    0xC00000DC               Indicates the Sam Server was in the wrong state to perform the desired operation.
    0xC0000133               Clocks between DC and other computer too far out of sync.
    0xC000015B               The user has not been granted the requested logon type (aka logon right) at this machine.
    0xC000018C               The logon request failed because the trust relationship between the primary domain and the trusted domain failed.
    0xC0000192               An attempt was made to logon, but the Netlogon service was not started.
    0xC0000193               User logon with expired account.
    0xC0000224               User is required to change password at next logon.
    0xC0000225               Evidently a bug in Windows and not a risk.
    0xC0000234               User logon with account locked.
    0xC00002EE               Failure Reason: An Error occurred during Logon.
    0xC0000413               Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
    0x0                      Status OK.

Table 12. Windows logon status codes.

Note: To see the meaning of other status\sub-status codes you may also check for the status code in the Windows header file ntstatus.h in the Windows SDK.

More information: https://dev.windows.com/en-us/downloads

  • Sub Status [Type = HexInt32]: additional information about the logon failure. The most common sub-status codes are listed in “Table 12. Windows logon status codes.”

Process Information:

  • Caller Process ID [Type = Pointer]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):

    If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.

    You can also correlate this process ID with a process ID in other events, for example, “4688: A new process has been created” Process Information\New Process ID.

  • Caller Process Name [Type = UnicodeString]: full path and the name of the executable for the process.

Network Information:

  • Workstation Name [Type = UnicodeString]: machine name from which logon attempt was performed.

  • Source Network Address [Type = UnicodeString]: IP address of machine from which logon attempt was performed.

    • IPv6 address or ::ffff:IPv4 address of a client.

    • ::1 or 127.0.0.1 means localhost.

  • Source Port [Type = UnicodeString]: source port which was used for logon attempt from remote machine.

    • 0 for interactive logons.

Detailed Authentication Information:

  • Logon Process [Type = UnicodeString]: the name of the trusted logon process that was used for the logon attempt. See event “4611: A trusted logon process has been registered with the Local Security Authority” description for more information.

  • Authentication Package [Type = UnicodeString]: the name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in the “HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “4610: An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “4622: A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:

    • NTLM – NTLM-family Authentication

    • Kerberos – Kerberos authentication.

    • Negotiate – the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos.

  • Transited Services [Type = UnicodeString] [Kerberos-only]: the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see https://msdn.microsoft.com/library/cc246072.aspx

  • Package Name (NTLM only) [Type = UnicodeString]: The name of the LAN Manager sub-package (NTLM-family protocol name) that was used during the logon attempt. Possible values are:

    • “NTLM V1”

    • “NTLM V2”

    • “LM”

      Only populated if “Authentication Package” = “NTLM”.

  • Key Length [Type = UInt32]: the length of NTLM Session Security key. Typically it has 128 bit or 56 bit length. This parameter is always 0 if “Authentication Package” = “Kerberos”, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using Negotiate authentication package.

Security Monitoring Recommendations

For 4625(F): An account failed to log on.

Important: For this event, also see Appendix A: Security monitoring recommendations for many audit events.

  • If you have a pre-defined “Process Name” for the process reported in this event, monitor all events with “Process Name” not equal to your defined value.

  • You can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).

  • If you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz” or “cain.exe”), check for these substrings in “Process Name.”

  • If Subject\Account Name is the name of a service account or user account, it may be useful to investigate whether that account is allowed (or expected) to request logon for Account For Which Logon Failed\Security ID.

  • To monitor for a mismatch between the logon type and the account that uses it (for example, if Logon Type 4-Batch or 5-Service is used by a member of a domain administrative group), monitor Logon Type in this event.

  • If you have a high-value domain or local account for which you need to monitor every lockout, monitor all 4625 events with the “Subject\Security ID” that corresponds to the account.

  • We recommend monitoring all 4625 events for local accounts, because these accounts typically should not be locked out. This is especially relevant for critical servers, administrative workstations, and other high value assets.

  • We recommend monitoring all 4625 events for service accounts, because these accounts should not be locked out or prevented from functioning. This is especially relevant for critical servers, administrative workstations, and other high value assets.

  • If your organization restricts logons in the following ways, you can use this event to monitor accordingly:

    • If the “Account For Which Logon Failed\Security ID” should never be used to log on from the specific Network Information\Workstation Name.

    • If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for Network Information\Source Network Address and compare the network address with your list of IP addresses.

    • If a particular version of NTLM is always used in your organization. In this case, you can use this event to monitor Package Name (NTLM only), for example, to find events where Package Name (NTLM only) does not equal NTLM V2.

    • If NTLM is not used in your organization, or should not be used by a specific account (New Logon\Security ID). In this case, monitor for all events where Authentication Package is NTLM.

    • If the Authentication Package is NTLM. In this case, monitor for Key Length not equal to 128, because all Windows operating systems starting with Windows 2000 support 128-bit Key Length.

    • If Logon Process is not from a trusted logon processes list.

  • Monitor for all events with the fields and values in the following table:

  Field: Failure Information\Status or Failure Information\Sub Status. Values to monitor for:

    • 0xC000005E – “There are currently no logon servers available to service the logon request.” This is typically not a security issue but it can be an infrastructure or availability issue.

    • 0xC0000064 – “User logon with misspelled or bad user account”. Especially if you get a number of these in a row, it can be a sign of a user enumeration attack.

    • 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts. Especially watch for a number of such events in a row.

    • 0xC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts. Especially watch for a number of such events in a row.

    • 0xC000006F – “User logon outside authorized hours”.

    • 0xC0000070 – “User logon from unauthorized workstation”.

    • 0xC0000072 – “User logon to account disabled by administrator”.

    • 0xC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”.

    • 0xC0000192 – “An attempt was made to logon, but the Netlogon service was not started”. This is typically not a security issue but it can be an infrastructure or availability issue.

    • 0xC0000193 – “User logon with expired account”.

    • 0xC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”.
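The following Python is an added example, not part of the original page or of Microsoft's documentation. It applies the 4625 recommendations above to individual records: the NTLM checks (Authentication Package, Package Name, Key Length), the Logon Process and Process Name checks, the per-account workstation restriction, and the Status/Sub Status lookup from the tables. Each record is the event's EventData as a dict keyed by the Data element names (TargetUserName, WorkstationName, AuthenticationPackageName, LmPackageName, KeyLength, LogonProcessName, ProcessName, Status, SubStatus), which are assumed here; the site policy and the sample records are constructed.

```python
STATUS_NOTES = {  # values from Table 12 and the final recommendations table, keyed as integers
    0xC000005E: "no logon servers available (availability rather than security)",
    0xC0000064: "misspelled or bad user account (a run of these: user enumeration)",
    0xC000006A: "misspelled or bad password (a run of these: brute force)",
    0xC000006D: "bad username or authentication information",
    0xC000006F: "logon outside authorized hours",
    0xC0000070: "logon from unauthorized workstation",
    0xC0000072: "account disabled by administrator",
    0xC000015B: "requested logon type not granted at this machine",
    0xC0000192: "Netlogon service not started (availability rather than security)",
    0xC0000193: "expired account",
    0xC0000234: "account locked out",
    0xC0000413: "blocked by an authentication firewall",
}


def describe_status(rec):
    """Prefer Sub Status: when Status is 0xC000006D it carries the specific reason."""
    for field in ("SubStatus", "Status"):
        code = int(rec.get(field, "0x0"), 16)  # 4625 writes these as hex text
        if code in STATUS_NOTES:
            return f"{field} 0x{code:08X}: {STATUS_NOTES[code]}"
    return None


def check_4625(rec, policy):
    """Apply the page's 4625 recommendations to one record and return the findings."""
    findings = []
    user, ws = rec["TargetUserName"], rec["WorkstationName"]
    if rec["AuthenticationPackageName"] == "NTLM":
        if user in policy["no_ntlm_accounts"]:
            findings.append(f"NTLM used by {user}, which should not use NTLM")
        if rec["LmPackageName"] != "NTLM V2":
            findings.append(f"Package Name is {rec['LmPackageName']}, not NTLM V2")
        if int(rec["KeyLength"]) != 128:
            findings.append(f"Key Length {rec['KeyLength']} is not 128")
    logon_process = rec["LogonProcessName"].strip()  # the field is space-padded
    if logon_process not in policy["trusted_logon_processes"]:
        findings.append(f"Logon Process {logon_process!r} is not in the trusted list")
    proc = rec["ProcessName"].lower()
    if any(word in proc for word in policy["restricted_process_words"]):
        findings.append(f"Process Name {rec['ProcessName']} matches a restricted word")
    elif proc not in ("", "-") and not proc.startswith(policy["standard_folders"]):
        findings.append(f"Process Name {rec['ProcessName']} is outside the standard folders")
    if ws in policy["denied_workstations"].get(user, ()):
        findings.append(f"{user} attempted a logon from denied workstation {ws}")
    if (note := describe_status(rec)):
        findings.append(note)
    return findings


POLICY = {  # constructed site policy for the demonstration
    "no_ntlm_accounts": {"svc-backup"},
    "trusted_logon_processes": {"NtLmSsp", "Kerberos", "User32", "Advapi", "Winlogon"},
    "restricted_process_words": ("mimikatz", "cain.exe", "temporary internet files"),
    "standard_folders": ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\"),
    "denied_workstations": {"Administrator": {"WS-FINANCE-07"}},
}

SAMPLES = [  # constructed 4625 EventData records (Data element names assumed), not real captures
    {  # network logon: NTLM V1 with a 56-bit key by an account that must not use NTLM
        "TargetUserName": "svc-backup", "WorkstationName": "WS-HR-02", "ProcessName": "-",
        "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1", "KeyLength": "56",
        "LogonProcessName": "NtLmSsp ", "Status": "0xc000006d", "SubStatus": "0xc000006a"},
    {  # locked-out account tried from a workstation it must never log on from
        "TargetUserName": "Administrator", "WorkstationName": "WS-FINANCE-07",
        "AuthenticationPackageName": "Negotiate", "LmPackageName": "-", "KeyLength": "0",
        "LogonProcessName": "User32 ", "ProcessName": "C:\\Windows\\System32\\svchost.exe",
        "Status": "0xc0000234", "SubStatus": "0x0"},
    {  # process outside the standard folders; sub-status not in the table, so Status is reported
        "TargetUserName": "bob", "WorkstationName": "WS-DEV-11", "KeyLength": "0",
        "AuthenticationPackageName": "Kerberos", "LmPackageName": "-", "LogonProcessName": "Advapi  ",
        "ProcessName": "C:\\Users\\bob\\AppData\\Local\\Temp\\helper.exe",
        "Status": "0xc000006d", "SubStatus": "0xc000006e"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["TargetUserName"], check_4625(rec, POLICY))
```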