Audit Failure events in the Windows Security event log on the Domain Controller hosting a Control Compliance Suite (CCS) environment
Last Updated September 25, 2013
Microsoft-Windows-Security-Auditing generates Event ID 4768 in the Windows Security log on the Domain Controller when a Kerberos authentication ticket (TGT) is requested for CCS component accounts.
Log Name: Security
Event ID: 4768
Task Category: Kerberos Authentication Service
Keywords: Audit Failure
The client sends a KRB_AS_REQ to the KDC (specifically the Authentication Server/AS) to request a Ticket Granting Ticket (TGT). The AS_REQ is built on the client machine by taking the current computer time and encrypting it with the user's password hash. The AS_REQ packet also carries some other information, including the UPN of the principal. This information is called "Authentication Data".
In a typical scenario the KDC would verify the Authentication Data and respond to the client with a KRB_AS_REP containing a TGT and a session key for the TGT. This process validates that the principal authenticating knows the account and password (which in this case it does not).
The 0x6 Failure (Result) Code in the Audit Failure event translates to KDC_ERR_C_PRINCIPAL_UNKNOWN, "Client was not found in Kerberos database." The account name specified is not a recognized principal name present in the userPrincipalName attribute of the account.
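To confirm which account names and client addresses are producing these failures, the Security log on the Domain Controller can be summarized with PowerShell. This is an added example, not part of the original article or of CCS itself; the 24-hour window is an assumption, and the field names are those of the standard 4768 event data.

```powershell
# Added example: summarize Event ID 4768 entries whose result code is 0x6
# (KDC_ERR_C_PRINCIPAL_UNKNOWN). Run in an elevated session on the DC.
$since = (Get-Date).AddHours(-24)   # assumption: look back 24 hours

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4768
    StartTime = $since
} -ErrorAction SilentlyContinue

$failures = foreach ($evt in $events) {
    # Collect the named EventData fields from the event XML
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Compare numerically so "0x6" and zero-padded forms both match
    if ([Convert]::ToInt32($data['Status'], 16) -ne 6) { continue }

    [pscustomobject]@{
        TimeCreated    = $evt.TimeCreated
        AccountName    = $data['TargetUserName']
        Realm          = $data['TargetDomainName']
        ClientAddress  = $data['IpAddress']
        CertThumbprint = $data['CertThumbprint']   # set for certificate-based requests
    }
}

# One row per account name and client address, most frequent first
$failures |
    Group-Object AccountName, ClientAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { ($_.Group | Measure-Object TimeCreated -Maximum).Maximum } } |
    Format-Table -AutoSize
```

Running the same query again after the certificates have been mapped shows whether the 0x6 failures for the CCS component names have stopped.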
Map certificates to AD accounts for CCS server(s) for component communication without Audit Failures. Use the following steps to export CCS certificates for CCS components and map them to Active Directory accounts.
Steps to export the CCS Certificates using MMC snap-in:
1. From the Start menu on the CCS Application Server, click Run. Type mmc in the text box and click OK. An MMC snap-in Console window launches.
2. Using the File menu, click Add/Remove Snap-in.
3. Select Certificates in the Snap-in list, click Add.
NOTE: When you select Certificates, a dialog box appears asking you whether you would like to manage certificates for My user account, Service account, or Computer account. For this scenario, select Computer account, click Finish, and continue.
4. When prompted to Select Computer, select Local Computer, and click Finish.
5. Click OK to close the Add/Remove Snap-in dialog box. The Certificates directory is now added to the MMC console.
6. Select Certificates (Local Computer) from the Console menu. This will expand the Certificates containers.
7. Select >Symantec_Components >Certificates container.
8. Right-click certificate AppServer-%MACHINE_NAME% and select >All Tasks >Export…
9. This will start the Welcome to the Certificate Export Wizard. Click Next.
10. Select No, do not export the private key. Click Next.
11. Select DER encoded binary X.509 (.CER). Click Next.
12. Specify the folder path and name of the file you want to export. Click Next.
13. Review wizard settings and click Finish.
NOTE: These steps will need to be performed on each server hosting the CCS Manager role. Please note the certificate in step 8 will be unique for CCS Manager role (i.e. CCSManager-%Machine_Name%). It is helpful to store all exported certificate files (.CER) in a folder accessible to the Domain Controller.
Imported Document ID: TECH210899