Troubleshooting FREE

Kerberos pre-authentication failures — event IDs decoded

Kerberos pre-authentication failures are one of the most common sources of noise in a Windows Security event log — and one of the least understood. Events 4768, 4771, and 4776 all fire for different reasons, and the failure code buried in each event is the only thing that tells you what actually went wrong. This runbook decodes every common failure code and gives you the exact fix for each.

ⓘ What is Kerberos pre-authentication?

Before issuing a ticket-granting ticket (TGT), the KDC requires the client to prove it knows the user's password by encrypting a timestamp. Pre-authentication failures occur when that proof is wrong, missing, or stale — before any ticket is issued.

The three event IDs you'll see

Event IDWhat it meansWhere logged
4768Kerberos Authentication Service (AS) request. Logged for every TGT request — success and failure. Status code tells you which.Domain Controller Security log
4771Pre-authentication failed. The client sent the wrong encrypted timestamp — wrong password, clock skew, or bad keytab.Domain Controller Security log
4776NTLM credential validation attempt. Not Kerberos — fires when a machine falls back to NTLM because Kerberos failed. Proxies real Kerberos problems.Authenticating DC Security log

4771 failure codes and what they mean

The Failure Code field in Event 4771 is the diagnostic. Here are every common code and what to do with it.

Failure CodeMeaningFix
0x6Client not found in Kerberos database. Username doesn't exist in AD.Confirm the UPN/sAMAccountName. Check for typos. Verify the user exists in the correct domain — not a trust issue.
0x7Server not found in Kerberos database. The target SPN doesn't exist.Run setspn -Q HTTP/servername. Register missing SPN or fix the application's target name.
0x12Account disabled, expired, or locked. Account exists but cannot authenticate.Check account status in ADUC. Unlock, re-enable, or extend expiry. Check fine-grained password policies.
0x17Password has expired. User's password lifetime has passed.Force a password reset. Check if the account is set to "password never expires" unexpectedly.
0x18Pre-authentication info was invalid. Wrong password.Verify credentials. If this fires in bulk from a service account, the stored credential (scheduled task, IIS app pool, service) has a stale password.
0x19Additional pre-authentication required. Policy requires smartcard or MFA.Ensure client supports required auth method. Check whether "Smart card is required for interactive logon" was set on the account.
0x25Clock skew too great. Client and DC clocks differ by more than 5 minutes.Run w32tm /query /status on the client. Check PDC emulator NTP source. Fix clock sync before anything else.
0x37Skew too great (alternate code). Same as 0x25, surfaced differently in some clients.Same as 0x25 — fix NTP.

The clock skew problem — the most common culprit

Kerberos requires client and server clocks to be within 5 minutes of each other. When they're not, every authentication attempt fails with 0x25 or 0x37. This is especially common after:

  • A VM was paused or restored from snapshot
  • A laptop was offline for an extended period
  • The PDC emulator lost its NTP source
  • A branch office DC was isolated from the hub

Diagnose clock skew

# Check client time sync status
w32tm /query /status

# Check source and stratum
w32tm /query /peers

# Test sync manually
w32tm /resync /force

# Check PDC emulator (run on PDC)
w32tm /query /configuration
⚠ PDC emulator is the NTP root

All domain members should ultimately sync from the PDC emulator. The PDC emulator should sync from an external NTP source (pool.ntp.org or your firewall). A broken NTP chain at the PDC emulator will eventually drift every machine in the domain.

Fix the PDC emulator's NTP source

# Run on the PDC emulator — set external NTP source
w32tm /config /manualpeerlist:"0.pool.ntp.org,1.pool.ntp.org" /syncfromflags:manual /reliable:YES /update

# Restart time service
net stop w32time && net start w32time

# Force sync
w32tm /resync /force

# Verify
w32tm /query /status

Bulk 4771 events — the service account password problem

If you see hundreds of 4771 0x18 events per minute from a single account, the password changed but something still has the old credential stored. The sources are predictable:

  • Scheduled tasks — stored credentials don't auto-update
  • IIS application pools — identity password cached in IIS
  • Windows services — Services.msc stores credentials at config time
  • Credential Manager — Windows credential vault on user machines
  • ADFS or third-party SSO — service account keytab needs regeneration

Find the source machine

# The 4771 event includes the Client Address field
# Filter Security log on DC for the specific account
Get-WinEvent -ComputerName DC01 -FilterHashtable @{
    LogName='Security'
    Id=4771
} | Where-Object {$_.Message -like '*jsmith*'} |
    Select-Object -First 20 TimeCreated,Message |
    Format-List

Clear stale credentials from Credential Manager

# List stored credentials
cmdkey /list

# Remove specific entry
cmdkey /delete:DOMAIN\serviceaccount

# Or via GUI: Control Panel > Credential Manager > Windows Credentials

Event 4776 — when Kerberos falls back to NTLM

Event 4776 is not a Kerberos event — it's NTLM. But it fires because Kerberos failed first and the client fell back. Common reasons Kerberos fails and forces NTLM fallback:

  • Client connecting to server by IP address instead of hostname (Kerberos requires a hostname or FQDN to build the SPN)
  • Missing or duplicate SPN on the target service account
  • Target service running as a non-domain user or built-in account
  • DNS resolving to the wrong hostname

Fix IP-address-based fallback

The fix is to change the client connection to use the hostname. For mapped drives, update the UNC path from \\192.168.1.10\share to \\fileserver01\share. For GPO-mapped drives, update the GPO path preference.

Check for missing or duplicate SPNs

# List all SPNs for a service account
setspn -L DOMAIN\svcWebApp

# Check for duplicates (run on DC)
setspn -X

# Add a missing SPN
setspn -S HTTP/webserver01.domain.com DOMAIN\svcWebApp
setspn -S HTTP/webserver01 DOMAIN\svcWebApp
⚠ Duplicate SPNs break Kerberos silently

If setspn -X returns any results, you have a duplicate SPN. Kerberos cannot determine which account to use and silently fails. Remove the duplicate from whichever account it shouldn't be on. This is a common cause of intermittent Kerberos failures that nobody connects to SPNs.

4771 and account lockout

Repeated 0x18 failures (wrong password) will trigger account lockout if a lockout policy is in place. The lockout itself logs a separate Event 4740. To find what's locking the account:

# On the PDC emulator — this is where lockouts are always recorded
Get-WinEvent -ComputerName PDC01 -FilterHashtable @{
    LogName='Security'
    Id=4740
} | Where-Object {$_.Message -like '*jsmith*'} |
    Select-Object -First 10 TimeCreated,Message |
    Format-List

# The "Caller Computer Name" field in 4740 tells you the source machine

Once you have the source machine, check Credential Manager and recently changed service configurations on that machine for the stale password.

0x19 — smartcard and MFA requirement failures

Failure code 0x19 means the KDC requires additional pre-authentication that the client didn't provide. This fires when:

  • An account has "Smart card is required for interactive logon" enabled but the user is logging in without one
  • A Conditional Access policy requires MFA for the resource
  • A service account has smartcard enforcement set accidentally
# Check the flag on the account
Get-ADUser jsmith -Properties SmartcardLogonRequired |
    Select-Object Name,SmartcardLogonRequired

# Remove the flag if set accidentally
Set-ADUser jsmith -SmartcardLogonRequired $false

Quick reference — failure code cheat sheet

CodeShort causeFirst thing to check
0x6User not foundUPN/sAMAccountName typo, wrong domain
0x7Server/SPN not foundsetspn -Q
0x12Account disabled/locked/expiredADUC account status
0x17Password expiredForce password reset
0x18Wrong passwordStale stored credentials / service account
0x19Additional auth requiredSmartcardLogonRequired flag
0x25Clock skeww32tm /query /status
0x37Clock skew (alternate)Same as 0x25

Summary

Kerberos failures almost always have a specific, fixable cause — the failure code is the key. The most common production problems are clock skew (0x25), stale service account passwords (0x18 in bulk), and duplicate or missing SPNs (NTLM fallback via 4776). Start with the failure code, identify the source machine from the event's Client Address field, and work from there. Kerberos doesn't lie — it just doesn't explain itself well without this decoder ring.