Kerberos auditing

Gain complete visibility into Kerberos logons, authentication failures, and user behavior, all in one place. Detect anomalies and uncover Kerberos-based attacks before they impact your network.

Audit Kerberos authentication service with ease

Audit Kerberos activity across domains

Monitor the usage of ticket-granting tickets (TGT) and service tickets across all AD domains, ensuring no blind spots in Kerberos authentication events.

Track user logons in real time

Track Kerberos authentication service audit failures, uncover account lockouts, and resolve them quickly.

Detect network compromise early

Get instantly alerted on high-volume logon attempts, logons during unusual times, and remote accesses by unusual users to detect potential security threats.

Drill deep into Kerberos events

Analyze every Kerberos event with detailed event data such as user name, event ID, host name, event type, failure reason, and more—all from a unified dashboard.

Stop Kerberos-based attacks before they spread

Detect Kerberoasting attempts early

Spot unusual TGS ticket requests for service accounts that may indicate attackers attempting to extract and crack encrypted credentials offline.

Block Golden and Silver ticket abuse

Identify forged Kerberos tickets designed to provide attackers persistent access and stop unauthorized lateral movement across your AD environment.

Uncover AS-REP roasting and pre-auth abuse

Find accounts with pre-authentication disabled and detect any attempts to disable Kerberos pre-authentication, so you can prevent brute-force password cracking.

Detect credential theft techniques

Catch pass-the-ticket and pass-the-hash attacks by monitoring Kerberos events for anomalous patterns such as unusual ticket usage, ticket reuse, long-lived tickets, or logon anomalies.

Enable Kerberos auditing and prevent Kerberos-based attacks with ADAudit Plus

  • Audit user logon activity

    Visualize successful vs. failed Kerberos logons and drill down into detailed event reports for faster investigation.

    Get complete event details

    Every logon attempt is recorded with event ID, user, IP, failure reasons, and timestamps for thorough auditing.

    Expand visibility across logons

    Access additional user logon reports to analyze patterns, uncover anomalies, and strengthen authentication monitoring.

  • Uncover Kerberoasting attempts across servers

    Monitor where Kerberoasting activity originates, with server-level insights and detailed detection reports.

    Dive deeper into attack evidence

    Open detailed threat pages with evidence reports, risk levels, user activity history, and recommended actions.

    Broaden detection to other AD threats

    Explore additional AD attack reports to strengthen visibility and stop lateral movement early.

Frequently asked questions

Kerberos is the default authentication protocol used in AD environments. It uses tickets and strong encryption to securely verify identities between users and services, reducing the risk of credential theft compared to older methods like NTLM.

In most modern AD environments, Kerberos is enabled by default. You can verify this by checking domain controller security policies, monitoring event logs for Kerberos ticket-granting events (Event IDs 4768, 4769, etc.), or reviewing network traffic to confirm Kerberos ticket exchanges.

NTLM is an older challenge-response authentication protocol that relies on password hashes. Kerberos is more secure and efficient, using tickets issued by a trusted Key Distribution Center (KDC). Unlike NTLM, Kerberos supports mutual authentication, delegation, and stronger encryption standards.

Common Windows Security Event IDs for Kerberos include:

  • 4768 – A Kerberos authentication ticket (TGT) was requested
  • 4769 – A Kerberos service ticket (TGS) was requested
  • 4770 – A Kerberos service ticket was renewed
  • 4771 – Kerberos pre-authentication failed
  • 4776 – NTLM authentication (useful for spotting NTLM vs Kerberos usage)
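
As an added example (not ADAudit Plus code or output), the following sketch screens Event ID 4769 records for the Kerberoasting pattern mentioned earlier on this page: one account requesting service tickets for many different service accounts in a short time. The event records are constructed, the field names follow the Windows 4769 event, and the window and threshold values are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value logged for RC4-HMAC tickets

# Constructed sample of Event ID 4769 records (not real log data).
# Field names follow the Windows 4769 event schema.
def _ev(ts, user, svc, ip, etype):
    return {"EventID": 4769, "TimeCreated": datetime.fromisoformat(ts),
            "TargetUserName": user, "ServiceName": svc,
            "IpAddress": ip, "TicketEncryptionType": etype}

SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:05", "alice@EXAMPLE.LOCAL", "FILESRV01$", "10.0.0.21", "0x12"),
    _ev("2024-05-01T09:14:40", "alice@EXAMPLE.LOCAL", "svc_sql", "10.0.0.21", "0x12"),
    _ev("2024-05-01T10:02:01", "bob@EXAMPLE.LOCAL", "svc_sql", "10.0.0.37", "0x17"),
    _ev("2024-05-01T10:02:02", "bob@EXAMPLE.LOCAL", "svc_web", "10.0.0.37", "0x17"),
    _ev("2024-05-01T10:02:03", "bob@EXAMPLE.LOCAL", "svc_backup", "10.0.0.37", "0x17"),
    _ev("2024-05-01T10:02:04", "bob@EXAMPLE.LOCAL", "svc_report", "10.0.0.37", "0x17"),
    _ev("2024-05-01T10:02:05", "bob@EXAMPLE.LOCAL", "krbtgt", "10.0.0.37", "0x12"),
]

def find_tgs_bursts(events, window=timedelta(minutes=5), min_services=4):
    """Flag accounts requesting tickets for >= min_services distinct services within window."""
    per_user = defaultdict(list)
    for e in events:
        svc = e["ServiceName"]
        # Skip machine accounts and krbtgt: routine traffic that would drown the signal.
        if e["EventID"] != 4769 or svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_user[e["TargetUserName"]].append(e)
    alerts = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            win = evs[start:end + 1]
            services = {e["ServiceName"] for e in win}
            if len(services) >= min_services:
                alerts.append({"user": user, "services": sorted(services),
                               "source_ips": sorted({e["IpAddress"] for e in win}),
                               "rc4_requests": sum(e["TicketEncryptionType"] == RC4_HMAC for e in win)})
                break  # one alert per account is enough for triage
    return alerts

if __name__ == "__main__":
    print(find_tgs_bursts(SAMPLE_EVENTS))
```

A high `rc4_requests` count alongside the burst is a useful triage signal where service accounts are expected to use AES.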
 

Other solutions offered by ADAudit Plus

Active Directory

  • Active Directory auditor – Get reports and alerts on changes to AD objects including users, groups, OUs, GPOs, and more instantly.
  • Account lockout tool – Detect and diagnose AD account lockouts faster by identifying their root cause.
  • Login monitoring – Monitor, track, and report on both successful and failed login attempts in real time.
  • Azure AD auditing – Monitor and track all Azure Active Directory sign-ins and events across cloud or hybrid environments.
  • GPO change auditing – Audit and report on what GPO setting was changed with before and after values—all in real time.
  • Privileged user monitoring – Monitor and report on critical actions made by administrators or privileged accounts and groups.

File server

  • File server auditing – Audit all file accesses across Windows file servers, failover clusters, NetApp, and EMC environments.
  • File permissions auditing – Audit all file and folder permission changes. Know who made those changes, when, and from where.
  • File integrity monitoring – Monitor and alert on unwarranted file accesses or modifications with real-time change auditing.
  • File change monitoring – Gain instant visibility into all modifications and failed access attempts made to your critical files.
  • Compliance requirements – Generate out-of-the-box compliance reports for regulations such as HIPAA, PCI DSS, GDPR, and more.
  • Forensic analysis – Investigate security incidents faster with actionable and accurate audit data.

Windows server

  • Windows server auditing – Audit and monitor all user actions across the Windows server environment in real time.
  • Removable device auditing – Monitor usage of removable storage devices, such as USBs, and report on their file activities.
  • Printer monitoring – Monitor printer usage to find out who printed what critical files over the Windows network.
  • ADFS auditing – Monitor and report on both successful and failed ADFS authentication attempts in real time.
  • Audit process tracking – Track critical process creation and termination events with details on who initiated it and when.
  • File integrity monitoring – Monitor and alert on unwarranted file accesses or modifications with real-time change auditing.

Workstation

  • Workstation auditing – Audit, alert, and report on critical user activities across workstations in real time.
  • Logon and logoff monitoring – Monitor and track all users' logon and logoff activities to spot anomalous user sessions.
  • File integrity monitoring – Ensure file integrity by keeping track of changes made to the system, program files, and more.
  • User login history monitoring – Track, record, and maintain an audit trail of all users' login history details.
  • Audit process tracking – Track critical process creation and termination events with details on who initiated it and when.
  • Employee time tracking software – Measure your employees' productivity by keeping track of their idle time and actual work hours.