Kerberos pre-authentication failed (4771) how to monitor with email alert

#1
05-13-2024, 02:48 PM
You know that event ID 4771 in Event Viewer, the one screaming Kerberos pre-authentication failed? It pops up whenever someone tries logging into your Windows Server with bogus credentials, like a wrong password or maybe some hacker probing away. I see it all the time on domain controllers, and it logs the username, the workstation name, and even the time it happened. Basically, it's your server's way of yelling that authentication just flopped before it even got rolling with the full Kerberos handshake. And if you ignore it, attackers might keep hammering until they crack something. You can spot patterns too, like repeated fails from the same IP, which screams brute force attempt. Hmmm, or it could just be a user fat-fingering their password over and over. Either way, it details the failure reason, whether it's bad password, wrong realm, or clock skew messing things up. I always check the security log for these, since that's where they nestle in by default.

Now, to keep an eye on this without staring at screens all day, you fire up Event Viewer on your server. Right-click the Custom Views folder, make a new one filtering just for event ID 4771 in the Security log. That way, you see only the fails that matter. Then, attach a task to it by going into the Actions pane, creating a scheduled task that triggers on those events. You set it to run a program like the old mailto command or whatever email client you got hooked up, so it blasts an alert straight to your inbox whenever one hits. I do this on my setups, and it wakes me up to trouble before it snowballs. Or, if you want fancier, link it to sendmail.exe with parameters for the recipient and subject. Just test it first, man, because false positives from legit typos can flood your box.

But hey, while we're chatting server smarts, keeping backups tight ties right into spotting these security hiccups early. That's where BackupChain Windows Server Backup comes in handy for me. It's this solid Windows Server backup tool that also handles virtual machines on Hyper-V without breaking a sweat. You get fast incremental backups, easy restores even for bare-metal disasters, and it encrypts everything to dodge those very threats logging in event 4771. Plus, no vendor lock-in, and it runs light on resources so your server doesn't choke.

At the end of this, you'll find the automatic email solution laid out for quick setup.

Note, the PowerShell email alert code was moved to this post.

bob
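
One way to script the alert described in the post, as an added example (it is not the original poster's code, nor the PowerShell the note above refers to): it reads recent 4771 events from the Security log, counts failures per user and source address, and sends one email only when a pair reaches a threshold. The SMTP server, the addresses, the window and the threshold are placeholder assumptions.

```powershell
# Added example: summarize recent 4771 events and mail one alert per run.
# Assumptions (placeholders, not from the original post): SMTP host, addresses,
# the 10-minute window and the threshold of 5 failures per user and source.
param(
    [int]$WindowMinutes = 10,
    [int]$Threshold     = 5,
    [string]$SmtpServer = 'smtp.example.com',
    [string]$From       = 'dc-alerts@example.com',
    [string]$To         = 'secops@example.com'
)

# A few common values of the 4771 Status field (Kerberos failure code)
$StatusText = @{
    '0x18' = 'bad password'
    '0x17' = 'password expired'
    '0x25' = 'clock skew too great'
}

$filter = @{ LogName = 'Security'; Id = 4771; StartTime = (Get-Date).AddMinutes(-$WindowMinutes) }
# Get-WinEvent raises an error when nothing matches; treat that as "no events"
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { return }

# Pull the named EventData fields out of each event's XML
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        User   = $data['TargetUserName']
        Source = $data['IpAddress'] -replace '^::ffff:', ''   # strip IPv4-mapped prefix
        Status = $data['Status']
    }
}

# Alert only on user/source pairs at or above the threshold, so a single typo stays quiet
$hits = $rows | Group-Object User, Source | Where-Object Count -ge $Threshold
if (-not $hits) { return }

$body = $hits | ForEach-Object {
    $first  = $_.Group[0]          # status of the first event in the group is reported
    $reason = if ($StatusText.ContainsKey($first.Status)) { $StatusText[$first.Status] } else { 'other' }
    '{0} failures for {1} from {2} (status {3}: {4})' -f $_.Count, $first.User, $first.Source, $first.Status, $reason
} | Out-String

Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
    -Subject "4771 pre-auth failures on $env:COMPUTERNAME" -Body $body
```

Reading the Security log requires an elevated session on the domain controller; running the script from a scheduled task at the same interval as the window keeps each event counted once.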
© by FastNeuron Inc.
