Windows Server Essentials Experience and Event 4768 on 2012 R2 Domain Controller


I have a Server 2012 R2 Standard domain controller with Windows Server Essentials Experience installed. I see there are several scheduled tasks associated with WSE. 2 of them are set to run at the same time every 30 minutes. These are Alert Evaluations and Macintosh Status Report. When these tasks run, I get 250 audit failure log entries in the Security log with event ID 4768 and the comment "A Kerberos authentication ticket (TGT) was requested." A sample log entry is below.

These events are creating thousands of what I assume are false positive logon failure reports every day and make it hard for me to find actual logon failures. How can I prevent them from being generated? (Note: I am seeing other audit failure / event ID 4768 entries here and there and would love to get rid of them all, but at times I am bombarded with events when the Alert Evaluations and/or Macintosh Status Report tasks run.)

log name:      security
source:        microsoft-windows-security-auditing
date:          8/25/2015 12:11:54 am
event id:      4768
task category: kerberos authentication service
level:         information
keywords:      audit failure
user:          n/a
computer:      ad1.ad.mydomain.com
description:
kerberos authentication ticket (tgt) requested.

account information:
account name: s-1-5-21-2541659492-2133024706-1076218658-1002
supplied realm name: ad.mydomain.com
user id: null sid

service information:
service name: krbtgt/ad.mydomain.com
service id: null sid

network information:
client address: ::1
client port: 0

additional information:
ticket options: 0x40810010
result code: 0x6
ticket encryption type: 0xffffffff
pre-authentication type: -

certificate information:
certificate issuer name:
certificate serial number:
certificate thumbprint:

certificate information provided if certificate used pre-authentication.

pre-authentication types, ticket options, encryption types , result codes defined in rfc 4120.
event xml:
<event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <system>
    <provider name="microsoft-windows-security-auditing" guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <eventid>4768</eventid>
    <version>0</version>
    <level>0</level>
    <task>14339</task>
    <opcode>0</opcode>
    <keywords>0x8010000000000000</keywords>
    <timecreated systemtime="2015-08-25t04:11:54.401893100z" />
    <eventrecordid>39022701</eventrecordid>
    <correlation />
    <execution processid="748" threadid="4996" />
    <channel>security</channel>
    <computer>ad1.ad.mydomain.com</computer>
    <security />
  </system>
  <eventdata>
    <data name="targetusername">s-1-5-21-2541659492-2133024706-1076218658-1002</data>
    <data name="targetdomainname">ad.mydomain.com</data>
    <data name="targetsid">s-1-0-0</data>
    <data name="servicename">krbtgt/ad.mydomain.com</data>
    <data name="servicesid">s-1-0-0</data>
    <data name="ticketoptions">0x40810010</data>
    <data name="status">0x6</data>
    <data name="ticketencryptiontype">0xffffffff</data>
    <data name="preauthtype">-</data>
    <data name="ipaddress">::1</data>
    <data name="ipport">0</data>
    <data name="certissuername">
    </data>
    <data name="certserialnumber">
    </data>
    <data name="certthumbprint">
    </data>
  </eventdata>
</event>


Hi,

According to your description, my understanding is that the Essentials built-in tasks generate event ID 4768, and you want to disable these events.

The level of event 4768 is Information, which indicates that a change in an application or component has occurred, such as an operation has completed, a resource has been created, or a service started. It is similar to a note that says: "For information." I am afraid there is no easy way to disable it.

To better use the event logs, you may try using the built-in filter (combined with key words) to find the events.

Best regards,
Eve Wang

Please remember to mark the replies as answers if they help, and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.
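
An added example, not part of the original thread or of any Microsoft tooling: a Python filter in the spirit of the reply's suggestion, run over Security-log events exported as XML. It sets aside only 4768 failures with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN in RFC 4120) that come from the loopback address with a raw SID as the account name, as in the sample entry above, and leaves every other failure for review. The function names and the two extra sample events are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

LOOPBACK = {"::1", "127.0.0.1"}
SID_RE = re.compile(r"^s-1-\d+(-\d+)+$", re.IGNORECASE)

def parse_event(xml_text):
    """Return EventID plus every <Data Name=...> field, keyed by lowercased name."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        # Drop the namespace and ignore case (the sample in the post is all lowercase).
        name = el.tag.rsplit("}", 1)[-1].lower()
        if name == "eventid":
            fields["eventid"] = (el.text or "").strip()
        elif name == "data":
            attrs = {k.lower(): v for k, v in el.attrib.items()}
            if "name" in attrs:
                fields[attrs["name"].lower()] = (el.text or "").strip()
    return fields

def is_local_sid_noise(ev):
    """4768 failure 0x6 from loopback whose account name is a raw SID string."""
    return (ev.get("eventid") == "4768"
            and ev.get("status", "").lower() == "0x6"
            and ev.get("ipaddress") in LOOPBACK
            and bool(SID_RE.match(ev.get("targetusername", ""))))

def triage(xml_events):
    """Split into (noise, review); anything outside the narrow pattern stays in review."""
    noise, review = [], []
    for ev in map(parse_event, xml_events):
        (noise if is_local_sid_noise(ev) else review).append(ev)
    return noise, review

def make_event(user, ip, status):
    """Build a constructed 4768 record (hypothetical helper for the samples below)."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><EventID>4768</EventID></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data><Data Name="IpAddress">{ip}</Data>'
            f'<Data Name="Status">{status}</Data></EventData></Event>')

SAMPLES = [
    make_event("s-1-5-21-2541659492-2133024706-1076218658-1002", "::1", "0x6"),  # values from the post
    make_event("jdoe", "::ffff:192.0.2.15", "0x6"),   # constructed: remote client, unknown user
    make_event("svc-backup", "192.0.2.40", "0x12"),   # constructed: remote client, other failure
]
if __name__ == "__main__":
    noise, review = triage(SAMPLES)
    print(len(noise), "set aside;", [e["targetusername"] for e in review], "left for review")
```

Keeping the match this narrow means a 0x6 failure from any non-loopback client, or for a named account, still shows up in the review list.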


