From dd9bb94113b7827872b04153fd7464476e0b0c03 Mon Sep 17 00:00:00 2001 From: Deland Han Date: Tue, 26 Feb 2019 14:07:25 +0800 Subject: [PATCH 1/3] update --- windows/security/threat-protection/auditing/event-4769.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index cfb61706ce..465a4bd51a 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md @@ -80,12 +80,14 @@ You will typically see many Failure events with **Failure Code** “**0x20**”, **Account Information:** -- **Account Name** \[Type = UnicodeString\]**:** the User Principal Name (UPN) of the account that requested the ticket. Computer account name ends with **$** character in UPN. This field typically has the following value format: user\_account\_name@FULL\_DOMAIN\_NAME. +- **Account Name** \[Type = UnicodeString\]**:** the user name of the account that requested the ticket in the User Principal Name (UPN) syntax. Computer account name ends with **$** character in the user name part. This field typically has the following value format: user\_account\_name@FULL\_DOMAIN\_NAME. - User account example: dadmin@CONTOSO.LOCAL - Computer account example: WIN81$@CONTOSO.LOCAL + > **Note** Although this field is in the UPN format, this is not the attribute value of "UserPrincipalName" of the user account. It is the "normalized" name or implicit UPN. It is built from the user SamAccountName and the Active Directory domain name. + This parameter in this event is optional and can be empty in some cases. - **Account Domain** \[Type = UnicodeString\]**:** the name of the Kerberos Realm that **Account Name** belongs to. This can appear in a variety of formats, including the following: 
@@ -100,7 +102,7 @@ You will typically see many Failure events with **Failure Code** “**0x20**”, - **Logon GUID** \[Type = GUID\]: a GUID that can help you correlate this event (on a domain controller) with other events (on the target computer for which the TGS was issued) that can contain the same **Logon GUID**. These events are “[4624](event-4624.md): An account was successfully logged on”, “[4648](event-4648.md)(S): A logon was attempted using explicit credentials” and “[4964](event-4964.md)(S): Special groups have been assigned to a new logon.” - This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”. + This parameter might not be captured in the event, and in that case appears as "{00000000-0000-0000-0000-000000000000}". > **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. From fac8fe376de488a0fa953e942e8219b2071fa301 Mon Sep 17 00:00:00 2001 From: Deland-Han Date: Tue, 26 Feb 2019 14:09:17 +0800 Subject: [PATCH 2/3] update --- windows/security/threat-protection/auditing/event-4769.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index 465a4bd51a..b837812eea 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md 
@@ -171,7 +171,7 @@ The most common values: | 12 | Transited-policy-checked | KILE MUST NOT check for transited domains on servers or a KDC. Application servers MUST ignore the TRANSITED-POLICY-CHECKED flag. | | 13 | Ok-as-delegate | The KDC MUST set the OK-AS-DELEGATE flag if the service account is trusted for delegation. | | 14 | Request-anonymous | KILE not use this flag. | -| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. | +| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the “canonicalize” KDC option for the AS-REQ or TGS-REQ. | | 16-25 | Unused | - | | 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor
the DISABLE-TRANSITED-CHECK option.
Should not be in use, because Transited-policy-checked flag is not supported by KILE. | | 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. | From a7c0ef000b57e0e322f25edce440fb9747c96364 Mon Sep 17 00:00:00 2001 From: Deland-Han Date: Tue, 26 Feb 2019 14:13:08 +0800 Subject: [PATCH 3/3] typo --- windows/security/threat-protection/auditing/event-4769.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index b837812eea..ea200b936f 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md @@ -102,7 +102,7 @@ You will typically see many Failure events with **Failure Code** “**0x20**”, - **Logon GUID** \[Type = GUID\]: a GUID that can help you correlate this event (on a domain controller) with other events (on the target computer for which the TGS was issued) that can contain the same **Logon GUID**. These events are “[4624](event-4624.md): An account was successfully logged on”, “[4648](event-4648.md)(S): A logon was attempted using explicit credentials” and “[4964](event-4964.md)(S): Special groups have been assigned to a new logon.” - This parameter might not be captured in the event, and in that case appears as "{00000000-0000-0000-0000-000000000000}". + This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”. > **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
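Review bot: In PATCH 1/3, first hunk (@@ -80,12 +80,14 @@), the added Note says the value "is built from the user SamAccountName and the Active Directory domain name", but the same field also carries computer accounts (the example just above it is WIN81$@CONTOSO.LOCAL), so "user" is too narrow. Suggest "built from the account's SamAccountName and the Active Directory domain name". Since the Note exists to warn that this is not the "UserPrincipalName" attribute, it would help readers who filter on this field to add one sentence saying that a comparison against the UserPrincipalName attribute may not match the logged value.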
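Review bot: In PATCH 1/3, second hunk (@@ -100,7 +102,7 @@), the only change swaps the curly quotes around {00000000-0000-0000-0000-000000000000} for straight quotes, which is unrelated to the Account Name clarification and disagrees with the curly quotes used for the 4624, 4648 and 4964 titles in the context line directly above it. Drop this hunk from the patch.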
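Review bot: In PATCH 2/3 (@@ -171,7 +171,7 @@), the context row for bit 14 reads "KILE not use this flag." with the verb missing, directly above the row being edited; since this commit is a punctuation pass over the table, fix it here as well ("KILE does not use this flag."). The subject line "update" gives no hint that the change is quote normalization in the flags table, so state that in the subject.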
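Review bot: PATCH 3/3 (@@ -102,7 +102,7 @@) restores exactly the Logon GUID line that the second hunk of PATCH 1/3 changed, so the series carries a change and its own revert; squash this into 1/3 by dropping that hunk there. After the full series the Note added in 1/3 still has straight quotes around "UserPrincipalName" and "normalized", while 2/3 and this patch move text to curly quotes, so pick one style and apply it to that Note too.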