Event-o-Pedia EventID 4771 - Kerberos pre-authentication failed.

	Event Details
	Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Account Logon->Kerberos Authentication Service->EventID 4771 - Kerberos pre-authentication failed.

EventID 4771 - Kerberos pre-authentication failed.

Indicates that the kerberos pre-authentication was failed. The reason is in the failure code, see here.
In other words, it indicates a user/computer account failed initial logon.
Refer to the link for Kerberos failure codes meaning.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:

Windows 2000, 2003

EventID 675 - Pre-authentication failed

Sample:

Kerberos pre-authentication failed.
Account Information:
	Security ID:		S-1-5-21-1135140816-2109348461-2107143693-1601
	Account Name:		Paul
Service Information:
	Service Name:		krbtgt/LOGISTICS
Network Information:
	Client Address:		::ffff:10.10.0.2
	Client Port:		49432
Additional Information:
	Ticket Options:		0x40810010
	Failure Code:		0x18
	Pre-Authentication Type:	2
Certificate Information:
	Certificate Issuer Name:		
	Certificate Serial Number: 	
	Certificate Thumbprint:		
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
===========================
Description template stored in adtschema.dll:
===========================
Kerberos pre-authentication failed.

Account Information:
	Security ID:		%2
	Account Name:		%1

Service Information:
	Service Name:		%3

Network Information:
	Client Address:		%7
	Client Port:		%8

Additional Information:
	Ticket Options:		%4
	Failure Code:		%5
	Pre-Authentication Type:	%6

Certificate Information:
	Certificate Issuer Name:		%9
	Certificate Serial Number: 	%10
	Certificate Thumbprint:		%11

Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.

Log Type:

Windows Event Log

Uniquely Identified By:

Log Name:

Security

Filtering Field	Equals to Value
OSVersion	Windows Vista (2008) Windows 7 (2008 R2) Windows 8 (2012) Windows 8.1 (2012 R2) Windows 10 (2016)
Category	Account Logon
Source	Microsoft-Windows-Security-Auditing
TaskCategory	Kerberos Authentication Service
EventId	4771

Field Matching

Field	Description	Stored in	Sample Value
DateTime	Date/Time of event origination in GMT format.	DateTime	10.10.2000 19:00:00
Source	Name of an Application or System Service originating the event.	Source	Security
Type	Warning, Information, Error, Success, Failure, etc.	Type	Success
User	Domain\Account name of user/service/computer initiating event.	User	RESEARCH\Alebovsky
Computer	Name of server workstation where event was logged.	Computer	DC1
EventID	Numerical ID of event. Unique within one Event Source.	EventId	576
Description	The entire unparsed event message.	Description	Special privileges assigned to new logon.
Log Name	The name of the event log (e.g. Application, Security, System, etc.)	LogName	Security
Task Category	A name for a subclass of events within the same Event Source.	TaskCategory
Level	Warning, Information, Error, etc.	Level
Keywords	Audit Success, Audit Failure, Classic, Connection etc.	Keywords
Category	A name for an aggergative event class, corresponding to the similar ones present in Windows 2003 version.	Category	Account Logon
Object Name		-
Whom		-
Object Type		-
Class Name		-
Security ID		-
Account Name		InsertionString1
Account Domain		-
Account Information: Account Name	The name of the account that Kerberos request was processed for	InsertionString1	DCC1$
Service Information: Service Name	The account name of the service distributing tickets, e.g. krbtgt	InsertionString3	krbtgt/LOGISTICS
Network Information: Client Address	The IP address of the computer that sent the ticket request. If the request was made locally, then the address will be listed as 127.0.0.1	InsertionString7	::ffff:10.10.0.2
Network Information: Client Port	The network port on the client machine that request was sent from	InsertionString8	49432
Additional Information: Ticket Options	A hexadecimal number representing the Key Distribution Center (KDC) Option flags that were used or requested when the ticket was issued. KDC Option flags include information such as whether a ticket can be forwarded or renewed. The number in the Ticket Options field is a bit mask	InsertionString4	0x40810010
Account Information: Security ID	Account Security ID. It is usually being resolved to the following format: DomainName\AccountName	InsertionString2	S-1-5-21-1135140816-2109348461-2107143693-1601
Additional Information: Failure Code	Displays the reason for the authentication failure	InsertionString5	0x18
Additional Information: Pre-Authentication Type	The code for the type of pre-authentication	InsertionString6	2
Certificate Information: Certificate Issuer Name	Name of the authority that issued the certificate	InsertionString9
Certificate Information: Certificate Serial Number	A unique ID within the same Certificate Authority (Issuer)	InsertionString10
Certificate Information: Certificate Thumbprint	A digest of the certificate data	InsertionString11