Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Logon->EventID 672 - Authentication Ticket Request [Win 2003]
EventID 672 - Authentication Ticket Request [Win 2003]
Indicates that the authentication ticket was either granted or denied to a user or computer account requesting it.
In other words, this event indicates either a successful or failed user/computer initial domain logon.

Note: Logged only on domain controllers.

Some fields provide codes as values. Refer to the following links in order to see their human-readable descriptions: Certificate fields provide values only if a certificate was used for pre-authentication (e.g. logging in with a smart card or some other type of token).

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other Windows versions:

Windows 2000
Note: On Windows 2000 the EventID 672 indicates only authentication ticket grants, whereas failures to serve the authentication ticket request are indicated by EventID 676. Windows 2008

Related events:

        Event Type:     Success Audit
        Event Source:   Security
        Event Category: Account Logon
        Event ID:       672
        Date:           10/26/2009
        Time:           07:31:56
        User:           NT AUTHORITY\SYSTEM
        Computer:       DC1
        Authentication Ticket Request:
        User Name:		Paul
        Supplied Realm Name:	RESEARCH
        User ID:			%{S-1-5-21-184992632-1607737289-1287950321-1178}
        Service Name:		krbtgt
        Service ID:		%{S-1-5-21-184992632-1607737289-1287950321-502}
        Ticket Options:		0x40810010
        Result Code:		-
        Ticket Encryption Type:	0x17
        Pre-Authentication Type:	2
        Client Address:
        Certificate Issuer Name:
        Certificate Serial Number:
        Certificate Thumbprint:
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2003
Category Account Logon
Source Security
EventId 672
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Category A name for a subclass of events within the same Event Source. Category Logon/Logoff
User Name Account name of the user/computer requesting the ticket InsertionString1 Paul
Supplied Realm Name User/computer account's DNS suffix InsertionString2 RESEARCH
User ID Account name in the following format: domain name\account name InsertionString3 %{S-1-5-21-184992632-1607737289-1287950321-1178}
Service Name The account name of the service distributing tickets, e.g. krbtgt InsertionString4 krbtgt
Service ID The account name of the service distributing tickets in the following format: domain name\service account name InsertionString5 %{S-1-5-21-184992632-1607737289-1287950321-502}
Ticket Options A hexadecimal number representing the Key Distribution Center (KDC) Option flags that were used or requested when the ticket was issued. KDC Option flags include information such as whether a ticket can be forwarded or renewed. The number in the Ticket Options field is a bit mask. InsertionString6 0x40810010
Result Code The Kerberos error code for the reason that the domain controller was unable to issue the ticket. Please find the code descriptions here. InsertionString7 -
Ticket Encryption Type The code for the Kerberos encryption type (etype) used in the ticket request. Please find the code descriptions here. InsertionString8 0x17
Pre-Authentication Type The code for the type of pre-authentication. InsertionString9 2
Client Address The IP address of the computer that sent the ticket request. If the request was made locally, then the address will be listed as InsertionString10
Certificate Issuer Name Name of the authority that issued the certificate InsertionString11
Certificate Serial Number A unique ID within the same Certificate Authority (Issuer) InsertionString12
Certificate Thumbprint A digest of the certificate data InsertionString13
You must be logged in to comment