Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Account Logon->EventID 673 - Service Ticket Request [Win 2003]
EventID 673 - Service Ticket Request [Win 2003]
Indicates that the service ticket was either granted or denied to a user or computer account requesting it.
In other words, this event indicates either a successful or failed attempt of a user/computer account to access a network resource on the domain, e.g. map a drive, connect to a file share, etc.

Note: Logged only on domain controllers.

Some fields provide codes as values. Refer to the following links in order to see their human-readable descriptions:
Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:

Windows 2000
Note: On Windows 2000 the EventID 673 indicates only successful service ticket grants, whereas failures are indicated by EventID 677.
Windows 2008
 Sample:
        Event Type:     Success Audit
        Event Source:   Security
        Event Category: Account Logon
        Event ID:       673
        Date:           10/26/2009
        Time:           07:31:56
        User:           NT AUTHORITY\SYSTEM
        Computer:       DC1
        Description:
        Service Ticket Request:
        User Name:		Paul@RESEARCH.CORP
        User Domain:		RESEARCH.CORP
        Service Name:		DC1$
        Service ID:		%{S-1-5-21-184992632-1607737289-1287950321-1003}
        Ticket Options:		0x40810000
        Ticket Encryption Type:	0x17
        Client Address:		127.0.0.1
        Failure Code:		-
        Logon GUID:		{dc1ddb20-3e58-b918-6c94-db2c903a70ff}
        Transited Services:	-
      
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2003
Category Account Logon
Source Security
EventId 673
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Category A name for a subclass of events within the same Event Source. Category Logon/Logoff
User Name Account name of the user/computer requesting the ticket InsertionString1 Paul@RESEARCH.CORP
User Domain User/computer account's DNS suffix InsertionString2 RESEARCH.CORP
Service Name The service to which access was requested InsertionString3 DC1$
Service ID The account name of the service (to which access was requested) in the following format: domain name\service account name InsertionString4 %{S-1-5-21-184992632-1607737289-1287950321-1003}
Ticket Options A hexadecimal number representing the Key Distribution Center (KDC) Option flags that were used or requested when the ticket was issued. KDC Option flags include information such as whether a ticket can be forwarded or renewed. The number in the Ticket Options field is a bit mask. InsertionString5 0x40810000
Ticket Encryption Type The code for the Kerberos encryption type (etype) used on the ticket request. Please find the code descriptions here. InsertionString6 0x17
Client Address IP address of the workstation from which the user logged on. InsertionString7 127.0.0.1
Failure Code Displays the reason for the authentication failure. Please find the code descriptions here. InsertionString8 -
Logon GUID The Logon GUID field displays a unique number that can be used to correlate the ticket request event with a Logon/Logoff event on the computer where the requested service resides. For successful logons, compare the value with the corresponding value in the Security 540 event on the computer where the requested service resides. InsertionString9 {dc1ddb20-3e58-b918-6c94-db2c903a70ff}
Transited Services The Transited Services field displays an ordered list of services or applications through which the user's credentials have been authenticated by means of constrained delegation. InsertionString10 -
Comments
You must be logged in to comment