Event Details
EventID 4770 - A Kerberos service ticket was renewed.
 Sample:
A Kerberos service ticket was renewed.

Account Information:
	Account Name:		%1
	Account Domain:		%2

Service Information:
	Service Name:		%3
	Service ID:		%4

Network Information:
	Client Address:		%7
	Client Port:		%8

Additional Information:
	Ticket Options:		%5
	Ticket Encryption Type:	%6

Ticket options and encryption types are defined in RFC 4120.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/27/2009 10:01:35 PM
Event ID:      4770
Task Category: Kerberos Service Ticket Operations
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      dcc1.Logistics.corp
Description:   
A Kerberos service ticket was renewed.
Account Information:
	Account Name:		SERVER1$@LOGISTICS.CORP
	Account Domain:		LOGISTICS.CORP
Service Information:
	Service Name:		krbtgt
	Service ID:		S-1-5-21-1135140816-2109348461-2107143693-502
Network Information:
	Client Address:		::ffff:10.10.0.3
	Client Port:		57084
Additional Information:
	Ticket Options:		0x2
	Ticket Encryption Type:	0x12
Ticket options and encryption types are defined in RFC 4120.
Log Type: Windows Event Log
Uniquely Identified By:
Log Name: Security
Filtering Field | Equals to Value
OSVersion | Windows Vista (2008); Windows 7 (2008 R2); Windows 8 (2012); Windows 8.1 (2012 R2); Windows 10 (2016)
Category | Account Logon
Source | Microsoft-Windows-Security-Auditing
TaskCategory | Kerberos Service Ticket Operations
EventId | 4770
Field Matching
Field | Description | Stored in | Sample Value
When | At what date and time a user activity originated in the system. | DateTime |
Who | Account or user name under which the activity occurred. | Account Name | Administrator$@LOGISTICS.CORP
What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | "Kerberos Service Ticket Operations" | Kerberos Service Ticket Operations
Where | The name of the workstation/server where the activity was logged. | Computer |
Where From | The name of the workstation/server where the activity was initiated from. | Network Information: Client Address | ::ffff:10.10.0.3
Severity | Specify the seriousness of the event. | "High" | High
WhoDomain | | Account Domain | LOGISTICS.CORP
WhereDomain | | - |
Result | Successful or Failed. | "Successful" | Successful
Failure Reason | | "Successful" | Successful