Event Details
EventID 4821 - A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.
 Sample:
A Kerberos service ticket was denied because the user, device, or both does not meet the access control restrictions.

  Account Information:
   Account Name:        %1
   Account Domain:        %2
   Logon GUID:        %11

  Authentication Policy Information:
   Silo Name:        %13
   Policy Name:        %14

  Device Information:
   Device Name:        %3

  Service Information:
   Service Name:        %4
   Service ID:        %5

  Network Information:
   Client Address:        %8
   Client Port:        %9

  Additional Information:
   Ticket Options:        %6
   Ticket Encryption Type:    %7
   Failure Code:        %10
   Transited Services:    %12

  This event is generated every time access is requested to a resource such as a computer or a Windows
  service.  The service name indicates the resource to which access was requested.

  This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.
   The logon event occurs on the machine that was accessed, which is often a different machine than the
  domain controller which issued the service ticket.

  Ticket options, encryption types, and failure codes are defined in RFC 4120.
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
| Filtering Field | Equals to Value |
| --- | --- |
| OSVersion | Windows Vista (2008); Windows 7 (2008 R2); Windows 8 (2012); Windows 8.1 (2012 R2); Windows 10 (2016) |
| Category | Account Logon |
| Source | Microsoft-Windows-Security-Auditing |
| TaskCategory | Kerberos Service Ticket Operations |
| EventId | 4821 |
Field Matching

| Field | Description | Stored in | Sample Value |
| --- | --- | --- | --- |
| When | At what date and time a user activity originated in the system. | DateTime | 10.10.2000 19:00:00 |
| Who | Account or user name under which the activity occurred. | Account Name | |
| What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | "Logon" | Logon |
| Where | The name of the workstation/server where the activity was logged. | Computer | DC1 |
| Where From | The name of the workstation/server where the activity was initiated from. | Ticket Encryption Type | ::ffff:10.10.0.3 |
| Severity | Specify the seriousness of the event. | - | High |
| WhoDomain | | Account Domain | |
| WhereDomain | | - | |
| Result | Successful or Failed. | "Failed" | Failed |
| Failure Reason | Failure Reason - Bad user name or password, not enough privileges, etc. | - | Bad user name or password |
| Failure Code | | Failure Code | |