Updated on September 10, 2025
Event ID 4769 represents one of the most important security events IT professionals should monitor in Windows Active Directory environments. This Windows Security event log entry signals a failed Kerberos Service Ticket request—a failure that can indicate everything from simple configuration errors to sophisticated cyberattacks.
Understanding Event ID 4769 is essential for maintaining network security. A sudden spike in these events often serves as an early warning system for ongoing attacks. Network administrators who can properly interpret and respond to these events gain a significant advantage in protecting their infrastructure.
This guide explains what Event ID 4769 means, how it works, and why it deserves your attention as a security monitoring priority.
Definition and Core Concepts
Event ID 4769 is a security log entry generated by a domain controller when the Ticket-Granting Service (TGS) fails to issue a Kerberos Service Ticket. The domain controller that received the failed request logs this event.
The event occurs during the second phase of Kerberos authentication. When a client cannot obtain the service ticket it needs, the system creates this log entry to document the failure.
Key Fields in Event ID 4769
Each Event ID 4769 entry contains several critical fields that provide context for the failure:
- Account Name: The user or computer account that made the failed ticket request. This field helps identify who or what initiated the authentication attempt.
- Service Name: The Service Principal Name (SPN) of the service the account was attempting to access. This shows exactly which service the client tried to reach.
- Failure Code: A numeric code specifying the exact reason for the failure. Common codes include 0x6 for an unknown or incorrect SPN and 0x12 for account restrictions.
- Ticket Options: Flags and additional information about the requested ticket. These options reveal details about the authentication attempt.
How Event ID 4769 Works
Event ID 4769 is generated during the TGS Exchange, the second phase of the Kerberos authentication process.
Normal Kerberos Process
Under normal circumstances, a client with a valid Ticket-Granting Ticket (TGT) sends a request to the TGS for a Service Ticket. The client specifies the target service using its SPN. The TGS validates the request and issues the appropriate ticket.
When Failure Occurs
The TGS logs Event ID 4769 when it cannot fulfill the ticket request. This happens when the TGT is invalid, the user account faces restrictions, or the requested SPN doesn’t exist or contains errors.
The domain controller creates this log entry immediately when the failure occurs. This real-time logging makes Event ID 4769 valuable for both troubleshooting and security monitoring.
Common Causes and Troubleshooting
Event ID 4769 events frequently result from legitimate configuration issues rather than malicious activity.
SPN Mismatch
SPN mismatches cause the majority of Event ID 4769 events. Clients may attempt to access services using Service Principal Names that contain typos or aren’t properly registered in Active Directory.
Common scenarios include applications using outdated SPN references or manual configuration errors during service setup.
Account Restrictions
User or service accounts may face various restrictions that prevent successful authentication:
- Disabled or locked accounts
- Logon hour restrictions
- Password expiration issues
- Insufficient permissions for the requested service
Network and Infrastructure Issues
Network connectivity problems or firewall rules can prevent clients from properly communicating with domain controllers. These issues may cause authentication requests to fail or time out, resulting in Event ID 4769 entries.
DNS resolution problems can also cause SPN-related failures when clients cannot locate the correct service endpoints.
Security Implications and Threat Hunting
While Event ID 4769 often indicates benign configuration issues, high volumes of these events, especially from a single source, signal potential malicious activity.
Reconnaissance Activities
Attacker reconnaissance frequently shows up as a pattern of Event ID 4769 entries. Attackers intentionally send requests for common SPNs to identify valid service accounts. Failed attempts generate Event ID 4769 entries, but successful requests reveal valuable targets.
This technique helps attackers map network services and identify potential attack vectors without triggering more obvious security alerts.
Kerberoasting Attack Detection
High volumes of Event ID 4769 events serve as key indicators of Kerberoasting attacks. During these attacks, adversaries with valid domain accounts request Service Tickets for all discoverable service accounts.
Failed requests due to misconfigurations create floods of Event ID 4769 alerts. Security teams should investigate sudden spikes in these events, particularly when they originate from single accounts or IP addresses.
Lateral Movement Indicators
Event ID 4769 can signal lateral movement attempts using compromised credentials. When attackers try to access services beyond their authorized scope, the authentication failures generate these events.
Multiple failures across different services from the same account may indicate credential compromise and unauthorized access attempts.
Monitoring and Response Strategies
Effective Event ID 4769 monitoring requires establishing baseline patterns and identifying anomalies.
Baseline Establishment
Normal network operations generate predictable volumes of Event ID 4769 events. Document typical patterns during different times and operational states to identify unusual activity.
Track common failure codes and their frequencies to distinguish between routine configuration issues and potential security incidents.
Alert Thresholds
Set monitoring thresholds based on your baseline patterns. Consider alerts for:
- Sudden volume increases from specific accounts
- New or unusual failure codes
- Geographic or time-based anomalies
- Repeated failures targeting high-value services
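The following added example (not part of the original guide) shows one way to turn the first two thresholds above, plus the "multiple failures across different services from the same account" pattern, into detection logic. The record layout, the sample events, and the default thresholds are assumptions made for illustration; only the field meanings and the 0x6 and 0x12 codes come from this guide.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Fields mirror the guide's
# "Key Fields" list; every timestamp, account and SPN here is invented.
def ev(ts, account, service, code):
    return {"time": datetime.fromisoformat(ts), "account": account,
            "service": service, "failure_code": code}

SAMPLE_EVENTS = (
    # Routine noise: a host account retrying one stale SPN every 15 minutes
    [ev(f"2025-09-10T09:{m:02d}:00", "APP01$", "HTTP/intranet-old", "0x6")
     for m in (1, 16, 31, 46)]
    # Burst: one user account failing against 12 different SPNs in 22 seconds
    + [ev(f"2025-09-10T10:00:{s:02d}", "jdoe", f"MSSQLSvc/db{s:02d}", "0x6")
       for s in range(0, 24, 2)]
    + [ev("2025-09-10T10:05:00", "svc-backup", "cifs/fs01", "0x12")]
)

def detect(events, window=timedelta(minutes=5), max_events=10,
           max_services=5, baseline_codes=frozenset({"0x6", "0x12"})):
    """Return alerts as a sorted list of (account, reason) tuples.
    Thresholds are assumed defaults; derive real ones from your baseline."""
    alerts = set()
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_account[e["account"]].append(e)
        # A failure code never seen in the baseline is worth a look on its own
        if e["failure_code"] not in baseline_codes:
            alerts.add((e["account"], "unusual_failure_code"))
    for account, evs in by_account.items():
        start = 0
        for end, e in enumerate(evs):
            # Advance the window start until the span fits inside `window`
            while e["time"] - evs[start]["time"] > window:
                start += 1
            in_window = evs[start:end + 1]
            if len(in_window) > max_events:
                alerts.add((account, "volume_spike"))
            if len({x["service"] for x in in_window}) > max_services:
                alerts.add((account, "many_distinct_services"))
    return sorted(alerts)

if __name__ == "__main__":
    for account, reason in detect(SAMPLE_EVENTS):
        print(f"ALERT {account}: {reason}")
```

The periodic failures from `APP01$` stay below every threshold, while the `jdoe` burst trips both the volume and the distinct-service checks.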
Investigation Procedures
When Event ID 4769 alerts trigger, follow systematic investigation procedures:
- Verify the legitimacy of the requesting account
- Check recent authentication patterns for anomalies
- Examine related security events on affected systems
- Correlate with network traffic and endpoint data
Key Terms Appendix
- Event ID 4769: The Windows Security Event ID for a failed Kerberos Service Ticket request.
- Kerberos Service Ticket: A temporary credential that grants access to a specific network service.
- Ticket-Granting Service (TGS): The component of the Key Distribution Center that issues Service Tickets to authenticated users.
- Service Principal Name (SPN): A unique identifier that associates a service instance with a service logon account.
- Kerberoasting: An attack technique that exploits weak service account passwords by requesting Service Tickets and attempting to crack their password hashes offline.