Do you see a series of Security Log Event ID 4776, The computer attempted to validate the credentials for an account, in the Windows Event Viewer? There is nothing to worry about if the event is a success. It becomes a matter of concern when you see many failed instances of the event. Event ID 4776 failures typically show up for unknown user names, login attempts with incorrectly spelled names, or attempts to access disabled or deleted accounts.
Whether it reads Event ID 4776 – The domain controller attempted to validate the credentials for an account or The computer attempted to validate the credentials for an account, the event gives you critical details about the source of these attempts. In this post, we discuss what this message means and how to act on it.
What is Event ID 4776?
Event ID 4776 is logged by the Domain Controller (DC) or the local SAM that acted as the logon server to verify an account's credentials using NTLM (NT LAN Manager). This event is logged on Domain Controllers, workstations, and Windows servers. NTLM is the default authentication protocol for local logon.
Each time a domain account's credentials are validated on a domain controller via NTLM, the DC logs Event ID 4776 with the outcome (success or failure). Likewise, when a local SAM account is validated (the server or workstation itself authenticates the credentials), Event ID 4776 is logged on that local machine.
Below are the elements included in the Event ID 4776:
- The authentication package – “MICROSOFT_AUTHENTICATION_PACKAGE_V1_0”.
- The Logon Account – Account name of the user or computer that attempted to log on. A logon account can also be a well-known security principal.
- The Source Workstation – The name of the client computer from which the logon attempt originated.
- Error Code – This indicates whether the verification was a success or a failure. If the error code shows 0x0, this means that the credentials were successfully validated. If it’s not 0x0 then it means that the credentials were not validated. In this case, the field will show Authentication Failure – Event ID 4776 (F).
Event ID 4776, The computer attempted to validate the credentials for an account
While a failed Event ID 4776 is not always a cause for worry, a run of failures can be a cause for concern, for example a rainbow attack. In such a case, follow the steps below to troubleshoot the problem:
1] Windows Security Log Event ID 4776 validation via NTLM
If the validation is done through NTLM, you can find the user or the workstation easily.
2] Windows Security Log Event ID 4776 anonymous validation
But if the logon attempt comes from outside with no workstation name, or the account appears to be fake, you must identify the source of the anonymous workstation. In this case:
- Install a third-party tool such as a packet sniffer on the domain controller to capture the traffic that accompanies these events. Alternatively, use a network debugger or DCDiag to find the source.
- Check whether you or the sysadmin has RDP (port 3389) open to users from outside; RDP normally relies on Kerberos to validate credentials. If RDP is exposed, place it behind a firewall or a VPN so that only authorized attempts from outside get through.
3] Check the accompanying error code
The accompanying error code will indicate the direction you will have to troubleshoot.
| Error code | Meaning |
| --- | --- |
| 0xC0000064 | The user name you typed does not exist (bad user name). |
| 0xC000006A | Account logon with a misspelled or bad password. |
| 0xC000006D | Generic logon failure. Potential causes: an invalid user name and/or password was used, or a LAN Manager Authentication Level mismatch between the source and target computers. |
| 0xC000006F | Account logon outside authorized hours. |
| 0xC0000070 | Account logon from an unauthorized workstation. |
| 0xC0000071 | Account logon with an expired password. |
| 0xC0000072 | Account logon to an account disabled by the administrator. |
| 0xC0000193 | Account logon with an expired account. |
| 0xC0000224 | Account logon with “Change Password at Next Logon” flagged. |
| 0xC0000234 | Account logon with a locked account. |
| 0xC0000371 | The local account store does not contain secret material for the specified account. |
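The following PowerShell script is an added example for this article, not code from Microsoft or the original post. It pulls the 4776 events from the local Security log, decodes the Status field with the error-code table above, and reports the patterns from steps 2 and 3: failures grouped by source workstation (including the blank, anonymous source), failures grouped by reason, and any single source hitting many accounts. It assumes you run it elevated on the DC or server whose log you want to inspect; the hour window and failure threshold are constructed values you should tune to your environment.

```powershell
# Added example: triage failed Event ID 4776 (NTLM credential validation) entries.
# Run elevated on the DC / server holding the Security log. Not part of the original article.
param(
    [int]$Hours = 24,              # constructed: how far back to look
    [int]$FailureThreshold = 10    # constructed: failures per source worth a second look
)

# Status (error code) descriptions, taken from the table in the article.
$ErrorCodes = @{
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'Bad password'
    '0xc000006d' = 'Generic logon failure (bad credentials or LM auth level mismatch)'
    '0xc000006f' = 'Logon outside authorized hours'
    '0xc0000070' = 'Logon from unauthorized workstation'
    '0xc0000071' = 'Password expired'
    '0xc0000072' = 'Account disabled'
    '0xc0000193' = 'Account expired'
    '0xc0000224' = 'Must change password at next logon'
    '0xc0000234' = 'Account locked out'
    '0xc0000371' = 'No secret material for account in local store'
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4776
    StartTime = $since
} -ErrorAction SilentlyContinue

# Extract the named EventData fields (PackageName, TargetUserName, Workstation, Status)
# from each event's XML so we can filter and group on them.
$records = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $status = ([string]$data['Status']).ToLower()
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = $data['TargetUserName']
        # An empty Workstation field is the "anonymous" source from step 2.
        Workstation = if ([string]::IsNullOrWhiteSpace($data['Workstation'])) { '<blank>' } else { $data['Workstation'] }
        Status      = $status
        Reason      = if ($status -eq '0x0') { 'Success' }
                      elseif ($ErrorCodes.ContainsKey($status)) { $ErrorCodes[$status] }
                      else { 'Unknown status' }
    }
}

# Anything other than 0x0 is a failed validation (the 4776 (F) case).
$failures = @($records | Where-Object { $_.Status -ne '0x0' })
"Failed NTLM validations in the last $Hours h: $($failures.Count)"

# Sources with many failures; a high DistinctAccounts count from one source
# is the pattern a defender wants to spot early.
"`nSources at or above $FailureThreshold failures:"
$failures | Group-Object Workstation | Where-Object { $_.Count -ge $FailureThreshold } |
    ForEach-Object {
        [pscustomobject]@{
            Source           = $_.Name
            Failures         = $_.Count
            DistinctAccounts = @($_.Group.Account | Sort-Object -Unique).Count
        }
    } | Sort-Object Failures -Descending | Format-Table -AutoSize

# Failures by decoded reason, so you know which row of the error-code table applies.
"`nFailures by reason:"
$failures | Group-Object Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Failures with no source workstation name: candidates for the packet capture in step 2.
"`nFailures from a blank source workstation:"
$failures | Where-Object { $_.Workstation -eq '<blank>' } |
    Select-Object Time, Account, Reason | Format-Table -AutoSize
```

If the script returns no events at all, first confirm that the Account Logon > Audit Credential Validation subcategory is enabled (for example with `auditpol /get /subcategory:"Credential Validation"`); without it, 4776 is never written, regardless of how many NTLM validations occur.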
Here’s more about the Windows Security Log Event ID 4776 from Microsoft.
What is the difference between event ID 4776 and 4624?
Event ID 4776 indicates a failed login attempt due to an incorrect password or ID, or because the account is locked, while Event ID 4624 indicates a successful login. You see the Windows Security Log Event ID 4776 when the Domain Controller is accessible, while 4624 occurs when credentials are cached on the local machine or the system is unable to reach the Domain Controller.
What is the event ID for Kerberos authentication failure?
A Kerberos authentication error triggers Event ID 4771. It is a security audit log entry in Windows that is written when the user's Kerberos pre-authentication attempt fails. The event records the user, the client computer, and the reason for the authentication failure.