My boss just noticed these being logged in ExtraHop and wants me to investigate.
Everything I’ve read about this indicates that it is normal operation for Kerberos. Via Microsoft itself…
"KDC_ERR_PREAUTH_REQUIRED is returned on the initial Kerberos AS request. By default, the Windows Kerberos Client is not including pre-authentication information in this first request. The response contains information about the supported encryption types on the KDC, and in case of AES, the salts to be used to encrypt the password hashes with.
Recommendation: Always ignore this error code."
My boss doesn’t accept that explanation and wants me to find out why it is suddenly happening, so I’m in a bit of a pickle. Is it really something that could indicate that a brute force attempt is happening? On one account it has happened 460 times in the last 6 hours, but considering it’s a very active service account that is probably constantly in use, that doesn’t seem like an unusually high number of attempts. Not to mention the account hasn’t been locked out during the entire time or even had a single bad password attempt. I have a lockout tool that can check for that.
Sooooooo… Can anyone advise me here? What can I tell my boss that would satisfy him? Is it possible to just turn logging for this particular error off in ExtraHop?
I am not the ExtraHop admin and do not have access to the ExtraHop console.
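
An added example, not part of the original post: one way to triage these entries is to count, per account, how many KDC_ERR_PREAUTH_REQUIRED (25) responses are followed by an issued TGT, versus KDC_ERR_PREAUTH_FAILED (24) or KDC_ERR_CLIENT_REVOKED (18) responses, which are the codes that go with bad passwords and lockouts. The record layout, account names, addresses and threshold are constructed assumptions, not ExtraHop's export format; the error numbers are the RFC 4120 values.

```python
from collections import Counter, defaultdict

# Kerberos error codes as defined in RFC 4120
KDC_ERR_CLIENT_REVOKED = 18    # account locked out or disabled
KDC_ERR_PREAUTH_FAILED = 24    # pre-auth data did not validate (e.g. wrong password)
KDC_ERR_PREAUTH_REQUIRED = 25  # normal first leg of an AS exchange

# Constructed sample records (assumed layout): (account, client_ip, result),
# where result is "AS-REP" for an issued TGT or a numeric KRB-ERROR code.
SAMPLE = (
    [("svc_app", "10.0.0.5", KDC_ERR_PREAUTH_REQUIRED),
     ("svc_app", "10.0.0.5", "AS-REP")] * 4
    + [("jdoe", "10.0.0.77", KDC_ERR_PREAUTH_REQUIRED),
       ("jdoe", "10.0.0.77", KDC_ERR_PREAUTH_FAILED)] * 6
    + [("jdoe", "10.0.0.77", KDC_ERR_CLIENT_REVOKED)]
    + [("scanner", "10.0.0.9", KDC_ERR_PREAUTH_REQUIRED)] * 3
)

def triage(records, failed_threshold=5):
    """Summarise AS-exchange outcomes per account and assign a verdict."""
    per_account = defaultdict(Counter)
    for account, _client, result in records:
        per_account[account][result] += 1

    report = {}
    for account, c in per_account.items():
        required = c[KDC_ERR_PREAUTH_REQUIRED]
        failed = c[KDC_ERR_PREAUTH_FAILED]
        revoked = c[KDC_ERR_CLIENT_REVOKED]
        issued = c["AS-REP"]
        if failed >= failed_threshold or revoked:
            verdict = "investigate"   # bad-password or lockout evidence
        elif required and issued >= required:
            verdict = "normal"        # every challenge completed with a TGT
        else:
            verdict = "review"        # challenges that never completed
        report[account] = {"required": required, "failed": failed,
                           "revoked": revoked, "issued": issued,
                           "verdict": verdict}
    return report

if __name__ == "__main__":
    for account, row in triage(SAMPLE).items():
        print(account, row)
```

An account that shows only code 25 responses paired with issued TGTs, and no 24 or 18 responses, matches the behaviour the Microsoft quote describes.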