Operating Systems | Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10; Windows Server 2019 and 2022 |
Category • Subcategory | Account Logon • Credential Validation |
Type | Success, Failure |
Corresponding events in Windows 2003 and before | 680, 681 |
4776: The domain controller attempted to validate the credentials for an account
Despite what this event says, the computer is not necessarily a domain controller; member servers and workstations also log this event for logon attempts with local SAM accounts.
When a domain controller successfully authenticates a user via NTLM (instead of Kerberos), the DC logs this event. The event specifies which user account logged on (Account Name) and, in the Workstation field, the name of the client computer from which the user initiated the logon.
For Kerberos authentication, see events 4768, 4769 and 4771.
This event is also logged on member servers and workstations when someone attempts to log on with a local account.
Authentication Package: Always "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"
Logon Account: name of the account
Source Workstation: computer name where logon attempt originated
Description Fields in 4776
Error Code:
C0000064 | user name does not exist |
C000006A | user name is correct but the password is wrong |
C0000234 | user is currently locked out |
C0000072 | account is currently disabled |
C000006F | user tried to log on outside his day of week or time of day restrictions |
C0000070 | workstation restriction |
C0000193 | account expiration |
C0000071 | expired password |
C0000224 | user is required to change password at next logon |
C0000225 | evidently a bug in Windows and not a risk |
Examples of 4776
The domain controller attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: administrator
Source Workstation: WIN-R9H529RIO4Y
Error Code: 0xc0000064
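Added example (not from the original page): a parser for 4776 descriptions in the layout shown above that normalizes the error code against the table and flags source workstations whose failures span several distinct accounts. The function names, the `min_accounts` threshold and the `WS-EXAMPLE-*` hosts are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Meanings copied from the error-code table on this page.
STATUS = {
    "C0000064": "user name does not exist", "C000006A": "wrong password",
    "C0000234": "locked out", "C0000072": "account disabled",
    "C000006F": "day/time restriction", "C0000070": "workstation restriction",
    "C0000193": "account expiration", "C0000071": "expired password",
    "C0000224": "must change password at next logon",
}
FIELD = re.compile(
    r"^[ \t]*(Logon Account|Source Workstation|Error Code):[ \t]*(.*?)[ \t]*$", re.M)

def parse_4776(text):
    """Extract the variable fields from one 4776 description."""
    f = {k: v.strip() for k, v in FIELD.findall(text)}
    raw = f.get("Error Code", "")
    # Events show "0xc0000064"; the table lists "C0000064". Normalize to the latter.
    code = re.sub(r"^0x", "", raw, flags=re.I).upper().zfill(8) if raw else ""
    reason = "success" if code == "00000000" else STATUS.get(code, "unknown")
    return {"account": f.get("Logon Account", "").lower(),
            "workstation": f.get("Source Workstation", "").upper(),
            "code": code, "reason": reason}

def suspicious_sources(events, min_accounts=3):
    """Flag workstations whose failures span many distinct accounts.
    min_accounts is an assumed threshold; tune it to the environment."""
    per_ws = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["code"] in ("C0000064", "C000006A"):
            per_ws[e["workstation"]][e["code"]].add(e["account"])
    findings = {}
    for ws, by_code in per_ws.items():
        if len(by_code["C0000064"]) >= min_accounts:
            findings[ws] = "many nonexistent user names"
        elif len(by_code["C000006A"]) >= min_accounts:
            findings[ws] = "wrong password across many accounts"
    return findings

# Constructed sample events in the layout of the example above.
TEMPLATE = ("Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
            "Logon Account: {0}\nSource Workstation: {1}\nError Code: {2}\n")
SAMPLE = [TEMPLATE.format(*row) for row in [
    ("administrator", "WIN-R9H529RIO4Y", "0xc0000064"),
    ("alice", "WS-EXAMPLE-01", "0xC000006A"), ("bob", "WS-EXAMPLE-01", "0xc000006a"),
    ("carol", "WS-EXAMPLE-01", "0xc000006a"), ("dave", "WS-EXAMPLE-02", "0x0")]]
EVENTS = [parse_4776(t) for t in SAMPLE]
```

A single failure, such as the `administrator` event above, is not flagged on its own; the grouping by Source Workstation is what separates a mistyped password from one host failing against many accounts.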
03/26/2020
Description
Configuration of DC Security Logs and Troubleshooting
Cause
Windows Server uses the DC Security Log to record logon/logoff events and/or other security-related events specified by the system's audit policy. If the audit policy is set to record logins, a successful domain login records the user's user name and computer name in the Security Log. On Windows Server 2003 and above, the computer’s IP address is also logged.
Resolution
To configure the DC Security Log method in Directory Services Connector, perform the following steps:
Step 1: In the Directory Connector Configuration Tool, right-click SonicWall SSO Agent in the left pane.
Step 2: Select Properties.
Step 3: In the right pane in the Query Source field, select one of the following options:
- DC Security Log
- DC Security Log + NETAPI
- DC Security Log + WMI
- DC Security Log + WMI + NETAPI
Step 4: Select the desired number of seconds in the Event Polling Time field.
The Event Polling Time option is visible only if one of the DC Security Log options is selected in the Query Source field. The SSO Agent fetches event logs from the Domain Controller on a regular time interval to discover updated user information. The Event Polling Time option provides a way to specify this interval. The minimum is 5 seconds, and the maximum is 300 seconds, with a default of 10 seconds.
Step 5: To save information about previously identified users when the SSO Agent service is restarted, select the preserve users during service restart checkbox.
Upon restarting the SSO Agent service, the user information is restored. Because the SSO Agent must be restarted for properties changes to take effect, this allows the agent to maintain current user information across these restarts. To avoid restoring outdated information, if the backup is older than 15 minutes, the information is not restored.
If this option is unchecked when using DC Security Log, the user information is not saved during a service restart. When the next user information request comes in for a previously logged in user, the DC logs are checked, but there is no new logon event and so the user is not identified. If Query Source is set to DC Security Log only, the SSO Agent will send no user information to the appliance. If Query Source is set to DC Security Log with NETAPI or WMI, the agent will do a NETAPI or WMI query to the user PC to identify the user.
Step 6: Next, configure the Domain Controller information in the Directory Connector Configurator, including the IP address of the DC, the administrator account, and the password.
Step 7: Configuring the Domain Controller Information. Only machines configured with a Domain Controller role can be set as the domain controller in the Directory Connector Configurator. In the Directory Connector Configuration Tool, right-click Domain Controller in the left pane.
Step 8: Select Add.
Step 9: In the right pane on the Edit tab, type the DC IP address into the IP Address field.
Step 10: In the Administrator User field, enter the domain and admin user name separated by a backslash, such as “snwl\administrator”.
Step 11: In the Administrator Password field, type in the password for the admin user.
Step 12: In the Initial Fetch Time field, select the time of day for the SSO Agent to begin service startup and fetch event logs from the Domain Controller for the first time. All event logs are fetched before the SSO Agent service is started.
Step 13: To test the connection to the Domain Controller using the IP address and user credentials, click Test Connection. If the IP address does not belong to a machine with a role of Domain Controller, the Configurator will not accept the configuration and an error message is displayed.
Step 14: If the IP address belongs to a machine with a role of Domain Controller, no error is displayed. Click OK.
Step 15: Repeat this procedure to add another Domain Controller.
Setting Group Policy to Enable Logon Audit on Windows Server 2008
Logon audit may need to be enabled on the Windows Server machine. To enable logon audit on Windows Server 2008, perform the following steps:
1. Start the Group Policy Management Console.
2. Browse to the following location: Domain Name > Domains > Domain Name > Group Policy Objects, where "Domain Name" is replaced with your domain.
3. Under Group Policy Objects, right-click on Default Domain Policy and select Edit.
The Group Policy Management Editor window is displayed.
4. Double-click on Audit account logon events and select Success. Click OK.
5. Double-click on Audit logon events and select Success. Click OK.
6. Double-click on Audit Directory Service Access and select Success. Click OK.
7. Double-click on Audit Object Access and select Success. Click OK.
8. Close the Group Policy window.
Setting Group Policy to Enable Logon Audit on Windows Server 2003
By default, logon audit is disabled on Windows Server 2003. To enable logon audit on Windows Server 2003, perform the following steps:
1. Start the Group Policy Management Console.
2. Browse to the following location: Domain Name > Domains > Domain Name > Group Policy Objects, where "Domain Name" is replaced with your domain.
3. Right-click on Group Policy Objects and select New.
4. Give your policy a name and click OK.
5. Expand the Group Policy Objects folder and find your new policy. Right-click on the policy and select Edit...
6. Browse to the following location: Policy Name > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.
7. Left click on Audit Policy. The policy settings are displayed in the right pane.
8. Double-click on Audit account logon events and select Success. Click OK.
9. Double-click on Audit logon events and select Success. Click OK.
10. Double-click on Audit Directory Service Access and select Success. Click OK.
11. Close the Group Policy window.
How to Test:
This should list all users currently logged on to your domain.
If the above does not return any results, confirm the server settings and check the Event Viewer Security logs to see whether the user is logged on, as SonicWall only displays and uses for authentication the information it gets from the Domain Controller.
If you are using Advanced Auditing, please use the following article for GPO configuration:
DC Security Logs with Advanced Auditing