Failed Login For Locked-Out Account

Failed Login For Locked-Out Account
alert trigger indicates that a revoked user account is trying to authenticate using Kerberos pre-authentication.


10 minutes
3 days
14 days
10 minutes
Traffic and Enhanced Application logs


A user account that has been revoked is trying to authenticate using Kerberos, in turn, failing the Kerberos pre-authentication phase (ticket-granting ticket or TGT).

Attacker's Goals

Authenticate using the principal in the TGT, not knowing that it has been revoked.

Investigative Actions

  • Check whether you have issues with your Directory Sync Services failing to sync data from Active Directory.
  • Check whether the attempt to use the principals (user accounts) specified in the alert are legitimate. For example, a user or a script that was not updated that the account has been revoked.
  • The lockout can be temporary, for example, in the case of too many login attempts, and may not be visible after the account was released. Search for Windows Event Log 4740 to ascertain whether the account was locked out during the time of the alert.

Recommended For You