I recently updated my Domain Controllers with the latest cumulative updates, and now I'm not seeing any Kerberos-related system event log entries for Event IDs 201-209. However, I do see Kerberos events in the Security log, particularly Event ID 4769. Is this the expected behavior?
For some context, the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\KDC\DefaultDomainSupportedEncTypes` is not defined on the Domain Controllers. Also, the Kerberos encryption types are only configured through Group Policy under 'Network security: Configure encryption types allowed for Kerberos,' and I've included settings for RC4_HMAC_MD5, AES128_HMAC_SHA1, and AES256_HMAC_SHA1. I know that Event IDs 201-209 are related to Kerberos AES transition auditing, so I'm wondering if it's normal not to see these events in the System log when I still have Kerberos ticket events logged as 4769 in the Security log. Are there any additional audit policies or registry settings required to enable the logging of events 201-209?
4 Answers
I’m in a similar boat, actually trying to trigger those 201-209 events myself. I set my local policy to allow only RC4. When checking the tickets, I see them as RC4 in Event ID 4769, but those 201-209 events still aren’t popping up.
It seems like the 201-209 events are Microsoft's way of notifying about potential encryption upgrades, but they’ve stopped logging them because they felt it wasn't that crucial. As long as you see Event ID 4769, which indicates ticket usage, you’re probably in the clear.
You may not see events 201-209 unless the client machines are completely bypassing AES or if certain settings are off. Since you’ve got supported OS versions and both RC4 and AES allowed, it’s fine. Just keep monitoring Event ID 4769 for encryption details.
No 201-209 events probably means good news for you! It suggests there’s no RC4 currently in your setup, which is what you want going forward.
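The answers above point to Event ID 4769 as the place to check encryption details. As an added example (not part of the original thread), this PowerShell function tallies the `TicketEncryptionType` field of 4769 events so RC4 tickets stand out; the sample events are constructed, and `Get-TicketEtypeSummary` and `$EtypeNames` are hypothetical names.

```powershell
# Added example: summarize Kerberos service-ticket encryption types from Event ID 4769.
# Etype codes as logged in the TicketEncryptionType field of the event.
$EtypeNames = @{
    0x01 = 'DES-CBC-CRC'
    0x03 = 'DES-CBC-MD5'
    0x11 = 'AES128-CTS-HMAC-SHA1-96'
    0x12 = 'AES256-CTS-HMAC-SHA1-96'
    0x17 = 'RC4-HMAC'
    0x18 = 'RC4-HMAC-EXP'
}

function Get-TicketEtypeSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)
    foreach ($x in $EventXml) {
        # Flatten <EventData><Data Name="..."> elements into a name/value table.
        $f = @{}
        foreach ($d in ([xml]$x).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        $raw  = $f['TicketEncryptionType']
        $code = [Convert]::ToInt32($raw, 16)
        [pscustomobject]@{
            Account = $f['TargetUserName']
            Service = $f['ServiceName']
            # Anything not in the table (e.g. 0xFFFFFFFF on failed requests) is kept as-is.
            Etype   = if ($EtypeNames.ContainsKey($code)) { $EtypeNames[$code] } else { "other ($raw)" }
        }
    }
}

# Constructed sample events (trimmed to the fields used here), not real log data.
$sample = @(
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData><Data Name="TargetUserName">alice@EXAMPLE.LOCAL</Data><Data Name="ServiceName">FILESRV01$</Data><Data Name="TicketEncryptionType">0x12</Data></EventData></Event>'
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData><Data Name="TargetUserName">bob@EXAMPLE.LOCAL</Data><Data Name="ServiceName">svc-legacy</Data><Data Name="TicketEncryptionType">0x17</Data></EventData></Event>'
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData><Data Name="TargetUserName">carol@EXAMPLE.LOCAL</Data><Data Name="ServiceName">krbtgt</Data><Data Name="TicketEncryptionType">0xFFFFFFFF</Data></EventData></Event>'
)

$tickets = Get-TicketEtypeSummary -EventXml $sample
$tickets | Group-Object Etype | Select-Object Count, Name   # count per encryption type
$tickets | Where-Object Etype -like 'RC4*'                  # accounts/services still getting RC4 tickets

# On a domain controller, feed real events instead of $sample:
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } -MaxEvents 5000 |
#        ForEach-Object { $_.ToXml() }
# Get-TicketEtypeSummary -EventXml $xml | Group-Object Etype
```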
