Forum Discussion

justletmelogin50
Brass Contributor
Jun 23, 2026

Event 4768 for one user

Hi all,

We have two domain controllers running server 2019 with Domain Functional Level 2016.

We have one user who has been with us for almost a year, and they were suddenly getting a message in the last week that username or password were incorrect even though we confirmed they were not. They were able to initially switch to another user and re-enter their username and log in, but now it won't allow that.

On the domain controller I see events for the user Audit Failure 4768 with Result Code 0x6.  This result suggests the username doesn't exist which isn't true.  The account isn't being locked.

Has anyone seen this before and know what the issue might be?

thanks

jm

1 Reply

  • Event ID 4768 with Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) indicates that the Key Distribution Center (KDC) could not locate the client principal specified in the Kerberos AS-REQ. Although this often means "user not found", it can also occur when the account exists but Kerberos is receiving an unexpected or incorrect identity.

    Since the user was able to log on previously and this started only recently, I would check the following:

    1. Verify the account actually exists on the DC processing the request

        Get-ADUser username

    Also verify:
    - Account is enabled
    - Account has not expired
    - UserPrincipalName (UPN) is correct
    - sAMAccountName hasn't been modified

    2. Check which Domain Controller is handling the authentication

    If only one DC returns Event 4768 with 0x6, compare AD replication:

        repadmin /replsummary
        repadmin /showrepl
        dcdiag /test:Advertising

    A replication issue could cause one DC to have stale directory information.

    3. Verify the workstation is using only AD DNS servers

    Incorrect DNS (public DNS, stale records, VPN DNS, etc.) can cause the client to contact the wrong KDC.

        ipconfig /all
        nltest /dsgetdc:<domain>

    4. Look at the 4768 event details

    Pay particular attention to:
    - Client Address
    - Target User Name
    - Supplied Realm Name
    - Certificate Information (if Smart Card authentication is used)

    Sometimes the client is actually sending an incorrect UPN or realm.

    5. Check for duplicate UPNs

    A duplicate UPN can also cause Kerberos lookup issues.

        Get-ADUser -Filter * -Properties UserPrincipalName |
            Group-Object UserPrincipalName |
            Where-Object Count -gt 1

    6. Test with another workstation

    If the user can authenticate from another computer, the problem is likely local to the original workstation (cached credentials, Kerberos cache, DNS, or machine secure channel).

    You can also clear the Kerberos cache:

        klist purge

    or verify the secure channel:

        Test-ComputerSecureChannel -Verbose
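The checks in the reply above can be run in one pass on a domain controller. The following script is an added example, not code from the thread or from Microsoft: it pulls the account state the reply asks about, looks for duplicate UPNs, and then parses recent 4768 events with Status 0x6 to show the Target User Name, Supplied Realm Name and Client Address fields side by side. It assumes the ActiveDirectory module is installed, that it runs with rights to read the Security log, and that the `$SamAccountName` value is a placeholder you replace with the affected account.

```powershell
# Added triage example (not from the original thread). Run on each DC, because a
# 4768 event is logged only on the DC that processed that AS-REQ.
param(
    [string]$SamAccountName = 'jdoe',   # placeholder, replace with the real logon name
    [int]$Hours = 24                    # how far back to read the Security log
)

Import-Module ActiveDirectory

# 1. Account state on this DC: existence, enabled, expiry, UPN, sAMAccountName.
$props = 'Enabled', 'AccountExpirationDate', 'UserPrincipalName', 'SamAccountName',
         'LockedOut', 'PasswordExpired', 'whenChanged'
$user = Get-ADUser -Identity $SamAccountName -Properties $props -ErrorAction SilentlyContinue
if (-not $user) {
    # Missing on this DC but present elsewhere points at replication (repadmin /showrepl).
    Write-Warning "No object named '$SamAccountName' found on $env:COMPUTERNAME."
} else {
    $user | Select-Object SamAccountName, UserPrincipalName, Enabled, LockedOut,
                          PasswordExpired, AccountExpirationDate, whenChanged | Format-List
}

# 2. Duplicate UPNs anywhere in the domain (same pipeline as the reply, with the
#    colliding accounts listed). Objects with no UPN are skipped.
$dupes = Get-ADUser -Filter * -Properties UserPrincipalName |
         Where-Object UserPrincipalName |
         Group-Object UserPrincipalName |
         Where-Object Count -gt 1
if ($dupes) {
    Write-Warning 'Duplicate UPNs found:'
    $dupes | ForEach-Object { '  {0}: {1}' -f $_.Name, ($_.Group.SamAccountName -join ', ') }
}

# 3. Recent 4768 failures with Status 0x6 on this DC. The XML EventData field
#    names map to the rendered message as follows: TargetUserName = Target User
#    Name, TargetDomainName = Supplied Realm Name, IpAddress = Client Address.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.Status -eq '0x6') {
        [pscustomobject]@{
            Time           = $e.TimeCreated
            TargetUserName = $d.TargetUserName
            SuppliedRealm  = $d.TargetDomainName
            ClientAddress  = $d.IpAddress -replace '^::ffff:', ''   # strip IPv4-mapped prefix
            PreAuthType    = $d.PreAuthType
            CertIssuer     = $d.CertIssuerName                       # populated for smart card logons
        }
    }
}

# 4. Summarise one line per distinct (name, realm, client). A mistyped UPN, a
#    stale realm from a VPN/DNS mix-up, or a single noisy workstation stands out here.
$failures |
    Group-Object TargetUserName, SuppliedRealm, ClientAddress |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'Name / Realm / Client'; e = { $_.Name } },
                  @{ n = 'Last';  e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

If the Target User Name in the 0x6 events differs from the sAMAccountName and UPN printed in step 1 (for example a UPN the account no longer has, or a name in a different case from a cached credential), the client is the one sending the wrong identity and the fix belongs on the workstation; if the name matches but only one DC logs 0x6, replication between the DCs is the first thing to compare.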