Suspected Golden Ticket usage (nonexistent account) from Mac Machines ( monterey beta)

Copper Contributor

recently we started seeing "Suspected Golden Ticket usage (nonexistent account)" alerts from Mac machines which running on monterey beta version. 

 

Based on our investigation this getting triggered when user tries to authenticate using enterprise connect on monterey OS. username SOMEDOMAIN.COM\WELLKNOWN/ANONYMOUS@SOMEDOMAIN.COM

 

Anyone else experiencing this.? 

 

 

 

 

2 Replies
We are seeing this in our environment as well. Trying to get guidance from Microsoft on the proper course of action. This WELLKNOWN principal appears to be used for Anonymous PKINIT according to the K5 Wiki (https://k5wiki.kerberos.org/wiki/Anonymous_kerberos)