Kerberos TGT (4768) granted while logon fails 4625

%3CLINGO-SUB%20id%3D%22lingo-sub-2493830%22%20slang%3D%22en-US%22%3EKerberos%20TGT%20(4768)%20granted%20while%20logon%20fails%204625%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2493830%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%20needs%20some%20guidance.%20Have%20a%20svc%20account%20where%20the%20logon%20fails%20with%20a%204625%20%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EFailure%20Reason%3A%20The%20user%20has%20not%20been%20granted%20the%20requested%20logon%20type%20at%20this%20machine.%3CBR%20%2F%3EStatus%3A%200xC000015B%3CBR%20%2F%3ESub%20Status%3A%200x0%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20sub-status%20says%20OK%3F!!%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%2C%20the%204768%20(TGT)%20is%20granted!%26nbsp%3B%3C%2FP%3E%3CP%3E%22Additional%20Information%3A%3CBR%20%2F%3ETicket%20Options%3A%200x40810010%3CBR%20%2F%3EResult%20Code%3A%200x0%3CBR%20%2F%3E'If%20TGT%20issue%20fails%20then%20you%20will%20see%20Failure%20event%20with%20Result%20Code%20field%20not%20equal%20to%20%E2%80%9C0x0%E2%80%9D'%3CBR%20%2F%3ETicket%20Encryption%20Type%3A%200x12%3CBR%20%2F%3EPre-Authentication%20Type%3A%202%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ecan%20someone%20please%20lift%20the%20fog%20of%20confusion%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHow%20can%20a%20service%20account%20get%20a%20tgt%20(and%20a%20tgs)%20when%20the%20login%20is%20declined%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Regular Visitor

Hi, needs some guidance. Have a svc account where the logon fails with a 4625 :

 

Failure Reason: The user has not been granted the requested logon type at this machine.
Status: 0xC000015B
Sub Status: 0x0

 

The sub-status says OK?!!?

 

Also, the 4768 (TGT) is granted! 

"Additional Information:
Ticket Options: 0x40810010
Result Code: 0x0
'If TGT issue fails then you will see Failure event with Result Code field not equal to “0x0”'
Ticket Encryption Type: 0x12
Pre-Authentication Type: 2"

 

can someone please lift the fog of confusion?

 

How can a service account get a tgt (and a tgs) when the login is declined?

 

Thank you

 

0 Replies