Windows Server Security Event 4649

Windows Server Security Event 4649:

A replay attack was detected.

Subject:
Security ID: %1
Account Name: %2
Account Domain: %3
Logon ID: %4

Credentials Which Were Replayed:
Account Name: %5
Account Domain: %6

Process Information:
Process ID: %12
Process Name: %13

Network Information:
Workstation Name: %10

Detailed Authentication Information:
Request Type: %7
Logon Process: %8
Authentication Package: %9
Transited Services: %11

This event indicates that a Kerberos replay attack was detected- a request was received twice with identical information. This condition could be caused by network misconfiguration.

Leave a Reply

Your email address will not be published. Required fields are marked *