Premises: in Azure virtual network gateway, using the point-to-site configuration, I set up a VPN connection using Azure certificate as the authentication type. Certificates are generated locally and installed on a Windows box; their names are P2SRootCert and P2SChildCert. I downloaded the VPN client from Azure and installed it on the Windows box (which is connected to a domain controller).
As expected, the VPN connection works correctly; however, the Windows Security Event category on the domain controller gets flooded with 4768: A Kerberos authentication ticket (TGT) was requested. Stopping the VPN connection stops the above events; the frequency is one event every 30-50 seconds. The request uses the generated X509N:<S>CN=P2SClientCert username derived from the client certificate and it is obviously failing with the "Bad username" status 0x6.
Here is a sample of the offending event (slightly edited for brevity and anonymity; 192.168.50.64 is my computer's local IP address on the NIC connected to the DC):
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4768</EventID>
...
<Channel>Security</Channel>
<Computer>DC01.mydomain.com</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">X509N:<S>CN=P2SClientCert</Data>
<Data Name="TargetDomainName">MYDOMAIN.COM</Data>
<Data Name="TargetSid">S-1-0-0</Data>
<Data Name="ServiceName">krbtgt/MYDOMAIN.COM</Data>
<Data Name="ServiceSid">S-1-0-0</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x6</Data>
<Data Name="TicketEncryptionType">0xffffffff</Data>
<Data Name="PreAuthType">-</Data>
<Data Name="IpAddress">::ffff:192.168.50.64</Data>
<Data Name="IpPort">51683</Data>
<Data Name="CertIssuerName" />
<Data Name="CertSerialNumber" />
<Data Name="CertThumbprint" />
</EventData>
</Event>
Question: How can I stop the events from happening?
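The following PowerShell is an added example, not part of the question above and not Microsoft's or Azure's code. It shows how to triage the pattern described in the post: 4768 events whose TargetUserName is a certificate subject-name mapping identity (the X509N:<S> form) and whose Status is 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN, the "client principal unknown" result that Event Viewer labels "Bad username"), summarised per source IP so you can confirm that a single VPN client is the source before deciding what to change. The function names and the $SampleEvent4768 string are this example's own; the sample is modelled on the event in the question.

```powershell
# Added example (not from the question): parse 4768 events and report the
# certificate-mapped (X509N:<S>...) TGT requests that fail with status 0x6,
# grouped by source IP and mapped name. Function names are this example's own.

# Constructed sample, modelled on the event in the question. In real
# EventLogRecord.ToXml() output the angle brackets in X509N:<S>CN=... are
# escaped as &lt;S&gt;; Event Viewer only renders them unescaped.
$SampleEvent4768 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4768</EventID>
    <Channel>Security</Channel>
    <Computer>DC01.mydomain.com</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">X509N:&lt;S&gt;CN=P2SClientCert</Data>
    <Data Name="TargetDomainName">MYDOMAIN.COM</Data>
    <Data Name="TargetSid">S-1-0-0</Data>
    <Data Name="ServiceName">krbtgt/MYDOMAIN.COM</Data>
    <Data Name="Status">0x6</Data>
    <Data Name="PreAuthType">-</Data>
    <Data Name="IpAddress">::ffff:192.168.50.64</Data>
    <Data Name="IpPort">51683</Data>
  </EventData>
</Event>
'@

function ConvertFrom-Event4768 {
    # Flatten one 4768 event's XML into an object; returns $null for other IDs.
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    if ([string]$x.Event.System.EventID -ne '4768') { return $null }
    $fields = @{}
    foreach ($d in $x.Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        Computer       = [string]$x.Event.System.Computer
        TargetUserName = $fields['TargetUserName']
        Status         = $fields['Status']
        PreAuthType    = $fields['PreAuthType']
        # Strip the IPv4-mapped IPv6 prefix the KDC logs for IPv4 clients.
        IpAddress      = ($fields['IpAddress'] -replace '^::ffff:', '')
    }
}

function Test-CertMappedTgtFailure {
    # True when the TGT request named a certificate subject-name mapping
    # identity (X509N:<S>...) and the KDC answered 0x6 (client principal
    # unknown): the pattern the VPN client produces in the question.
    param([Parameter(Mandatory)]$Event4768)
    ($Event4768.TargetUserName -like 'X509N:<S>*') -and ($Event4768.Status -eq '0x6')
}

function Get-CertMappedTgtFailureSummary {
    # Query a DC's Security log for 4768 events since $Since and summarise
    # the matching failures per source IP and mapped name.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4768; StartTime = $Since
    } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-Event4768 -EventXml $_.ToXml() } |
        Where-Object { $_ -and (Test-CertMappedTgtFailure $_) } |
        Group-Object IpAddress, TargetUserName |
        Select-Object Count,
            @{ n = 'IpAddress';      e = { $_.Group[0].IpAddress } },
            @{ n = 'TargetUserName'; e = { $_.Group[0].TargetUserName } }
}

# Offline check against the constructed sample (no DC needed).
$parsed = ConvertFrom-Event4768 -EventXml $SampleEvent4768
"{0}: {1} from {2}, matches pattern = {3}" -f $parsed.Computer,
    $parsed.TargetUserName, $parsed.IpAddress, (Test-CertMappedTgtFailure $parsed)
```

Run Get-CertMappedTgtFailureSummary -ComputerName DC01 on a DC-joined admin host to see how many of the last hour's 4768 failures come from each IP and mapped name; a single IP generating one failure every 30-50 seconds, all with PreAuthType "-" and Status 0x6, corroborates the VPN client as the source rather than a spraying attempt against real accounts.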