In my organization, we use a domain service account for our agent's "Set Credential". We've recently noticed that we've got an extremely high number of Kerberos authentications for this service account on the DCs. The logs are maxing out in under an hour, and we've got 2000+ endpoints.
This is something that we've just noticed. My question is mostly about when the agent uses the credential. Is it for any procedure that it runs (Audit/KSDU/Patch Scan, etc.)? Or do only certain procedures use the credential set?
We're just trying to get to the bottom of it.
Thanks for any insight!
Can you tell if it happens at any specific time, what the number of authentication requests per computer is, and if it is coming from any specific computer in the network?
It could be that one of the procedures is stuck in a loop or has a high re-occurring rate.
Once you have identified a machine, you could look at the "Pending Procedure" for that computer and see if any of the pending procedures have a high re-occurring rate.
Same thing for me: logs are filled in an hour, 200000 requests on one domain controller for Kerberos auth, and some computers doing 10 Kerberos authentication requests each second. Will take a look for a stuck procedure.
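The per-computer and per-time counts asked for in the reply above can be pulled from a domain controller's Security log. This is an added example, not part of the original thread or of the agent vendor's tooling; it assumes Kerberos ticket auditing is enabled (events 4768 and 4769), and `svc-agent` is a placeholder account name.

```powershell
# Added example: tally Kerberos ticket requests for one account on a DC.
# Run in an elevated PowerShell session on the domain controller.
param(
    [string]$Account = 'svc-agent',   # placeholder: the "Set Credential" account
    [int]$Minutes    = 60             # look-back window
)

$filter = @{
    LogName   = 'Security'
    Id        = 4768, 4769            # TGT request, service ticket request
    StartTime = (Get-Date).AddMinutes(-$Minutes)
}

$rows = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # 4768 logs "user", 4769 logs "user@REALM": compare on the part before '@'
    if ((($data['TargetUserName'] -split '@')[0]) -ieq $Account) {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Source  = $data['IpAddress'] -replace '^::ffff:', ''
            Service = $data['ServiceName']
        }
    }
})
if ($rows.Count -eq 0) { Write-Warning "No 4768/4769 events for $Account"; return }

# The log may wrap inside the window, so rate is based on the span actually retained
$span    = $rows | Measure-Object -Property Time -Minimum -Maximum
$seconds = [math]::Max(1, ($span.Maximum - $span.Minimum).TotalSeconds)

'Top sources (which computers):'
$rows | Group-Object Source | Sort-Object Count -Descending |
    Select-Object -First 20 @{n='Source'; e={$_.Name}}, Count,
        @{n='PerSecond'; e={[math]::Round($_.Count / $seconds, 2)}} | Format-Table

'Requests per minute (any specific time):'
$rows | Group-Object { $_.Time.ToString('yyyy-MM-dd HH:mm') } | Sort-Object Name |
    Select-Object @{n='Minute'; e={$_.Name}}, Count | Format-Table

'Services requested (4769 shows what the account is authenticating to):'
$rows | Group-Object Service | Sort-Object Count -Descending |
    Select-Object -First 10 @{n='Service'; e={$_.Name}}, Count | Format-Table
```

The source addresses at the top of the first table are the endpoints whose pending procedures are worth checking first.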