There are many reasons to enable “Kerberos service ticket operations” auditing on the member computer. Some of them are listed below.
- To verify that users and services are authenticating correctly
- Unauthorized attempts detection
- Regulatory frameworks and security standards, such as PCI-DSS or NIST, require the auditing of authentication events for compliance
- Troubleshooting Kerberos authentication problems
- Compliance requirement
This also supports forensic ingestion if an incident occurs within the organization.
In this article you will learn how to enable auditing of Kerberos service ticket operations, step by step.
Open Group Policy Object and create an unconfigured group policy under the “Group Policy Objects” section. Select the policy you just created, right-click it, and choose Edit.

Here you are configuring this policy for computers, so go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Logon

Double-click “Audit Kerberos Service Ticket Operations”, select “Configure the following audit events”, check both Success and Failure, and click OK.

Verify again that the changes were made properly, as shown in the image below.

The policy has been configured; now you need to link this newly configured group policy to the desired OU.
Right-click your desired OU and click “Link an Existing GPO”.

Select your GPO “Enable audit Kerberos service ticket operations is set to success and failure”.

Once the linking is done in the Group Policy blade, open a command prompt and run gpupdate on your domain controller. After a few minutes the policy will be applied to the computers within the specified OU.
Open cmd as a privileged user on your member computer and run the command below to check whether the policies have been applied.
gpresult /r /scope computer
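gpresult confirms that the GPO reached the computer; the script below, an added example that is not part of the original article, reads the effective setting of the subcategory itself with auditpol and compares it with the Success and Failure value configured above. It assumes an elevated PowerShell session and English subcategory names; `Test-AuditSetting` is a hypothetical helper name and the sample rows are constructed.

```powershell
# Added example: confirm the effective audit setting on the member computer.
# Assumes an elevated PowerShell prompt and English-language subcategory names.
$Subcategory = 'Kerberos Service Ticket Operations'

function Test-AuditSetting {
    # Hypothetical helper: parses the CSV produced by "auditpol ... /r" and
    # compares the Inclusion Setting column with the value the GPO should set.
    param(
        [string[]]$CsvLines,
        [string]$Name,
        [string]$Expected = 'Success and Failure'
    )
    $rows = $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv
    $row  = $rows | Where-Object { $_.Subcategory -eq $Name } | Select-Object -First 1
    if (-not $row) { throw "Subcategory '$Name' not found in auditpol output." }
    [pscustomobject]@{
        Computer  = $row.'Machine Name'
        Setting   = $row.'Inclusion Setting'
        Compliant = ($row.'Inclusion Setting' -eq $Expected)
    }
}

# Constructed sample in the auditpol /r layout (placeholder GUID): a computer
# where only Success is audited must be reported as non-compliant.
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'PC01,System,Kerberos Service Ticket Operations,{00000000-0000-0000-0000-000000000000},Success,'
)
if ((Test-AuditSetting -CsvLines $sample -Name $Subcategory).Compliant) {
    throw 'Parser self-check failed.'
}

# Live check against the local computer.
$live = auditpol.exe /get /subcategory:"$Subcategory" /r
if ($LASTEXITCODE -ne 0) { throw 'auditpol failed; run this from an elevated prompt.' }
Test-AuditSetting -CsvLines $live -Name $Subcategory

# Subcategory settings can be overridden by legacy category-level audit policy
# unless "Audit: Force audit policy subcategory settings" is enabled (value 1).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1; legacy audit policy may override subcategories.'
}
```

A `Compliant` value of `False` after gpupdate usually means the GPO is not linked to the OU that contains the computer, or another policy is overriding the subcategory.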
Conclusion!!
In this article you learned how and why to configure “Kerberos service ticket operations” on the member computer. In the next article you will learn how to audit removable storage for the domain member computers.