Sample Analysis Report

Windows / AD access denied

ACCESS · windows_ad · kerberos · ldap · policy · SAMPLE

Confidence: HIGH (sample assessment)

Suspected Issue

Authentication and authorization evidence point to multiple access-layer problems

3 findings

What this is

This is an example report using sample evidence. It shows the kind of output AccessTrace generates after a user analyzes their own redacted evidence.

Technical Findings

What AccessTrace would flag

1. Kerberos pre-authentication failure pattern detected

MEDIUM · MEDIUM confidence

The evidence includes Kerberos pre-authentication failure indicators, often associated with stale credentials, wrong password material, or account synchronization timing.

Recommended remediation

Collect klist output, confirm the user can obtain a fresh TGT, and retest after full sign-out/sign-in.

Sample evidence
  • Event ID 4768 detected
  • Result Code 0x18 detected

2. Possible Kerberos SPN mismatch or missing SPN

HIGH · HIGH confidence

The evidence suggests the service ticket request may be failing because the HTTP SPN is missing or registered to an old hostname.

Recommended remediation

Run setspn -Q for the exact service hostname, check duplicate SPNs, and align the app URL with the service account SPN.

Sample evidence
  • Service Name: HTTP/finance-app.example.edu
  • No such SPN found: HTTP/finance-app.example.edu

3. Authorization denied due to missing group

HIGH · HIGH confidence

The app authorization log indicates the user authenticated but was denied because the expected AD group was missing.

Recommended remediation

Confirm required group, current memberOf values, nested-group handling, and whether the user refreshed their session after group changes.

Sample evidence
  • Required group: Finance-App-Users
  • Observed groups: Finance-App-ReadOnly, VPN-Users

Sample Generated Report

Troubleshooting narrative

Executive Summary

The Windows/AD evidence suggests several access-layer issues: stale credential signs, possible Kerberos SPN misconfiguration, and missing application authorization group membership.

Most Likely Root Cause

The user may be hitting both authentication and authorization problems. Kerberos evidence points to possible SPN or stale credential issues, while application logs indicate the user lacks the required AD group.

Recommended Next Step

Collect klist output, setspn query results, current AD memberOf values, and application authorization logs around the failed timestamp.