Forum Discussion
Osama_Salah
Jan 17, 2025
Copper Contributor
Suspected identity theft (pass-the-ticket) when switching LAN/WiFi
Hi,
I see this alert "Suspected identity theft (pass-the-ticket)" when a user switches from LAN to WiFi or back.
The laptop's DNS record has both IP addresses. I'm guessing Defender still thinks a different device is using the same Kerberos ticket.
How do you deal with that? Can you tune the alert somehow so that it doesn't keep alerting?
Jan 16, 2025 4:15 PM
This Kerberos ticket was first observed on 1/16/25 4:15 PM on [Device Name] (Laptop IP1).
Jan 16, 2025 4:57 PM - Jan 16, 2025 4:57 PM
[Username] accessed [Server Name] (CIFS) from [Server IP] (Laptop IP2).
Thanks for your support
- EliOfek
Microsoft
This usually happens when NNR is blocked or partially blocked (ports not accessible or device is behind NAT).
I suggest opening a support ticket, and the support team will know how to guide you and check what the problem is and what needs to be done to fix it.