Event ID: 4625 NULL SID Error

  • Question

  • I got this error after installing Windows update KB3000850 on my Windows 2012 R2 server

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          12/03/2015 2:10:56 PM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      COMPUTERNAME.DOMAIN.COM
    Description:
    An account failed to log on.

    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

    Logon Type: 3

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: USERNAME
    Account Domain: DOMAINNAME

    Failure Information:
    Failure Reason: An Error occured during Logon.
    Status: 0xC000006D
    Sub Status: 0x0

    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

    Network Information:
    Workstation Name: COMPUTERNAME
    Source Network Address: X.X.X.X
    Source Port: 49576

    Detailed Authentication Information:
    Logon Process: NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4625</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2015-03-12T06:10:56.555991200Z" />
        <EventRecordID>780087</EventRecordID>
        <Correlation />
        <Execution ProcessID="640" ThreadID="3328" />
        <Channel>Security</Channel>
        <Computer>COMPUTERNAME.DOMAIN.COM</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="TargetUserSid">S-1-0-0</Data>
        <Data Name="TargetUserName">USERNAME</Data>
        <Data Name="TargetDomainName">DOMAINNAME</Data>
        <Data Name="Status">0xc000006d</Data>
        <Data Name="FailureReason">%%2304</Data>
        <Data Name="SubStatus">0x0</Data>
        <Data Name="LogonType">3</Data>
        <Data Name="LogonProcessName">NtLmSsp </Data>
        <Data Name="AuthenticationPackageName">NTLM</Data>
        <Data Name="WorkstationName">COMPUTERNAME</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x0</Data>
        <Data Name="ProcessName">-</Data>
        <Data Name="IpAddress">X.X.X.X</Data>
        <Data Name="IpPort">49576</Data>
      </EventData>
    </Event>

    After the updates I encounter these issues:

    1) On a domain computer, I am unable to open the share using \\serveripaddress; the login dialog asking for the network password pops up with "logon failure: unknown username or bad password", and the event ID 4625 audit failure above is generated in the server event logs.

    But the share can be opened successfully using \\servercomputername.


    2) The server hosts a Hyper-V machine; Windows update KB3000850 caused logon issues through Remote Desktop.

    The above issues occurred after installing Windows update KB3000850. Is anyone having the same issues?

    I can't find any solution; it works fine after uninstalling Windows update KB3000850...

    

    Friday, March 13, 2015 2:19 AM

Answers

  • By the grace of God stumbled on the solution.  KB3002657 was installed on the domain controllers recently - removing that update solved it!


    • Proposed as answer by MSchaper Friday, March 13, 2015 1:03 PM
    • Marked as answer by weiherd Tuesday, March 17, 2015 2:53 AM
    Friday, March 13, 2015 6:44 AM
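
Added example, not part of the original thread: a triage filter for exported Security event XML that picks out the signature in the question's event (4625, logon type 3, NTLM, NULL SID, Status 0xC000006D with SubStatus 0x0) and counts hits per source address and account. The function names and the trimmed sample event are constructed for illustration; an ordinary bad-password failure carries SubStatus 0xC000006A and is deliberately not matched.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the question's event trimmed to the fields used here,
# with the poster's placeholders (USERNAME, X.X.X.X) kept as posted.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><Computer>COMPUTERNAME.DOMAIN.COM</Computer></System>
  <EventData>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">USERNAME</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="IpAddress">X.X.X.X</Data>
  </EventData>
</Event>"""

def parse_event(xml_text):
    """Return the EventID plus every named EventData field as a flat dict."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS)}
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name")] = (data.text or "").strip()
    return fields

def matches_thread_signature(ev):
    """True for a 4625 NTLM network logon failure with a generic status and no sub-status."""
    return (ev.get("EventID") == "4625"
            and ev.get("LogonType") == "3"
            and ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("TargetUserSid") == "S-1-0-0"
            and int(ev.get("Status", "0"), 16) == 0xC000006D
            and int(ev.get("SubStatus", "0"), 16) == 0x0)

def summarize(xml_events):
    """Count signature matches per (source address, target account)."""
    hits = Counter()
    for text in xml_events:
        ev = parse_event(text)
        if matches_thread_signature(ev):
            hits[(ev.get("IpAddress"), ev.get("TargetUserName"))] += 1
    return hits
```

A sudden spread of matches across many accounts and source addresses points at a server-side or domain-wide cause rather than individual mistyped passwords.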

All replies

  • I'm having the same problem, just started yesterday.  From my Win7 machine I can remote into Win2003 server but not Win2008.  Happening consistently on multiple servers.

    I've rolled back my Win7 machine to end of Feb. and no luck.

    Weird thing is if I remote into a Win2008 server from a Win2003 server it works.  And then I can also remote into that same server from my Win7 machine.  But only works if a logon session already exists for my user ID.

    Friday, March 13, 2015 3:48 AM
  • I had this same issue after the March 10 2015 updates. Mine is a Windows 2003 domain and a 2008 R2 terminal server. No one was able to log in to the terminal server.

    The only option that worked for me was uninstalling the update KB3002657 - This fixed

    This did not work for me:

    >> Computer Configuration >> Windows Settings >> Local Policies >> Security Options >> Network Security: LAN Manager authentication level >> Send LM & NTLM responses


    • Edited by BN04 Friday, March 13, 2015 1:25 PM
    • Proposed as answer by DRD4 Friday, March 13, 2015 1:34 PM
    Friday, March 13, 2015 1:21 PM
  • By the grace of God stumbled on the solution.  KB3002657 was installed on the domain controllers recently - removing that update solved it!


    By the grace of God indeed- thank you so much.

    My outside users who went through our firewall to network shares, and logged in with a local AD account, lost connectivity. So did we for RDP 'ing into our PCs over the VPN. It would say invalid password for all. Rolling back this update on both of my domain controllers worked like a charm!!!

    I googled

    NULL SID 

    0xC000006D

    Putting that here so that others may stumble upon this gem of a save too.

    • Edited by RnRFun Friday, March 13, 2015 7:55 PM
    Friday, March 13, 2015 7:51 PM
  • Thank you! Yanking 30002657 worked for one of my clients too. AD is a 2003 server, terminal server is 2008 R2. RDP would work with the admin account, but not the users.

    It was also affecting SQL authentications. When running the ODBC connection wizard, we would get:

    Connections failed:
    SQLState: '28000'
    SQL Server Error: 18452
    [Microsoft][SQL Native Client][SQL Server]Login failed for user ''. The user is not associated with a trusted SQL Server connection.

    Note that after user there is no user name listed, only two single-quotes.

    EDIT: The SQL instance was already set for Mixed Mode Authentication, which further hindered the diagnosis.


    • Edited by JRBlood Friday, March 13, 2015 9:06 PM
    Friday, March 13, 2015 8:38 PM
  • Hi,

    I can confirm that the solution posted by maximtech solved the problem.
    KB3002657 definitely is the culprit. Thank you very much!

    As an additional question, does someone know how I can disable a single update from being installed automatically? Atm I was forced to disable automatic install of updates due to the bug in KB3002657.

    Take care,
    Martin

    Monday, March 16, 2015 7:43 AM
  • I reinstalled KB3000850 and uninstalled KB3002657; this worked for me, thanks
    Tuesday, March 17, 2015 2:55 AM
  • The version 2 of the update worked for me after uninstalling the original, BTW
    Wednesday, March 18, 2015 1:19 PM
  • I've been searching for a week.  Thanks for tracking this down and posting the answer.  Removing KB3002657 did the trick for me.
    Wednesday, March 25, 2015 10:58 PM
  • Hi Guys,

    Here is a similar thread below which contains another workaround for you:

    Active Directory Won't Authenticate to anything! Help!
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/d39d0e4d-41e5-4979-bf43-1c54700c3e6f/active-directory-wont-authenticate-to-anything-help?forum=winserverDS

    Best Regards,

    Amy



    Monday, March 30, 2015 3:17 AM
  • Thank you.  Worked like a champ.

    Plaid

    Wednesday, June 10, 2015 12:17 PM