event ID 4625

  • Question

  • Windows Server 2012 Domain controller logging event ID 4625. Any ideas?

    Subject:
    Security ID: SYSTEM
    Account Name: Name of Server
    Account Domain: Name of Domain
    Logon ID: 0x3E7

    Logon Type: 3

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
    Account Domain:

    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC0000064

    Process Information:
    Caller Process ID: 0x2f8
    Caller Process Name: C:\Windows\System32\lsass.exe

    Network Information:
    Workstation Name: Name of Server
    Source Network Address: -
    Source Port: -

    Detailed Authentication Information:
    Logon Process: Schannel
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    Wednesday, November 30, 2016 11:51 AM

Answers

  • Hi,

    Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. But other over-the-network logons are classed as logon type 3 as well, such as most logons to IIS. As you mentioned, it isn't coming from IIS based upon your testing. Could you let me know how you performed the test? Other useful information: Security ID: NULL SID: "A valid account was not identified". Sub Status: 0xC0000064: "User name does not exist".

    In addition, please check the Workstation Name: is the authentication request being submitted by or via the domain controller itself? Based on my research, the random event 4625 with type 3 (Network) normally comes from a network share, IIS, or another third-party application. Do you have a security application running on the server, such as anti-virus software? You can perform a clean boot on the server to check whether this event is related to a third-party application:

    How to perform a clean boot in Windows

    https://support.microsoft.com/en-us/kb/929135

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by CHERRY012 Thursday, December 1, 2016 1:46 AM
    Wednesday, November 30, 2016 12:49 PM
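
An added example, not part of the original thread or of any Microsoft tool: a small Python parser for the text form of event 4625 as pasted in the question, decoding the fields the answer above points to (logon type, Sub Status, the blank target account, and whether the Workstation Name is the logging server itself). The host name DC01, its machine account DC01$, and the function names are assumptions made for the illustration.

```python
SECTIONS = {"Subject", "Account For Which Logon Failed", "Failure Information",
            "Process Information", "Network Information",
            "Detailed Authentication Information"}
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE", 0xC0000064: "STATUS_NO_SUCH_USER"}
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

# Constructed sample: the event from the question, trimmed, with the redacted
# names replaced by the made-up host DC01 (machine account DC01$).
SAMPLE = """Subject:
  Account Name: DC01$

Logon Type: 3

Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name:

Failure Information:
  Sub Status: 0xC0000064

Network Information:
  Workstation Name: DC01
  Source Network Address: -
"""

def parse_4625(text):
    """Return {(section, field): value}; a blank line ends the current section."""
    fields, section = {}, ""
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep:
            section = ""                    # blank line: back to top level
        elif key in SECTIONS and not value:
            section = key                   # header such as "Subject:"
        else:
            fields[(section, key)] = value  # "Account Name:" is kept as ""
    return fields

def summarise(fields):
    failed, net = "Account For Which Logon Failed", "Network Information"
    sub = int(fields[("Failure Information", "Sub Status")], 16)
    host = fields[("Subject", "Account Name")].rstrip("$").lower()
    return {
        "logon_type": LOGON_TYPES.get(int(fields[("", "Logon Type")]), "other"),
        "sub_status": NTSTATUS.get(sub, hex(sub)),
        "target_account_logged": bool(fields[(failed, "Account Name")]),
        "same_host": fields[(net, "Workstation Name")].lower() == host,
        "source_address": fields[(net, "Source Network Address")],
    }
```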

All replies

  • ok, I will check and report back if the issue persists. Thanks!
    Thursday, December 1, 2016 1:47 AM
  • Hi,

    Feel free to post back if there are any further questions.

    Best Regards,

    Alvin Wang


    Thursday, December 1, 2016 5:31 AM