Can't Login to Server; 4625 Audit Failure status 0xc0000413


  • Hi everyone,

    I'm having an issue trying to log in to a server in a domain that we have an established "Selective Authentication" trust with. The servers in this domain are configured with the "BUILT-IN\ADMINISTRATORS" group having the "Allowed to Authenticate" right enabled. We have also added another group, of which I am a member, to them with the "Allowed to Authenticate" and "Read" rights enabled. So I already know what needs to be configured to allow authentication to the specific computers.

    That all said, I can log in to all of the servers in this domain (DCs included) with the exception of the Exchange 2010 server out there (running Windows 2008 R2). The issue occurs whether I am trying to log in at the console or via RDP. All of the servers are running either Server 2008 R2 or Server 2012 R2. I used to be able to until this past Monday, and now I am not allowed to (the Authentication Firewall is referenced as the reason). The Security Log contains the following information:

    An account failed to log on.
    	Security ID:		SYSTEM
    	Account Name:		EXCHANGE01$
    	Account Domain:		SUB
    	Logon ID:		0x3e7
    Logon Type:			10
    Account For Which Logon Failed:
    	Security ID:		NULL SID
    	Account Name:		pnewell
    	Account Domain:		DOMAIN.LOCAL
    Failure Information:
    	Failure Reason:		An Error occured during Logon.
    	Status:			0xc0000413
    	Sub Status:		0x0
    Process Information:
    	Caller Process ID:	0x1308
    	Caller Process Name:	C:\Windows\System32\winlogon.exe
    Network Information:
    	Workstation Name:	EXCHANGE01
    	Source Network Address:
    	Source Port:		60837
    Detailed Authentication Information:
    	Logon Process:		User32 
    	Authentication Package:	Negotiate
    	Transited Services:	-
    	Package Name (NTLM only):	-
    	Key Length:		0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
    	- Transited services indicate which intermediate services have participated in this logon request.
    	- Package name indicates which sub-protocol was used among the NTLM protocols.
    	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    event ID 4625 Audit Failure

    I need to point out that above it states "DOMAIN.LOCAL". I always log in as "DOMAIN\pnewell" or "pnewell@DOMAIN.LOCAL" (both of which fail), never as "DOMAIN.LOCAL\". I mention this because when my RDP session fails, it brings up the login window for DOMAIN.LOCAL\pnewell instead of just DOMAIN\pnewell.

    Does anyone have any thoughts on what is going on here? Again, I can RDP into the other servers with my trusted credentials without issue; it's just the Exchange server that is blocking me (though I can log in as the local domain administrator).

    Additional information:
    My source domain (listed as "DOMAIN" above) is a single-domain forest (2008 R2 DCs with 2008 R2 Forest and Domain functional levels). The server I am trying to log in to is in the child domain (SUB) of a root domain (ROOT) in this separate forest. All DCs in this separate forest are running 2012 R2 with the forest and domain functional levels at 2012 R2.

    The only change I can think of that would have happened was that I moved the FSMO roles for the SUB domain to the DC that is local to the users (two separate sites). There was no reason to keep the FSMO roles on the DC located at my home office data center when the actual users are on a different continent (though the forest-level FSMO roles are on the root domain DC, which is located here).

    Any insight that can be provided is welcome. 
    Thanks in advance!

    Wednesday, May 07, 2014 10:35 PM
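    The two checks a defender would run for the failure described in this post, as an added example (not part of the original thread): first pull the 4625 events whose Status is 0xc0000413 (STATUS_AUTHENTICATION_FIREWALL_FAILED, the code logged when the target computer's "Allowed to Authenticate" check fails under Selective Authentication), then list which principals actually hold that extended right on the computer object. It assumes an admin host with the ActiveDirectory module and network access to the server; the server name EXCHANGE01 is taken from the log above.

    ```powershell
    # Added example, not from the original post. Assumes the ActiveDirectory module is available
    # and that the caller can read the Security log of $Server and the computer object's ACL.
    param(
      [string]$Server = 'EXCHANGE01'   # the server that logged the 4625 in the thread
    )

    # 1) 4625 audit failures with Status 0xc0000413 (STATUS_AUTHENTICATION_FIREWALL_FAILED).
    #    The Status value is stored as a lowercase hex string in the event XML, so match it as text.
    $xpath = "*[System[EventID=4625]] and *[EventData[Data[@Name='Status']='0xc0000413']]"
    Get-WinEvent -ComputerName $Server -LogName Security -FilterXPath $xpath -MaxEvents 50 -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable for readable output.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
          Time        = $_.TimeCreated
          TargetUser  = "$($d.TargetDomainName)\$($d.TargetUserName)"
          LogonType   = $d.LogonType                 # 10 = RemoteInteractive (RDP), 2 = console
          Workstation = $d.WorkstationName
          AuthPackage = $d.AuthenticationPackageName
        }
      } | Format-Table -AutoSize

    # 2) Who holds "Allowed to Authenticate" on the computer object? The right's GUID is looked up
    #    from the forest's Extended-Rights container rather than hard-coded.
    Import-Module ActiveDirectory
    $cfg   = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" `
                          -LDAPFilter '(displayName=Allowed to Authenticate)' -Properties rightsGuid
    $rightGuid = [guid]$right.rightsGuid

    $computer = Get-ADComputer -Identity $Server
    $acl      = Get-Acl -Path "AD:\$($computer.DistinguishedName)"
    $acl.Access |
      Where-Object { $_.ObjectType -eq $rightGuid -and $_.AccessControlType -eq 'Allow' } |
      Select-Object IdentityReference, InheritanceType, IsInherited |
      Format-Table -AutoSize
    ```

    If the blocked user's group is absent from the second listing on this one server but present on the servers that work, the ACE on this computer object is what changed, regardless of the FSMO move.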


  • Hi Vivian,

    Thanks, but those links don't seem to help much either. The first link (while a good find!) doesn't apply to my situation (the issue also occurs on the local console, and the RDP options are set as mentioned in the article).

    The other links pertain to Exchange itself, not the OS. My issue is with the OS.

    Again, things are working. Not the same way that they are with the other servers, but it does work.

    Wednesday, May 28, 2014 7:26 PM