Audit Failure - Event 4625

  • Question

  • I am getting thousands of these failures a day. Any thoughts on what could be causing it?

    An account failed to log on.
    
    Subject:
    	Security ID:		SYSTEM
    	Account Name:		MSG-SERVER$
    	Account Domain:		MSG-NET
    	Logon ID:		0x3e7
    
    Logon Type:			3
    
    Account For Which Logon Failed:
    	Security ID:		NULL SID
    	Account Name:		
    	Account Domain:		
    
    Failure Information:
    	Failure Reason:		Unknown user name or bad password.
    	Status:			0xc000006d
    	Sub Status:		0xc0000064
    
    Process Information:
    	Caller Process ID:	0x1f0
    	Caller Process Name:	C:\Windows\System32\lsass.exe
    
    Network Information:
    	Workstation Name:	MSG-SERVER
    	Source Network Address:	-
    	Source Port:		-
    
    Detailed Authentication Information:
    	Logon Process:		Schannel
    	Authentication Package:	Kerberos
    	Transited Services:	-
    	Package Name (NTLM only):	-
    	Key Length:		0
    
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    
    The Process Information fields indicate which account and process on the system requested the logon.
    
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    
    The authentication information fields provide detailed information about this specific logon request.
    	- Transited services indicate which intermediate services have participated in this logon request.
    	- Package name indicates which sub-protocol was used among the NTLM protocols.
    	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    Wednesday, February 19, 2014 3:19 PM

All replies

  • Do you have anything attempting to connect to an SSL based website on your server, or, is your server attempting to connect to an SSL based website?

    Usually an SChannel error will be something like that.

    Can you check in IIS that all the websites that have a binding for HTTPS have a certificate assigned?


    Robert Pearman SBS MVP
    itauthority.co.uk

    • Proposed as answer by Justin Gu Friday, February 21, 2014 6:04 AM
    • Marked as answer by Justin Gu Tuesday, March 4, 2014 10:32 AM
    Wednesday, February 19, 2014 8:11 PM
  • Robert,

    Thanks for your response. You'll have to excuse me because I am pretty green when it comes to working in a server environment. I am not sure how to check if I have anything attempting to connect to an SSL based website. As for the bindings, I believe I was able to go in and look at each of those and they did have valid certificates installed.

    Thanks for your help. Any further help would be greatly appreciated.

    Thursday, February 20, 2014 3:03 AM
  • Do you have any third party software installed on the server?

    Anything else enabled on the server like WSUS?


    Robert Pearman SBS MVP
    itauthority.co.uk

    Thursday, February 20, 2014 11:06 AM
  • May this hotfix be helpful...

    http://support.microsoft.com/default.aspx?scid=kb;en-us;2157973

    Best,

    Howtodo

    Thursday, February 20, 2014 4:59 PM
  • Hi,

    Would you please let me confirm if this event occurred in SBS 2011 Essentials, or other Windows Server environment?

    I suggest that you refer to the following article first. It will help you to understand this event 4625 better.

    Description Fields in 4625

    Please use the antivirus to scan and make sure all the machines are well protected. Meanwhile, please refer to the following solved question and check if it can help you to solve this issue.

    Loopback Security Check Feature IIS 7

    http://blogs.msdn.com/b/jiruss/archive/2008/10/21/loopback-security-check-feature-iis-7.aspx

    Hope this helps.

    Best regards,

    Justin Gu

    • Marked as answer by Justin Gu Tuesday, March 4, 2014 10:32 AM
    Friday, February 21, 2014 6:04 AM
  • Same issue on Server 2012 R2 Essentials.

    You can create the audit failure on demand by simply opening the Dashboard.

    Must be a bug.

    Wednesday, December 3, 2014 9:54 PM
  • It's happening to me on Server 2012 R2 w/ Essentials role.  As you said, it will generate (in addition to the many other times) by opening the Dashboard.  Any solution?

    Charles H. Rube Creative Technology Designs

    Tuesday, June 16, 2015 4:26 AM
  • We have run into this same issue at multiple client sites when Windows Server Essentials is installed or used. We found a scheduled task named Alert Evaluations under Windows Server Essentials that was running every 30 minutes and generating the errors in the event logs. I suspect it somehow cached credentials from when the role was added to the server, so perhaps clearing out any cached credentials may also fix this issue. Disabling the Alert Evaluations task in Task Scheduler resolved the problem for us in several cases.
    Friday, July 8, 2016 4:15 PM
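
One way to test the scheduled-task explanation in the reply above against the Security log, as an added example that is not part of the original thread: it groups the 4625 events by the fields shown in the question, lists when the matching failures occur, and shows the run times of the task the reply names. The 24-hour window is an assumption; the task name is taken from the reply.

```powershell
# Added example. Run elevated on the server that logs the failures.
$since = (Get-Date).AddDays(-1)   # assumption: 24-hour look-back

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # EventData holds <Data Name="...">value</Data> elements; index them by name.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        TimeCreated   = $e.TimeCreated
        LogonType     = $d['LogonType']
        LogonProcess  = ([string]$d['LogonProcessName']).Trim()  # value is often space-padded
        AuthPackage   = $d['AuthenticationPackageName']
        SubStatus     = $d['SubStatus']
        TargetUser    = $d['TargetUserName']
        CallerProcess = $d['ProcessName']
        SourceAddress = $d['IpAddress']
    }
}

# 1. Which field combinations account for the volume?
$rows | Group-Object LogonProcess, AuthPackage, SubStatus, CallerProcess |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# 2. Failures matching the question: Schannel, sub status 0xc0000064
#    (the account name does not exist), blank target account.
$match = $rows | Where-Object {
    $_.LogonProcess -eq 'Schannel' -and $_.SubStatus -eq '0xc0000064' -and
    [string]::IsNullOrEmpty($_.TargetUser)
}
# Per-minute counts: a fixed cadence is consistent with a scheduled job.
$match | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:mm') } |
    Sort-Object Name | Select-Object Name, Count | Format-Table -AutoSize

# 3. Compare with the run times of the task named in the reply.
Get-ScheduledTask -TaskName 'Alert Evaluations' -ErrorAction SilentlyContinue |
    Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, NextRunTime | Format-Table -AutoSize
```

If the first table shows other combinations, such as a different logon process or a populated source address, those failures are a separate pattern from the one in this thread and need their own review.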
  • We are experiencing the same issue with EVERY Windows Server Essentials box (or Server Standard w/the Essentials role) we've installed.  Clearly this is a bug.  Does anyone know if Microsoft is going to fix this?

    --
    Schyler D. Jones
    MiradorIT/SDJ Computer Solutions
    schyler.jones@miradorit.com

    Thursday, November 3, 2016 7:41 PM