Audit Failure 4625 with no details for troubleshooting

  • Question

  • For the past few months I've been experiencing a lot of Event ID 4625 events on my Exchange 2013 CU23. They're occurring at a rate of roughly 3-5 per minute every couple of minutes. It's driving me nuts and filling my security log, which means my logs fill up and truncate, leaving me with less than 24 hours based on current configurations.

    I'm posting here because I have exhausted Google, Microsoft forums, Spiceworks, etc. I feel confident saying I've read just about every other issue but I can't find one that matches my description with a functioning resolution.

    I found this person who has the same issue, but when I tried the recommended fixes they didn't resolve it for me:

    I've created or checked the following:

    • KB3002657 is NOT installed on any of my DCs
    • Rebooted (of course)
    • Created the following registry keys: DisableStrictNameChecking & BackConnectionHostNames
    • Modified local GPO for LAN Manager Authentication Level = Send NTLMv2 response only. Refuse LM & NTLM (have not rebooted since making this change 30 minutes ago)
    • Evaluated events before and following the Event 4625 but found no evidence to steer me in any direction
    • Disabled AV 
    • Verified scheduled tasks are running properly (they're using the domain admin account)
    • No Windows services are running as a user account

    I'm here because I'm at a loss and don't know where else to turn.

    Output from Event Details:

    An account failed to log on.

    Subject:
        Security ID:                NULL SID
        Account Name:               -
        Account Domain:             -
        Logon ID:                   0x0

    Logon Type:                     3

    Account For Which Logon Failed:
        Security ID:                NULL SID
        Account Name:
        Account Domain:

    Failure Information:
        Failure Reason:             An Error occured during Logon.
        Status:                     0xC000006D
        Sub Status:                 0x80090325

    Process Information:
        Caller Process ID:          0x0
        Caller Process Name:        -

    Network Information:
        Workstation Name:           -
        Source Network Address:     -
        Source Port:                -

    Detailed Authentication Information:
        Logon Process:              Schannel
        Authentication Package:     Microsoft Unified Security Protocol Provider
        Transited Services:         -
        Package Name (NTLM only):   -
        Key Length:                 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    [ Name] Microsoft-Windows-Security-Auditing
    [ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
    [ SystemTime] 2019-09-19T13:27:21.225365000Z
    [ ProcessID] 660
    [ ThreadID] 5208
    [ AuthenticationPackageName] Microsoft Unified Security Protocol Provider

    Thursday, September 19, 2019 1:31 PM
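  • Editor's note (added to this thread, not part of the original post). The event above is not an NTLM or Kerberos failure at all: Logon Process "Schannel" with Authentication Package "Microsoft Unified Security Protocol Provider" means the failed logon is a TLS client-certificate authentication handled by Schannel, and Sub Status 0x80090325 is SEC_E_UNTRUSTED_ROOT (the client presented a certificate that chains to a CA this server does not trust). That is why the NTLM-centric fixes listed in the question (LAN Manager authentication level, KB3002657, BackConnectionHostNames) cannot affect it. Schannel-generated 4625 events leave the Subject and Network Information fields blank, so the source has to be found from the TLS side rather than from the event itself. The script below is an added example, not code from the thread: it pulls recent Schannel 4625 events from the Security log, decodes the Sub Status, and lines each one up with Schannel events in the System log (36874/36887/36888) that fired within a few seconds, since those carry the TLS alert code even when the 4625 does not. The 24-hour lookback and the 5-second correlation window are assumptions; the event IDs and hex codes are standard Windows values.

```powershell
# Added example: correlate Schannel-sourced 4625 events with Schannel System-log events.
# Assumptions: run elevated on the Exchange server; 24h lookback and 5s slack are arbitrary.

$since = (Get-Date).AddHours(-24)
$slackSeconds = 5

# SECURITY_STATUS codes that appear in the 4625 Sub Status field when the
# logon process is Schannel (TLS client-certificate authentication).
$subStatusText = @{
    '0x80090325' = 'SEC_E_UNTRUSTED_ROOT  - client cert chains to a CA this server does not trust'
    '0x80090326' = 'SEC_E_ILLEGAL_MESSAGE - malformed or unexpected TLS message'
    '0x80090327' = 'SEC_E_CERT_UNKNOWN    - certificate could not be validated'
    '0x80090328' = 'SEC_E_CERT_EXPIRED    - certificate outside its validity period'
    '0x80090308' = 'SEC_E_INVALID_TOKEN   - invalid handshake token'
}

function Get-EventDataValue {
    # Return the text of a named <Data> element from an event record's XML.
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4625 events whose Logon Process is Schannel (the NTLM/Kerberos ones are filtered out).
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } |
    Where-Object { (Get-EventDataValue $_ 'LogonProcessName') -eq 'Schannel' }

# Schannel's own events live in the System log. 36887/36888 include the TLS alert
# code (48 = unknown_ca, 42 = bad_certificate, 46 = certificate_unknown).
$schannel = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Schannel'; Id = 36874, 36887, 36888; StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($f in $failures) {
    $sub  = "$(Get-EventDataValue $f 'SubStatus')".ToLower()
    $desc = if ($subStatusText.ContainsKey($sub)) { $subStatusText[$sub] } else { 'unmapped' }

    # Schannel events that fired within the slack window of this 4625.
    $near = $schannel | Where-Object {
        [math]::Abs(($_.TimeCreated - $f.TimeCreated).TotalSeconds) -le $slackSeconds
    }

    [pscustomobject]@{
        Time          = $f.TimeCreated
        SubStatus     = $sub
        Meaning       = $desc
        SourceAddress = Get-EventDataValue $f 'IpAddress'        # '-' for Schannel 4625s
        Workstation   = Get-EventDataValue $f 'WorkstationName'  # '-' for Schannel 4625s
        SchannelHints = ($near | ForEach-Object {
            "$($_.Id): $(("$($_.Message)" -split "`n")[0].Trim())"
        }) -join ' | '
    }
}
```

    If the System log has no Schannel events alongside the failures, Schannel logging is probably at its default level; raising the EventLogging DWORD under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL to 7 makes it record errors, warnings and informational events. Because neither log records the peer address for these failures, the remaining step to find the client is a capture on TCP 443 (for example netsh trace, or a packet capture filtered on TLS handshakes) taken across one of the regular bursts, looking for the ClientHello and Certificate messages that precede the failure.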

All replies

  • Hi

    Did you enable advanced auditing with group policy at all?

    If not, you might want to open a case with Microsoft.

    Hope this helps.

    Thursday, September 19, 2019 5:51 PM
  • I believe these are the policies you're talking about. Tried to make formatting look good. These were set by a previous admin (they've been this way for at least 6 years).

    Advanced Audit Configuration
    Account Logon
    Audit Credential Validation 			Success, Failure  
    Audit Kerberos Authentication Service 		Success, Failure  
    Audit Kerberos Service Ticket Operations 	Success, Failure  
    Audit Other Account Logon Events 		Success, Failure  
    Account Management
    Audit Application Group Management 		Success, Failure  
    Audit Computer Account Management 		Success, Failure  
    Audit Security Group Management 		Success, Failure  
    Audit User Account Management 			Success, Failure  
    Detailed Tracking
    Audit Process Creation 			        Success  
    Audit Process Termination 			Success  
    Audit Account Lockout 			        Success, Failure  
    Audit Logoff 			                Success, Failure  
    Audit Logon 			                Success, Failure  
    Audit Other Logon/Logoff Events 		Success, Failure  
    Audit Special Logon 			        Success, Failure  
    Object Access
    Audit Application Generated 			Success, Failure  
    Audit Certification Services 			Success, Failure  
    Policy Change
    Audit Audit Policy Change 			Success  
    Audit Authentication Policy Change 		Success  
    Audit Authorization Policy Change 		Success  
    Audit Other System Events 			Success, Failure  
    Audit Security State Change 			Success, Failure  
    Audit Security System Extension 		Success, Failure  
    Audit System Integrity 			        Success, Failure  

    Thursday, September 19, 2019 6:03 PM
  • Yip, those are the ones. I have them enabled in my environment as well and it generates plenty of alerts.

    If the GPO was created separately, then disable it for now and see if your events stop.

    Hope this helps.

    Thursday, September 19, 2019 6:09 PM
  • Ok. I can disable them to see if the alerts stop, but that would do nothing more than suppress those events from showing up. I've looked in my network monitoring application and the best I can tell this issue started about 2.5 months ago. Looking at change logs, there are none that would have impacted this; the only thing on the docket was an IDF switch swap.

    I'll look at this tomorrow and report back.

    Thursday, September 19, 2019 7:50 PM
  • migorisadiy,

    Sadly neither of those articles is helpful. Both of those have a source: the first shows a user and the second shows the host responsible for the event. My event has neither and I don't know how to track it down. It appears as though the localhost is generating these events, but I can't prove or disprove that.


    To no surprise when I disable "Audit Logon" those alerts stop. Obviously I don't want to leave Audit Logon disabled.

    Friday, September 20, 2019 1:53 PM
  • Would you mind letting me know if there is any update on the problem? If you need further assistance, feel free to let me know.


    Thursday, October 3, 2019 9:44 AM