Cannot Remote Desktop into Windows 2008 Server EVENTID: 4625?

  • Question

  • Hi,
    I have trouble logging in remote desktop to a Windows 2008 STD SP1. The server is in the domain. Something strange happens: often I cannot log in with a domain user but only with the local administrator, and sometimes I use the same domain user without any problems in accessing remote desktop. In Event Viewer, when the machine fails to log in, I find the following error:


    EVENT ID: 4625

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          8/24/2010 10:52:04 AM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      wbrdvpx40.webred.personal
    Description:
    An account failed to log on.

    Subject:
        Security ID:        NULL SID
        Account Name:       -
        Account Domain:     -
        Logon ID:           0x0

    Logon Type:             3

    Account For Which Logon Failed:
        Security ID:        NULL SID
        Account Name:       Administrator
        Account Domain:     WEBRED2000

    Failure Information:
        Failure Reason:     Unknown user name or bad password.
        Status:             0xc000006d
        Sub Status:         0xc000006a

    Process Information:
        Caller Process ID:      0x0
        Caller Process Name:    -

    Network Information:
        Workstation Name:       ANTONIO
        Source Network Address: -
        Source Port:            -

    Detailed Authentication Information:
        Logon Process:              NtLmSsp
        Authentication Package:     NTLM
        Transited Services:         -
        Package Name (NTLM only):   -
        Key Length:                 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.
        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    Event Xml:

    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
        <EventID>4625</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2010-08-24T08:52:04.983Z" />
        <EventRecordID>120934</EventRecordID>
        <Correlation />
        <Execution ProcessID="696" ThreadID="788" />
        <Channel>Security</Channel>
        <Computer>wbrdvpx40.webred.personal</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="TargetUserSid">S-1-0-0</Data>
        <Data Name="TargetUserName">Administrator</Data>
        <Data Name="TargetDomainName">WEBRED2000</Data>
        <Data Name="Status">0xc000006d</Data>
        <Data Name="FailureReason">%%2313</Data>
        <Data Name="SubStatus">0xc000006a</Data>
        <Data Name="LogonType">3</Data>
        <Data Name="LogonProcessName">NtLmSsp </Data>
        <Data Name="AuthenticationPackageName">NTLM</Data>
        <Data Name="WorkstationName">ANTONIOZAZZARO</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x0</Data>
        <Data Name="ProcessName">-</Data>
        <Data Name="IpAddress">-</Data>
        <Data Name="IpPort">-</Data>
      </EventData>
    </Event>

     

    How can I fix this problem??

     

    Tuesday, August 24, 2010 9:03 AM

Answers

  • The logons are failing because authentication back to the domain is failing.  Since it only happens with this one server, and since the problem is intermittent, that most likely means that there's a problem or bad configuration on that server itself.  Take a look in the System event log of the server where logons are failing, and see if you see any Netlogon or Kerberos events that might help explain what's happening.

    You can also enable netlogon debug logging on the server by running the following command:

    nltest /dbflag:0x2080ffff

    After you do this, the netlogon.log file should be available in c:\windows\debug\

    Check the event logs first, but if those don't give you useful information, then turn on the debug logging and reproduce the failure.  You should be able to use the timestamps in the log to find the entries from when you attempted to log in, you can repost those here and we can take a look at them.


    David Beach - Microsoft Online Community Support
    Friday, September 3, 2010 4:57 PM

All replies

  • Hi, try to apply the solution from this article.

    http://support.microsoft.com/kb/896861

    This issue occurs if you install Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). Windows XP SP2 and Windows Server 2003 SP1 include a loopback check security feature that is designed to help prevent reflection attacks on your computer. Therefore, authentication fails if the FQDN or the custom host header that you use does not match the local computer name.

    Hope that helps.


    PubForum.net Founder, TS Training in Europe! Love Microsoft & its people to bits!
    Tuesday, August 24, 2010 10:00 PM
    Moderator
  • I modified the registry key but unfortunately nothing changed. This morning, when I tried to log into remote desktop, I got the following error message:

    Logon failure: user account restriction. Possible reasons are blank password not allowed, logon hour restrictions, or a policy restriction has been enforced.

     

    In the machine's event viewer I see:

    An account failed to log on.

    Subject:
        Security ID:        SYSTEM
        Account Name:        WBRDVPX40$
        Account Domain:        WEBRED2000
        Logon ID:        0x3e7

    Logon Type:            10

    Account For Which Logon Failed:
        Security ID:        NULL SID
        Account Name:        azazxxxx
        Account Domain:        webred.personal

    Failure Information:
        Failure Reason:        Unknown user name or bad password.
        Status:            0xc000006e
        Sub Status:        0xc000006e

    Process Information:
        Caller Process ID:    0xda4
        Caller Process Name:    C:\Windows\System32\winlogon.exe

    Network Information:
        Workstation Name:    WBRDVPX40
        Source Network Address:    172.16.1.75
        Source Port:        49394

    Detailed Authentication Information:
        Logon Process:        User32
        Authentication Package:    Negotiate
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.

    PS: the problem is only found on this server with Windows 2008 STD SP1

     

    Wednesday, August 25, 2010 6:05 AM
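The Status and Sub Status values in the two 4625 events posted above say more than the Failure Reason text. This added example (not part of the original thread) parses a 4625 Event XML record and decodes them; the first sample uses values from the question's Event Xml, the second is constructed from the text fields of the Logon Type 10 event, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS values that commonly appear in Status / SubStatus of event 4625.
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC000006F: "STATUS_INVALID_LOGON_HOURS",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC000015B: "STATUS_LOGON_TYPE_NOT_GRANTED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

def sample_event(**fields):
    """Wrap EventData name/value pairs in a minimal 4625 Event XML record."""
    data = "".join('<Data Name="%s">%s</Data>' % kv for kv in fields.items())
    return ('<Event xmlns="%s"><System><EventID>4625</EventID></System>'
            "<EventData>%s</EventData></Event>" % (NS["e"], data))

# Values copied from the Event Xml in the question.
EVENT_NETWORK = sample_event(
    TargetUserName="Administrator", TargetDomainName="WEBRED2000",
    Status="0xc000006d", SubStatus="0xc000006a", LogonType="3",
    WorkstationName="ANTONIOZAZZARO", IpAddress="-")
# Constructed from the text fields of the Logon Type 10 event posted above.
EVENT_RDP = sample_event(
    TargetUserName="azazxxxx", TargetDomainName="webred.personal",
    Status="0xc000006e", SubStatus="0xc000006e", LogonType="10",
    WorkstationName="WBRDVPX40", IpAddress="172.16.1.75")

def decode_status(value):
    """Map a hex NTSTATUS string such as '0xc000006a' to its symbolic name."""
    code = int(value, 16)
    return NTSTATUS.get(code, "UNKNOWN_0x%08X" % code)

def triage_4625(xml_text):
    """Return the fields of one 4625 record that decide where to look next."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        raise ValueError("not an event 4625 record")
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    # SubStatus carries the specific cause; fall back to Status when it is zero.
    specific = data["SubStatus"] if int(data["SubStatus"], 16) else data["Status"]
    ip = data.get("IpAddress", "-")
    return {
        "account": "%s\\%s" % (data["TargetDomainName"], data["TargetUserName"]),
        "logon_type": LOGON_TYPES.get(int(data["LogonType"]), "Unknown"),
        "status": decode_status(data["Status"]),
        "cause": decode_status(specific),
        # The address can be "-" (as in the question's event); the workstation
        # name is then the only client identifier in the record.
        "client": ip if ip != "-" else data.get("WorkstationName", "-"),
    }

if __name__ == "__main__":
    for record in (EVENT_NETWORK, EVENT_RDP):
        print(triage_4625(record))
```

For the Logon Type 10 record the decoded cause is STATUS_ACCOUNT_RESTRICTION, which lines up with the "user account restriction" message shown by the Remote Desktop client rather than with the generic Failure Reason text in the event.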
  • Anyone with my same problem?
    Thursday, August 26, 2010 5:38 AM
  • Up -.-
    Friday, August 27, 2010 6:04 AM
  • Hi,

    According to the event log, it seems that the user name or password is incorrect. Do you mean that you can RDP into another computer in the domain with the same domain user account?

    Thanks.


    Friday, August 27, 2010 7:48 AM
    Moderator
  • Of course, if I log with the same credentials in another domain computer I can access remote desktop without problems.
    Friday, August 27, 2010 8:51 AM
  • Hi Webred, 

    By default only local and domain admins can log onto Domain servers. Have you added the specific user to the local remote desktop group on the Server?

    I am assuming that you can connect successfully from computer A to your Server 2008 STD SP1 using a domain admin account, this way we eliminate any doubt regarding client SLA and user rights.

    Please confirm.

    Hugo


    A.I.
    Friday, August 27, 2010 8:41 PM
  • Hello Hugo,
    When Remote Desktop does not work, you cannot access the Windows 2008 server with any domain user, even with the administrator account, and it works with the local administrator. Then I realized that, without touching any configuration, it all works again without a valid explanation.
    Monday, August 30, 2010 6:24 AM
  • Yesterday it worked without problems, but this morning the usual error:
    Logon failure: user account restriction. Possible reasons are blank passwords not allowed, logon hour restrictions, or a policy restriction has been enforced.

    From the event viewer of the machine:


    1) Event:
    Audit failure
    A privileged service was called.

    Subject:
    Security ID: SYSTEM
    Account Name: WBRDVPX40$
    Account Domain: WEBRED2000
    Logon ID: 0x3E7





    2) Event:
    Audit failure

    An account failed to log on.

    Subject:
        Security ID:        SYSTEM
        Account Name:        WBRDVPX40$
        Account Domain:        WEBRED2000
        Logon ID:        0x3e7

    Logon Type:            10

    Account For Which Logon Failed:
        Security ID:        NULL SID
        Account Name:        azazzaro
        Account Domain:        webred.personal

    Failure Information:
        Failure Reason:        Unknown user name or bad password.
        Status:            0xc000006e
        Sub Status:        0xc000006e

    Process Information:
        Caller Process ID:    0x16e4
        Caller Process Name:    C:\Windows\System32\winlogon.exe

    Network Information:
        Workstation Name:    WBRDVPX40
        Source Network Address:    172.16.0.10
        Source Port:        50972

    Detailed Authentication Information:
        Logon Process:        User32
        Authentication Package:    Negotiate
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.
        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.





    3) event:

    Audit Success

    An account was logged off.

    Subject:
        Security ID:        WEBRED2000\azazzaro
        Account Name:        azazzaro
        Account Domain:        WEBRED2000
        Logon ID:        0x8bd16d

    Logon Type:            3

    This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

    Service:
    Server: Security Account Manager
    Service Name: Security Accounts Manager

    Process:
    Process ID: 0x2b8
    Process Name: C:\Windows\System32\lsass.exe

    Service Request Information:
    Privileges: SeTcbPrivilege






    It is not a domain problem, because with the same user (azazzaro) I can connect to other servers in the domain.
    Tuesday, August 31, 2010 7:15 AM
  • Hi,
    I have trouble logging in remote desktop to a Windows 2008 STD SP2 intermittently. The server is in the domain. Internally the users have no issues, but when logging in externally to the Terminal Server farm (through ISA), they intermittently cannot log in using their domain accounts. In the event viewer are the following messages; following the above forum I have enabled the netlogon debug logging. Did anyone find a resolution for this error? The same accounts can RDP into other servers OK, just not the terminal server farm (2 TS servers).

    Jenni

    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

    Logon Type: 3

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: test
    Account Domain: test

    Failure Information
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc000006a

    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

    Network Information:
    Workstation Name: JEN
    Source Network Address: 10.0.1.42
    Source Port: 44148

    Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session

    An account failed to log on.

    Subject:
    Security ID: NETWORK SERVICE
    Account Name: STAFFTSDR$
    Account Domain: EIT
    Logon ID: 0x3e4

    Logon Type: 5

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -

    Failure Information:
    Failure Reason: An Error occured during Logon.
    Status: 0xc0000022
    Sub Status: 0xc0000022

    Process Information:
    Caller Process ID: 0x45c
    Caller Process Name: C:\Windows\System32\svchost.exe

    Network Information:
    Workstation Name: -
    Source Network Address: -
    Source Port: -

    Detailed Authentication Information:
    Logon Process: Advapi
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    Sunday, October 17, 2010 7:58 PM
  • I'm having the same pain here:

    Unable to RD a WS2K8 R2 box using domain credentials

    Event ID 4625 NULL SID sighted in system's Events

    Remote Desktop using system's local admin credential works fine

    Log on locally with domain credentials works fine.

    Went thru the workaround presented above >> same issue

    Thanks

    Wednesday, May 23, 2012 5:45 AM
  • Alex Juschin's article reference helped me solve my problem. Which was that I couldn't open a remote desktop connection from the Internet to my home lab server using my home router's Internet public IP address (the router was configured to relay all connections to port 3389 to said lab server). I could open a connection from within my home networks though. Disabling Loopback Checking as stated on http://support.microsoft.com/kb/896861 solved this.

    Edit: after a little more research I found this article http://support.microsoft.com/kb/926642 more suitable because changing DisableStrictNameChecking is not needed. Also, I've successfully applied method 1 by adding the hostname address that I use to connect to my home network to MSV1_0's BackConnectionHostNames subkey. No reboot was needed on a Windows Server 2008 R2 with SP1.



    Saturday, July 21, 2012 4:32 PM
  • Here are my logs when I ran it. What can I take from this?

    05/06 08:12:40 [MISC] DbFlag is set to 2080ffff
    05/06 08:12:42 [INIT] Group Policy is not defined for Netlogon
    05/06 08:12:42 [INIT] Following are the effective values after parsing
    05/06 08:13:27 [MISC] In control handler (Opcode: 4)
    05/06 08:14:12 [MISC] DsGetDcName function called: Dom:(null) Acct:(null) Flags: DS GC RET_DNS 
    05/06 08:14:12 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
    05/06 08:14:12 [MISC] NetpDcGetName: fmdh.gc. cache is too old. 1941058
    05/06 08:14:12 [MAILSLOT] NetpDcPingListIp: fmdh.gc.: Sent UDP ping to 10.20.20.233
    05/06 08:14:12 [MISC] NlPingDcNameWithContext: Sent 1/1 ldap pings to DC01.fmdh.gc
    05/06 08:14:12 [MISC] NlPingDcNameWithContext: DC01.fmdh.gc responded over IP.
    05/06 08:14:12 [MISC] NetpDcGetName: fmdh.gc. using cached information
    05/06 08:14:12 [MISC] DsGetDcName function returns 0: Dom:(null) Acct:(null) Flags: DS GC RET_DNS 
    05/06 08:14:29 [MISC] In control handler (Opcode: 4)

    Friday, May 6, 2016 2:16 PM
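One way to follow the advice given earlier in the thread, lining up netlogon.log entries with the time of a failed logon, shown as an added example that is not part of any post. The first four sample lines are copied from the excerpt above; the two [LOGON] lines are constructed (hypothetical account and host) and assume the "SamLogon: ... Returns 0x..." form of logon entries, and the function names are illustrative.

```python
import re
from datetime import datetime, timedelta

LINE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\] (.*)$")
DC_REPLY = re.compile(r"NlPingDcNameWithContext: (\S+) responded over IP")
DC_RESULT = re.compile(r"DsGetDcName function returns (\d+)")
LOGON_RESULT = re.compile(
    r"SamLogon: .*logon of (\S+) from (\S+)(?: \(via \S+\))? Returns (0x[0-9A-Fa-f]+)")

# First four lines: copied from the netlogon.log excerpt posted above.
# Last two lines: constructed for this example, not taken from the thread.
SAMPLE_LOG = r"""
05/06 08:14:12 [MISC] DsGetDcName function called: Dom:(null) Acct:(null) Flags: DS GC RET_DNS
05/06 08:14:12 [MISC] NlPingDcNameWithContext: DC01.fmdh.gc responded over IP.
05/06 08:14:12 [MISC] DsGetDcName function returns 0: Dom:(null) Acct:(null) Flags: DS GC RET_DNS
05/06 08:14:29 [MISC] In control handler (Opcode: 4)
05/06 08:20:03 [LOGON] SamLogon: Network logon of EXAMPLE\jdoe from WKSTN01 Entered
05/06 08:20:03 [LOGON] SamLogon: Network logon of EXAMPLE\jdoe from WKSTN01 Returns 0xC000006A
"""

def parse_netlogon(text, year):
    """Return (timestamp, category, message) tuples; the log lines carry no year."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime("%d/%s" % (year, m.group(1)), "%Y/%m/%d %H:%M:%S")
            entries.append((ts, m.group(2), m.group(3)))
    return entries

def around_failure(text, failure_time, seconds=60):
    """Summarise entries within +/- `seconds` of a failed logon.

    failure_time must be in the server's local time, which is what netlogon.log
    records; TimeCreated/SystemTime in the Event XML is UTC.
    """
    window = timedelta(seconds=seconds)
    summary = {"dc_replies": [], "dc_locator_codes": [], "logon_failures": []}
    for ts, _category, msg in parse_netlogon(text, failure_time.year):
        if abs(ts - failure_time) > window:
            continue
        reply = DC_REPLY.search(msg)
        result = DC_RESULT.search(msg)
        logon = LOGON_RESULT.search(msg)
        if reply:
            summary["dc_replies"].append(reply.group(1))
        if result:
            summary["dc_locator_codes"].append(int(result.group(1)))
        # A non-zero NTSTATUS on a "Returns" line is a failed logon attempt.
        if logon and int(logon.group(3), 16) != 0:
            summary["logon_failures"].append(logon.groups())
    return summary

if __name__ == "__main__":
    print(around_failure(SAMPLE_LOG, datetime(2016, 5, 6, 8, 14, 20)))
    print(around_failure(SAMPLE_LOG, datetime(2016, 5, 6, 8, 20, 0)))
```

A window that contains only DC locator entries and no [LOGON] lines means the failed logon was not captured in that part of the log, so the failure needs to be reproduced while debug logging is on.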
  • I have the same problem, after checking the Logs, I have seen that:

    Failure Information:
        Failure Reason:     Unknown user name or bad password.
        Status:             0xC000006D
        Sub Status:         0xC000006A

    Process Information:
        Caller Process ID:      0x0
        Caller Process Name:    -

    Network Information:
        Workstation Name:       XXXXXXXX
        Source Network Address: -
        Source Port:            -

    Detailed Authentication Information:
        Logon Process:              NtLmSsp
        Authentication Package:     NTLM
        Transited Services:         -
        Package Name (NTLM only):   -
        Key Length:                 0

    Changing the "Network Security: LAN Manager authentication level" to Send NTLMv2 response only\refuse LM & NTLM on the client has solved the problem


    • Edited by Mashhoud Friday, January 20, 2017 11:42 AM
    Friday, January 20, 2017 11:41 AM