NULL SID Security Log Event ID 4625 when attempting logon to 2008 R2 Remote Desktop Session Host

    Question

  • This is a new deployment of Server 2008 R2 in a newly created 08 R2 Active Directory on a newly installed 08 R2 RDSH server.

    A new generic user is created in AD. That user can log on to the terminal server on the console just fine. But that user cannot log on via RDP. Furthermore, the domain admin credentials also cannot log on via RDP.

    When either set of credentials is used, the logon attempt is registered in the Windows Security Event Log as a denied attempt with Event ID 4625 reporting a NULL SID.

    Troubleshooting: The RDSH has already been disjoined and rejoined to the domain. Also, a curious note: there are three ways to save the user account on the RDSH server as a valid user account which has permissions to log on. The one Microsoft recommends is to open Computer Management and edit the Remote Desktop Users group. When I add the accounts here and click apply, they immediately disappear. Secondly, I can open the computer properties and go to the Remote tab. There I find the user accounts added using the previous method are enumerated but not displaying correctly. They show up with the RDSH server name and a question mark. The last way is to open the Remote Desktop Session Configuration tool, edit the properties of the RDP connection and go to the Security tab. This was the only place I could get a user to 'stick', but the logon attempts still show a NULL SID and access is denied.

    I have scoured every bit of RDS documentation I can find with no luck.

    Thanks,
    Chris
    Monday, January 18, 2010 8:12 PM

All replies

  • Chris,

    I am interested in this behavior and would like to see it. Email me at kristin.l.griffin AT gmail DOT com if this is possible.

    Thanks,

    Kristin L. Griffin

    Co-Author of the Windows Server 2008 Terminal Services Resource Kit (and a SUPER BIG fan of the Microsoft RDV Team!!!) 

    I finally started my blog: blog.kristinlgriffin.com
    Tuesday, January 19, 2010 5:08 AM
    Moderator
  • Hi Kristin.
    I am confronted with difficulties with the same error as Chris wrote (Event ID 4625) when I try to administer MOSS over an RDP connection.
    It sounds like a bug; in my situation, it occurs on connections to localhost HTTP resources (MOSS installed on this server) inside an RDP session (OS Win 2008 R2, client version 7.0, with network authentication enabled).
    When anybody connects to MOSS on this machine from any network PC, then everything is OK.

    An account failed to log on.

    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: user
    Account Domain: LOCAL
    Failure Information:
    Failure Reason: An Error occured during Logon.
    Status: 0xc000006d
    Sub Status: 0x0
    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -
    Network Information:
    Workstation Name: FS
    Source Network Address: 192.168.1.20
    Source Port: 58990
    Detailed Authentication Information:
    Logon Process:
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.








    Saturday, February 13, 2010 3:40 AM
  • Chris,

     Still having the issue? If not then what did you do to remedy?
    Hope this helps,

    Kristin L. Griffin

    Co-Author of the Windows Server 2008 Terminal Services Resource Kit (and a SUPER BIG fan of the Microsoft RDV Team!!!) 

    I finally started my blog: blog.kristinlgriffin.com
    Wednesday, February 17, 2010 3:20 AM
    Moderator
  • I now am having the same issue, with the following basic setup.

    1 single domain controller with 7 systems attached to the domain.com.

    All of these machines attached to the domain, work perfectly.  Rdp login works remotely, console, etc.

    Recently, built another server to add to the domain.  The server is the same setup as the others, win2k8 R2 no software installed yet.

    However, when trying to remotely log in to this server, it gives me this "4625" error.  BUT, I can log on to the machine REMOTELY using the new server's LOCAL privileges, just not the domain user/pass.  Weird.

    Yes, let us know pretty please if you were able to find a solution.  :)

    Wednesday, May 05, 2010 1:45 PM
  • Have you tried to re-add the server to the domain?
    Hope this helps,

    Kristin L. Griffin

    Co-Author of the Windows Server 2008 Terminal Services Resource Kit (and a SUPER BIG fan of the Microsoft RDV Team!!!) 

    My RDS blog: blog.kristinlgriffin.com
    Wednesday, May 05, 2010 4:07 PM
    Moderator
  • I am also experiencing this issue. 

    2008 servers, 2007 exchange on server 2008. 

    These are fresh servers, fresh AD. Users can log onto domain normally, RDP not working for admin accounts, generating same errors as posted above.

     

    The bigger issue is that we have a Cisco messaging service account that is generating this error on the DCs and the Exchange server as well. The service basically emails users' voicemails to their inbox. The user we've created for the Cisco service is unable to authenticate to the Exchange server, in turn generating the same errors posted above as well. We can log on to the domain with this account just fine.

    Any ideas on this? We have not tried re-adding the servers to the domain.

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          5/5/2010 9:01:13 AM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      xx.corp
    Description:
    An account failed to log on.

    Subject:
        Security ID:              NULL SID
        Account Name:             -
        Account Domain:           -
        Logon ID:                 0x0
    Logon Type:                   3

    Account For Which Logon Failed:
        Security ID:              NULL SID
        Account Name:             xxxx
        Account Domain:           xxxx

    Failure Information:
        Failure Reason:           Domain sid inconsistent.
        Status:                   0xc000006d
        Sub Status:               0xc000019b

    Process Information:
        Caller Process ID:        0x0
        Caller Process Name:      -

    Network Information:
        Workstation Name:         laptop
        Source Network Address:   -
        Source Port:              -

    Detailed Authentication Information:
        Logon Process:            NtLmSsp
        Authentication Package:   NTLM
        Transited Services:       -
        Package Name (NTLM only): -
        Key Length:               0


    Wednesday, May 05, 2010 5:06 PM
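The two event dumps in this thread differ only in their Sub Status (0x0 versus 0xc000019b), which is the field that separates the causes the later replies found. As an added example (not code from the thread), this PowerShell turns 4625 XML from Get-WinEvent into objects so that field, the NULL target SID and the source host can be filtered and counted; the sample event is constructed.

```powershell
# Added example, not from the thread. Turns Security event 4625 XML (Get-WinEvent's .ToXml())
# into objects carrying the fields the posters compared: target SID, Status/SubStatus, logon
# type, auth package and source host. "NULL SID" in the rendered event is the SID S-1-0-0,
# which appears when the account could not be mapped to a SID.

# SubStatus -> meaning. 0xC000019B is the value in the thread's second dump, rendered there as
# "Domain sid inconsistent"; 0xC0000133 is the DC clock-skew code relevant to the time-sync replies.
$SubStatusText = @{
    '0xC000019B' = 'Domain sid inconsistent (thread: cloned servers sharing one machine SID)'
    '0xC0000133' = 'Clocks between DC and other computer too far out of sync'
    '0x0'        = 'No substatus reported'
}

function ConvertFrom-Event4625 {
    param([Parameter(Mandatory = $true)][string]$EventXml)
    $doc = [xml]$EventXml
    $d = @{}
    foreach ($item in $doc.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    # Normalise hex case so the lookup table matches (events write 0xc000019b)
    $sub = ('{0}' -f $d['SubStatus']).ToUpper() -replace '^0X', '0x'
    $subText = 'see NTSTATUS reference'
    if ($SubStatusText.ContainsKey($sub)) { $subText = $SubStatusText[$sub] }
    New-Object PSObject -Property @{
        Computer      = $doc.Event.System.Computer
        TargetUser    = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        TargetSid     = $d['TargetUserSid']
        NullSid       = ($d['TargetUserSid'] -eq 'S-1-0-0')
        LogonType     = $d['LogonType']
        AuthPackage   = $d['AuthenticationPackageName']
        Status        = $d['Status']
        SubStatus     = $sub
        SubStatusText = $subText
        Workstation   = $d['WorkstationName']
        SourceIp      = $d['IpAddress']
    }
}

# Constructed sample shaped like the thread's second dump (NULL SID, 0xc000006d / 0xc000019b).
$SampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><Computer>xx.corp</Computer></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">svc-example</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc000019b</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">laptop</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>
'@

ConvertFrom-Event4625 $SampleXml | Format-List

# Live use (run elevated): recent 4625s with a NULL target SID, counted by substatus and account.
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 500 |
#     ForEach-Object { ConvertFrom-Event4625 $_.ToXml() } |
#     Where-Object { $_.NullSid } |
#     Group-Object SubStatus, TargetUser | Sort-Object Count -Descending
```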
  • Hi,

     

    I know this might be an old post but I had the same problem. What I have found out is that sysprep did not regenerate the SID on the servers I have built from the template. This is why all servers in a fresh domain had the same SID, causing the issue discussed above. I have used Winternals' NewSID and after adding the same server with a new SID to the domain the problem was gone. 

     

    Hope this helps in case you have the same problem (you can check your machine's SID with http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx)

     

    Regards,

    Pawel

    Friday, June 18, 2010 9:58 PM
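Pawel's duplicate-SID finding (and the later sysprep /generalize replies) can be verified without a third-party tool: every local account's SID is the machine SID followed by a RID, so stripping the RID recovers the machine SID. The PowerShell below is an added example, not from the thread; the host names are placeholders and remote collection assumes PowerShell remoting is enabled.

```powershell
# Added example, not from the thread. Derives each host's machine SID from the SID of one of its
# local accounts (the SID minus the trailing RID) and reports hosts that share one, which is the
# un-generalised clone condition Pawel describes. Host names are placeholders; remote collection
# assumes PowerShell remoting is enabled. PsGetSid from the linked page gives the same per host.

function Get-MachineSid {
    # Any local account will do: its SID is <machine SID>-<RID>
    $acct = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount = TRUE' | Select-Object -First 1
    $sid  = New-Object System.Security.Principal.SecurityIdentifier($acct.SID)
    $sid.AccountDomainSid.Value
}

function Find-DuplicateMachineSid {
    param([string[]]$ComputerName)
    $rows = foreach ($c in $ComputerName) {
        try {
            $ms = Invoke-Command -ComputerName $c -ScriptBlock ${function:Get-MachineSid} -ErrorAction Stop
        } catch {
            $ms = "<unreachable: $($_.Exception.Message)>"
        }
        New-Object PSObject -Property @{ Computer = $c; MachineSid = $ms }
    }
    $rows | Format-Table Computer, MachineSid -AutoSize | Out-String | Write-Host
    $rows | Where-Object { -not $_.MachineSid.StartsWith('<') } |
        Group-Object MachineSid | Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $hosts = ($_.Group | ForEach-Object { $_.Computer }) -join ', '
            Write-Warning ("Machine SID {0} is shared by: {1} - clones need sysprep /generalize" -f $_.Name, $hosts)
        }
}

# Local check
"This host: {0}" -f (Get-MachineSid)

# Fleet check (placeholder names)
Find-DuplicateMachineSid -ComputerName 'DC01', 'RDSH01', 'EXCH01'
```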
  • Hi all, today I have a similar problem:

    - Windows server 2008 configured in an AD domain

    - created new user named "rduser" as a LOCAL user

    - added rduser to LOCAL group "Remote Desktop Users"

     

    If I try to connect through RDP, I get the error "must be granted terminal services right" and event log entry 4625

     

    Now I solved it by modifying local policy:

    - run gpedit.msc

    - go to computer configuration - windows settings - security settings - local policies - user right assignment

    - edit item "Allow log on through Terminal Services" and add rduser

     

    Now Enjoy remotely with RDP!

    Wednesday, August 24, 2011 8:01 AM
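The gpedit steps above grant SeRemoteInteractiveLogonRight by hand; whether a server already grants it, and to whom, can be read back from the local security database. This PowerShell is an added example, not from the thread; it must run elevated and uses only secedit and the .NET SID translator.

```powershell
# Added example, not from the thread. Exports the local security database with secedit and lists
# who holds "Allow log on through Terminal Services" / "...Remote Desktop Services"
# (SeRemoteInteractiveLogonRight), the right the poster above assigned in gpedit. On a default
# member server it holds Administrators (S-1-5-32-544) and Remote Desktop Users (S-1-5-32-555).
# Run elevated. SeDenyRemoteInteractiveLogonRight, if set, overrides this allow list.

function Get-RemoteInteractiveLogonRight {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' } |
            Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right held by nobody: every RDP logon is refused
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            # secedit writes principals as *<SID>; resolve to a name where the SID is known
            $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '<unresolved SID>' }
            New-Object PSObject -Property @{ Sid = $sid.Value; Name = $name }
        } else {
            New-Object PSObject -Property @{ Sid = $null; Name = $e }   # written as a plain name
        }
    }
}

function Test-RemoteDesktopUsersHaveRight {
    # $true when BUILTIN\Remote Desktop Users (S-1-5-32-555) is on the allow list
    [bool](Get-RemoteInteractiveLogonRight | Where-Object { $_.Sid -eq 'S-1-5-32-555' })
}

Get-RemoteInteractiveLogonRight | Format-Table Name, Sid -AutoSize
if (-not (Test-RemoteDesktopUsersHaveRight)) {
    Write-Warning 'Remote Desktop Users is missing SeRemoteInteractiveLogonRight; its members cannot log on via RDP.'
}
```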
  • I added the built-in AD group "Remote Desktop Users" to the policy and it works by just adding users to that group.

    But I didn't understand why it is not implemented by default, as expected.

    PC


    Monday, January 09, 2012 2:38 PM
  • Hello Phlipper85,

    this is no "real" solution, because this will in fact create users outside of the AD domain. So you are using real local accounts on the RDServer, which doesn't make much sense in an AD domain...

    Regards
    Wednesday, January 18, 2012 2:30 PM
  • Exactly the same problem here.

    Infrastructure contains 6 2008 R2 servers: one domain controller, the others domain members. The domain administrator can log in via RDP to the DC only; for domain members, local administrator credentials have to be used. Security auditing events are exactly as pasted by The_Parabol.

    This is really annoying because there are a couple of servers with the CA role; they cannot be renamed or rejoined to the domain in any way. A workaround like using local user credentials is not the solution in this case.

    Friday, March 02, 2012 3:05 PM
  • Had this exact issue after installing some third-party software; as it turned out, a local security policy was changed. We resolved this issue by (re)setting the Local Security Policy property "Network access: Sharing and security model for local accounts", found under "Security Options", back to its default setting of "Classic - local users authenticate as themselves". It had been changed to "Guest only - local users authenticate as Guest", which caused the EID 4625, NULL user etc. when logging in via RDP.


    Saturday, March 10, 2012 3:59 PM
  • Hi all,

    I'm having the same problem.

    Michael: both client and server have the default setting "Classic - local..." - this does not solve the issue.

    I can only reproduce the issue from some Windows clients. Other clients seem to allow logon to the server with a domain user just fine; this indicates to me that it might be an issue on some clients rather than on the server.

    Looking forward to a solution/suggestion...

    Best regards

    Wednesday, May 23, 2012 6:29 PM
  • Hmm, seems that I have found a solution that worked for me.

    My two DCs were out of sync with date and time - not only out of sync between each other but also compared to the client PC I tried to log on from.

    With the time and date set correctly on all servers and clients, I can now log on with RDP from PCs/clients that are non-domain and domain, with local admin (".\administrator") and domain administrators.

    Hope this solves your issues.

    BR Andreas


    Wednesday, May 23, 2012 6:54 PM
  • Hello,

    Just change the administrator password; for me it solved the problem.

    Regards

    Thursday, June 07, 2012 12:17 PM
  • Andi, you saved my day!

    Thank you!

    Greetings,

    Michael


    Friday, August 24, 2012 1:26 PM
  • Hi Michael, I have the same issue but have not been able to resolve it. What steps did you follow to resolve your problem.

    Thank you

    Thursday, August 30, 2012 4:56 PM
  • I have the same problem.  Can someone give a real answer? My server is generating 100s of these errors and I am getting email alerts every day.  I want to get rid of it for good.

    Thanks.

    Tuesday, September 04, 2012 1:05 PM
  • Hello,

    Sysprep will only reset the SID if you run the Generalize option. If you do not select this option, it will retain the existing SID.

    Cheers

    Thursday, December 13, 2012 5:45 PM
  • Hi! I had the authentication problem in a remote desktop session. When I look in the Event Viewer it gives the 4625 "domain SID inconsistent" error. My DC was a clone made with sysprep. I changed my DC and reinstalled it from the ISO and my problem was solved =) 

    Friday, December 21, 2012 2:29 PM
  • Hi! I'm facing exactly the same issue after installing a SharePoint farm. The application pools configured with the service account crash and return a 503 error. In the Event Viewer, I get the 4625 error...

    I'm able to remote connect with the service account on my machine. I also added it to the administrators group but it does not change anything.

    Thanks for your help,

    Cheers,

    Guillaume

    Friday, January 25, 2013 4:22 PM
  • I have the following situation.  I have a 2008 R2 server for Hyper-V; it has 6 VMs on it.  It was recently upgraded to Server 2012 and all the VMs had the new integration services images loaded.

    Following the upgrade, I have one VM that I can't do a remote desktop access to from one laptop on the network.
    This laptop used to be able to access that VM when it was Hyper-V 2008.  It can access all the other VMs.
    All the other systems in the network can access this one VM.

    The error I see in the event log on the laptop is 4625 NULL SID.  I also see an LSASS.EXE error on the laptop as well.  I don't see any error on the VM showing a failed connection or login attempt.
    My questions are two-fold.  First, why is this happening to just one VM when attempting to connect from one laptop?  And if it is some sort of failure related to LSASS, then shouldn't it be causing all remote desktop attempts to any server to fail?

    Any thoughts on how I can remedy this?

    Thanks
    BeekerC

    Thursday, June 27, 2013 8:34 AM
  • Try adding the administrator account to the Local Policies --> Users Rights Assignment --> Allow log on through Remote Desktop Services; That did it for me - hope it helps
    Monday, November 18, 2013 10:01 PM
  • if you are having issues getting into a SharePoint site (not Central Admin) while RDP'd into the server, it's because the loopback check is enabled. If you get to the site via a browser session from another server or desktop and it works, that is your cause (IF NTLM IS ENABLED). You can disable loopback checking via PowerShell:

    New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name "DisableLoopbackCheck" -value "1" -PropertyType dword

    Reboot is recommended but not necessary.

    E

    Thursday, February 20, 2014 7:34 PM
  • I also encountered this problem, I found the culprit that caused this

    In Local Security Policy, my LAN Manager Authentication Level was set to "Send NTLMv2 response only\refuse LM & NTLM".

    After configuring it to "Send NTLMv2 response only", the problem was solved.

    Tuesday, July 15, 2014 12:41 PM
  • HI All,

    I am also facing the same issue today when I installed a fresh DC [2008 R2]. It's not allowing me to log in to the domain with the domain credentials. Now for one server I did the sysprep and it just restored all the configuration like a factory reset, and after that it deleted the current user through which you logged in. So I had to create the same user again by logging into the server with another user [luckily I had created 4 users before doing the sysprep]...

    any suggestion ....

    Wednesday, July 23, 2014 8:31 AM
  • if you are having issues getting into a SharePoint site (not Central Admin) while RDP'd into the server, it's because the loopback check is enabled. If you get to the site via a browser session from another server or desktop and it works, that is your cause (IF NTLM IS ENABLED). You can disable loopback checking via PowerShell:

    New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name "DisableLoopbackCheck" -value "1" -PropertyType dword

    Reboot is recommended but not necessary.

    E

    This worked for me.
    Tuesday, July 29, 2014 3:38 PM
  • We had the same issue.

    Cloned an IIS server Windows 2012.
    When I logged in I got the no SID error.
    Went to a colleague and asked him to log on to the server.
    He didn't get any error. At that moment I knew the problem was in my profile.

    Removed my local profile and the issue was gone.

    Thursday, July 31, 2014 7:33 AM
  • I had the same issue with a terminal server having the same events.

    Some trojan changed the DNS entries in the LAN adapter to 8.8.8.8.

    I changed it to the right value of the DC and the error was corrected.

    Saturday, September 06, 2014 6:27 PM
  • "if you a having issues getting into a sharepoint site (not central admin) while RDP's into the server its because the loopbackcheck is enabled. If you get to the site via a browser session from another server or desktop and it works that is your cause (IF NTLM IS ENABLED). You can disable loopback checking via powershell:

    New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name "DisableLoopbackCheck" -value "1" -PropertyType dword

    Reboot is recommended but not necessary.

    E"

    This solved my issue where I was getting access denied while trying to setup DFS in W2012 locally! Thanks!

    Tuesday, June 02, 2015 9:49 PM
  • I have a similar issue. On random servers (2008+) we will not be able to RDP into them and local authentication starts failing. The security event log lists the NULL SID event for all of these.  I am suspecting the issue is related to some older 2003 DCs that are still in the domain but I cannot pinpoint that for sure.  Anyone else come across this?
    Tuesday, June 16, 2015 2:13 PM
  • I was able to logon to a server with several accounts through VM console but when trying to RDP the screen would just flash and go back to asking for credentials without error. This fixed my problem. Thank you.
    Wednesday, November 18, 2015 11:22 PM
  • Tried tons of fixes found by scouring the internet:

    Group Policy:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - Network security: LAN Manager authentication level = set item to Send NTLMv2 response only/refuse LM & NTLM

    Local Policy:

    Similar to group policy settings

    Registry:

    LMCompatibilityLevel set to 3 or more (4 for the above setting)

    EnforceChannelBinding set to 0

    None of the above worked for us. It finally turned out to be bad time zone settings on the router. Guess packets with bad time stamps from the router caused authentication to fail not to the RDP Gateway but to the internal resources being connected to. Just an FYI for those pulling their hair out on this one.

    Thursday, March 10, 2016 4:22 PM
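Three of the fixes in this thread are single Lsa registry values: the "Sharing and security model" reset (ForceGuest), the LAN Manager authentication level (LmCompatibilityLevel) and DisableLoopbackCheck. The PowerShell below is an added example, not from the thread; it reads the three values and reports each against the defaults it assumes (ForceGuest 0; LmCompatibilityLevel unset meaning 3 on Vista/2008 and later; loopback check on when unset) so a server can be audited before anything is changed.

```powershell
# Added example, not from the thread. Reads the Lsa registry values behind three settings the
# replies above changed (the "Sharing and security model" fix, the LAN Manager level fix and
# DisableLoopbackCheck) and reports each next to its meaning. Defaults assumed: ForceGuest 0
# (Classic); LmCompatibilityLevel unset = 3 on Vista/2008 and later; DisableLoopbackCheck
# unset = loopback check on.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$LmLevelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

function Get-LsaValue {
    param([string]$Name)
    $item = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }    # $null: value not present, OS default applies
}

function Get-LsaAuthSettings {
    $force = Get-LsaValue 'ForceGuest'
    $lm    = Get-LsaValue 'LmCompatibilityLevel'
    $loop  = Get-LsaValue 'DisableLoopbackCheck'
    $lmEffective = 3
    if ($lm -ne $null) { $lmEffective = [int]$lm }

    New-Object PSObject -Property @{
        Setting = 'Network access: Sharing and security model for local accounts (ForceGuest)'
        Raw     = $force
        Meaning = $(if ($force -eq 1) { 'Guest only - local users authenticate as Guest' } else { 'Classic - local users authenticate as themselves (default)' })
        Note    = $(if ($force -eq 1) { 'Thread: gave 4625 / NULL SID on RDP until reset to Classic' } else { '' })
    }
    New-Object PSObject -Property @{
        Setting = 'Network security: LAN Manager authentication level (LmCompatibilityLevel)'
        Raw     = $lm
        Meaning = $LmLevelText[$lmEffective]
        Note    = $(if ($lmEffective -ge 4) { 'Refuses LM/NTLM; thread: "refuse LM & NTLM" gave 4625 for one poster, level 3 cleared it' } else { '' })
    }
    New-Object PSObject -Property @{
        Setting = 'NTLM loopback check (DisableLoopbackCheck)'
        Raw     = $loop
        Meaning = $(if ($loop -eq 1) { 'Loopback check DISABLED for every host name' } else { 'Loopback check enabled (default)' })
        Note    = $(if ($loop -eq 1) { 'Removes NTLM reflection protection host-wide; prefer listing only the needed names in Lsa\MSV1_0\BackConnectionHostNames' } else { '' })
    }
}

Get-LsaAuthSettings | Format-Table Setting, Raw, Meaning, Note -Wrap
```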
  • We have run into this same issue at multiple client sites when Windows Server Essentials is installed or used. We found a scheduled task named Alert Evaluations under Windows Server Essentials that was running every 30 minutes and generating the errors in the event logs. I suspect it somehow cached credentials from when the role was added to the server, so perhaps clearing out any cached credentials may also fix this issue. Disabling the Alert Evaluations task in Task Scheduler resolved the problem for us in several cases.
    Friday, July 08, 2016 4:14 PM
  • This was my issue as well. Thank you very very much!

    JJC

    Thursday, July 27, 2017 12:34 PM
  • That's because you're trying to log on with credentials for your domain and that other server has not been set up in that domain.

    You need to add the new server to the forest and set up DNS and DHCP (if you have them on the original server) so that they can communicate.

    Then you will be able to log on with your domain credentials as it will be included as part of the domain.

    Hope it helps and yes I know it's an old bloody post lol. Just in case anyone can use it for future help! :-)

    Saturday, March 03, 2018 12:30 AM