Multiple security audit failures a second

Similar Messages

• Windows 7 Security Audit Failure message 6281 & Security Kernel

  OS:  Windows 7 Home Premium Ver 6.1 Build 7601 SP 1
  Toshiba Satellite C655
  I received a Windows 7 Security pop-up saying there was a Kernel mismatch and asked if I wanted to proceed.  Not thinking - i hit yes.  Looking through the Security Audit Log - I found an audit failure with 6281 System Integrity Error.  I
  am assuming they are related.
  Any idea what have I done and what do I need to check/do to recover?
  Thanks

  Hi,
  Please upload us the full error messages here, we need more information to narrow down the cause. Then check into
  Event Viewer, see if any other errors logged.
  Besides, check to see if there are any devices have new drivers need to update.
  Mostly this error is caused by the "Realtek Audio HD driver", please check to see if we have any related devices.
  Reference:
  Windows 7 freeze after shutdown
  Best regards
  Michael Shao
  TechNet Community Support

• Unable to receive an email by task scheduler on audit failure in windows server 2008 r2 security log

  Deal All,
  I am sorry in advance if i would be on wrong forum, i have created a task on Server 2008 r2 Domain controller that when an audit failure event triggered in windows security log then an email should reach on my email ID, but unfortunately, nothing happen
  on audit failure.i receive no email from task scheduler.
  kindly suggest me to resolve the issue. I have created Email task on  event ID 4771.
  Thanks.
  Zeeshan Ibrahim Network Administrator

  Hi Zeeshan,
  I have found a hotfix against the same error messages, though it applies to Windows Vista and Windows Server 2008, I am not sure if it will work on your machine.
  Please refer to this KB article below:
  Duplicate triggers are generated incorrectly in scheduled tasks in Windows Vista or in Windows Server 2008
  http://support.microsoft.com/kb/2617046
  Please feel free to let us know if this hotfix couldn’t help you fix this issue.
  Best Regards,
  Amy Wang

• 4265 Audit Failure: NTLM Authentication Issue from constant Outlook Login Prompts

  Hello Technet!
  Last week I started running into a domain-wide issue where users could authenticate while connected to the domain, but would receive prompts to log in to our external host. The first prompt is for mail.domain.local, which works fine inside the office, and
  the second is owa.domain.com, which continually fails. 
  On the second prompt, the Exchange 2007 server (on Server 2008 R2) reports the following error:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 3/19/2015 9:10:19 AM
  Event ID: 4625
  Task Category: Logon
  Level: Information
  Keywords: Audit Failure
  User: N/A
  Computer: mail.domain.local
  Description:
  An account failed to log on.
  Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: user
  Account Domain: domain
  Failure Information:
  Failure Reason: An Error occured during Logon.
  Status: 0xc000006d
  Sub Status: 0x0
  Process Information:
  Caller Process ID: 0x0
  Caller Process Name: -
  Network Information:
  Workstation Name: DOMAIN-PC
  Source Network Address: 12.345.67.89
  Source Port: 56984
  Detailed Authentication Information:
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
  - Transited services indicate which intermediate services have participated in this logon request.
  - Package name indicates which sub-protocol was used among the NTLM protocols.
  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
  I've gone through quite a few attempted fixes already, all to no effect:
  1. I've both added BackChannelHostName to the server's registry, as well as described here: https://support.microsoft.com/en-us/kb/896861
  2. Verified SSL Cert status
  3. Internal and External OWA URI is set to owa.domain.com in EWC
  4. Set up the IIS7 authentication and SSL settings to their defaults, as described here: http://msexchangeguru.com/2010/10/05/autodiscover/
  5. I added a SRV record for autodiscover on our DC to correct an EXPR auth issue: https://acbrownit.wordpress.com/2012/12/20/internal-dns-and-exchange-autodiscover/
  Despite all these things, I haven't yet seemed to scratch whatever itch Exchange is having. All of the client Outlooks will get the prompt for owa.domain.com, even though their mail is working because they're in the office or on VPN. For whatever reason,
  the Mac Outlook 2011 users cannot authenticate to the mail server at all, so they are the ones hit the hardest by this issue.
  Any insight everyone here at TechNet can offer would be appreciated. Every fix and workaround I've looked at has either changed nothing, or pointed to something that was already configured properly. If there are details missing that I could offer to provide
  a better idea of the problem, please let me know. Thank you.
  -- Brian Q.

  Hi,
  Yes, it may be caused by the security updates on March 10, 2015. Please refer to the known issue in the following KB:
  http://support.microsoft.com/en-us/kb/3002657
  Please remove the security patch on the DC and restart server to have a try. Additionally, here is a similar thread for your reference:
  https://social.technet.microsoft.com/Forums/exchange/en-US/1b2a24d9-3d77-49f6-9d0f-63c71da64827/password-prompt-after-exchange-server-windows-updates?forum=exchangesvrclientslegacy
  Regards, 
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Winnie Liang
  TechNet Community Support

• What's the difference between "login block-for X attempts X within X" and "security authentication failure rate X"?

  What's the difference between, just for example, "login block-for 100 attempts 15 within 100" and "security authentication failure rate 3"?
  Please ignore the numbers, I need to know what the differences are in commands and what they do, what they affect.

  security authentication failure rate number_of_failed_attempts : A global configuration mode command used to specify the maximum number of failed attempts (in the range of 2 to 1024) before introducing a 15-second delay
  login block-for 100 attempts 15 within 100 : Block all access after 15 failed login attempts within 100 Secs for the period of 100Secounds (1.40 Minutes).
  The Cisco IOS Login Enhancements (Login Block) feature allows users to enhance the security of a router by configuring options to automatically block further login attempts when a possible denial-of-service (DoS) attack is detected.
  The login block and login delay options introduced by this feature can be configured for Telnet or SSH virtual connections. By enabling this feature, you can slow down "dictionary attacks" by enforcing a "quiet period" if multiple failed connection attempts are detected, thereby protecting the routing device from a type of denial-of-service attack.

• An account failed to log on unknown username or password. Causing Login audit failures

  I have a SBS11 Essentials server that is getting audit Failures over and over again. There computer account says it's the SBS11 server it's self.  It says unknown user name or bad password. I have checked for scheduled tasks, backup jobs, services and
  non of them are using any special user accounts.  I have used MS network monitor and can't find anything helpful to lead to the issue.  All computers in the network are running Windows 7.  The domain functional level is 2008 R2.
  I get a the 4768 event ID about a Kerberos event and then just after I get a Event ID 4625 account failure with Logon Type 3.  I have includes the events below.  I need to figure what is causing the audit failures as my GFI Test Hacker alert is
  catching it every morning.  Disabling the Test Hacker alert is not a option.  I have used Process Explorer also but can't seem to pin it down.  I also enabled Kerberos logging.
  http://support.microsoft.com/kb/262177?wa=wsignin1.0.  All event codes state its a unknown or no existing account but how do I stop it from happening?
  This is from the System Event log
  A Kerberos Error Message was received:
  on logon session TH.LOCAL\thsbs11e$
  Client Time:
  Server Time: 14:59:53.0000 3/4/2014 Z
  Error Code: 0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN
  Extended Error:
  Client Realm:
  Client Name:
  Server Realm: TH.LOCAL
  Server Name: krbtgt/TH.LOCAL
  Target Name: krbtgt/[email protected]
  Error Text:
  File: e
  Line: 9fe
  Error Data is in record data.
  This is from the Security Event log
  A Kerberos authentication ticket (TGT) was requested.
  Account Information:
  Account Name: S-1-5-21-687067891-4024245798-968362083-1000
  Supplied Realm Name: TH.LOCAL
  User ID: NULL SID
  Service Information:
  Service Name: krbtgt/TH.LOCAL
  Service ID: NULL SID
  Network Information:
  Client Address: ::1
  Client Port: 0
  Additional Information:
  Ticket Options: 0x40810010
  Result Code: 0x6
  Ticket Encryption Type: 0xffffffff
  Pre-Authentication Type: -
  Certificate Information:
  Certificate Issuer Name:
  Certificate Serial Number:
  Certificate Thumbprint:
  Certificate information is only provided if a certificate was used for pre-authentication.
  Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.
  I then get teh following error in the next event
  An account failed to log on.
  Subject:
  Security ID: SYSTEM
  Account Name: THSBS11E$
  Account Domain: TH
  Logon ID: 0x3e7
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name:
  Account Domain:
  Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xc000006d
  Sub Status: 0xc0000064
  Process Information:
  Caller Process ID: 0x25c
  Caller Process Name: C:\Windows\System32\lsass.exe
  Network Information:
  Workstation Name: THSBS11E
  Source Network Address: -
  Source Port: -
  Detailed Authentication Information:
  Logon Process: Schannel
  Authentication Package: Kerberos
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
  - Transited services indicate which intermediate services have participated in this logon request.
  - Package name indicates which sub-protocol was used among the NTLM protocols.
  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

  Well I opened the case for him and he never followed up with Microsoft :-(
  It's a kerberos issue, we're told to ignore it.  Would you be willing to be patient and stubborn and work with CSS to at least understand what's going on better?  I can tell you it's normal with Essentials but not the exact technical reason it's
  happening.
  Unfortunately TechNet isn't coming back, sorry folks :-(

• Audit failure every 2 minutes on a W2K8 standalone Server in a Workgroup EventID 4625

  Hello
  By chance I discovered that every 2 minutes there is a login failure on my standalone (Workgroup) W2K8 R2 Server.
  The administrator is disabled (login errors also appear when administrator user is enabled).
  Could not find any tasks that are running with administrator credentials. It seems to me that it must be from the same machine, as the source IP Address is 127.0.0.1.
  Does anyone have an idea?
  Here the log:
  An account failed to log on.
  Subject:
      Security ID:        SYSTEM
      Account Name:        NS2308064$
      Account Domain:        WORKGROUP
      Logon ID:        0x3e7
  Logon Type:            2
  Account For Which Logon Failed:
      Security ID:        NULL SID
      Account Name:        Administrator
      Account Domain:        NS2308064
  Failure Information:
      Failure Reason:        Unknown user name or bad password.
      Status:            0xc000006d
      Sub Status:        0xc000006a
  Process Information:
      Caller Process ID:    0x20c
      Caller Process Name:    C:\Windows\System32\winlogon.exe
  Network Information:
      Workstation Name:    NS2308064
      Source Network Address:    127.0.0.1
      Source Port:        0
  Detailed Authentication Information:
      Logon Process:        User32
      Authentication Package:    Negotiate
      Transited Services:    -
      Package Name (NTLM only):    -
      Key Length:        0
  Thanks & Regards
  Chris

  Hi,
  This a forum for windows 7.
  Please focus on one post to get better solutions.
  http://social.technet.microsoft.com/Forums/en-US/5019d759-b497-44e4-a82a-4fefd4e367c6/audit-failure-every-2-minutes-on-a-w2k8-standalone-server-in-a-workgroup-eventid-4625?forum=winserversecurity
  Thanks for your understanding!
  Regards,
  Ada Liu
  TechNet Community Support

• Kerberos audit failures, ~38-42 events PER MINUTE

  We have a server running "Windows Server Standard FE" 64bit SP2 (I know, embarrassing). The issue is that our Security log is getting FLOODED with audit failures from Kerberos Service Ticket Operations. We will see 38 all with the EXACT same time-stamp,
  then sometimes the next minute will have another 40, sometimes it's a 5 minute gap, sometimes it's a more random gap but regardless it never waits too long before another huge burst of failures. We actually have the issues on other machines running newer system
  (2k3, 2k8) but this one is hands down the most troublesome.
  Honestly I might be out of my depth here as I'm really not too keen on Kerberos ticket requests, but any information around this would be greatly appreciated to help me investigate the issue further. These errors haven't actually led to any problems or other
  errors, just bug the heck out of me when checking audits.
  A Kerberos service ticket was requested.
  Account Information:
  Account Name: <hostname>$@<domain>.LOCAL
  Account Domain: <domain>.LOCAL
  Logon GUID: {00000000-0000-0000-0000-000000000000}
  Service Information:
  Service Name: krbtgt/<domain>.LOCAL
  Service ID: NULL SID
  Network Information:
  Client Address: ::1
  Client Port: 0
  Additional Information:
  Ticket Options: 0x60810010
  Ticket Encryption Type: 0xffffffff
  Failure Code: 0xe
  Transited Services: -
  This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
  This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
  Ticket options, encryption types, and failure codes are defined in RFC 4120.

  :(   

• Security audit log for the last 30 days?

  Hi,
  My current settings for the security audit log is 20 MB (by default).  I dont want to control it with file size limitation, but by the no. of days the audit is recorded (max 30 days).
  What are the parameters that I would need to maintain?
  Or any additinal config is required?
  Thanks,
  Abdul

  Hi,
  My current configuration is like this:
  Name                Description                                           Current value                                            System default value
  FN_AUDIT     Name of security audit file          audit_++++++++
  DIR_AUDIT     Directory for security audit files     /usr/sap/GSP/DVEBMGS00/log     /usr/sap/GSP/D00/log
  rsau/enable     Enable Security Audit          0
  rsau/max_diskspace/local     Maximum space for security audit file     300M     20M
  rsau/max_diskspace/per_day     Maximum size of all security audit files per day          0
  rsau/max_diskspace/per_file     Maximum size of one single security audit file          0
  rsau/selection_slots     Number of selection slots for security audit          2
  rsau/user_selection     Defines the user selection method used inside kernel functions          0
  I have just activated the audit, and in just 30 minutes, I can see that the file is about 45MB.  If this is the growth rate, the 300MB allocated for audit will completely used in just a day.
  My requirement is - I want to track users and their activities for the last 30 days (or 45 days).  No log should be overwritten unless it is atleast 30 days old.
  In SM20, when I give selection from 1.1.10 to 31.1.10, it should show me all the activities during this period, without any breaks.
  Other doubts: Do I have to start auditing manually every day?  Or will it keep writing logs until it reaches 300 MB which can spread upto multiple days.
  Regards
  Abdul
  Edited by: Abdul Rahim Shaik on Feb 4, 2010 11:17 AM

• How to verify "security authentication failure rate" command

  i type "security authentication failure rate 2 log" in global configuration mode,then  login authentication failed many times but no the 15-second delay.
  why?Thanks.

  Steven,
  This command did NOT come in play till 12.3.1
  Command History
  Release
  Modification
  12.3(1)
  This command was introduced.
  12.2(27)SBC
  This command was integrated into Cisco IOS Release 12.2(27)SBC.
  12.3(7)T
  The range of the threshold-rate value was changed from 1 through 1024 to 2 through 1024.
  Usage Guidelines
  The security authentication failure rate command provides enhanced security access to the router by generating syslog messages after the number of unsuccessful login attempts exceeds the configured threshold rate. This command ensures that there are not any continuous failures to access the router.
  Regards,
  Alex.
  Please rate useful posts.

• 1000's of audit failures

  I am having an issue with server's randomly getting 1000's of audit failure errors, usually a reboot fixes the problem for a while but i need to get to the root cause of the issue. This is a virtual environment. I have 3 esx host running esx 4.1.  The
  first error i get is usually this 
  Message: 'This computer was not able to set up a secure session with a domain controller in domain NJ1due to the following: The RPC server is unavailable. This may lead to authentication problems. Make sure that this computer is connected to the network.
  If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise,
  this computer sets up the secure session to any domain controller in the specified domain.'
  Data: 'C0020017'
  The computer is still on the network as i can RDP to it. The 1000's of event ID errors are all the same See Below
  n account failed to log on.
  Subject:
  Security ID:
  NULL SID
  Account Name:
  Account Domain:
  Logon ID:
  0x0
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID:
  NULL SID
  Account Name:
  svc_or
  Account Domain:
  nj1
  Failure Information:
  Failure Reason:
  An Error occured during Logon.
  Status:
  0xc000005e
  Sub Status:
  0x0
  Process Information:
  Caller Process ID:
  0x0
  Caller Process Name:
  Network Information:
  Workstation Name:
  NJ100-MGMT01
  Source Network Address:
  10.8.32.45
  Source Port:
  56481
  Detailed Authentication Information:
  Logon Process:
  NtLmSsp 
  Authentication Package:
  NTLM
  Transited Services:
  Package Name (NTLM only):
  Key Length:
  0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
  - Transited services indicate which intermediate services have participated in this logon request.
  - Package name indicates which sub-protocol was used among the NTLM protocols.
  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
  Any help would be appreciated. 

  @Pace0214
  I need a little more info on your environment to get a feel for what may be going on.  How many domain controllers are you using?  How many sites do you have?  How are they configured, i.e., hub and spoke, spanned, etc.? Do you have DC's
  in the sites?  Are you using AD integrated DNS or some other method?  These are the big ones that come to mind. 
  Mr. X has got you looking in the right places, these types of errors are usually DNS or IP configuration related.  AD uses subnets to find everything that DNS doesn't.  It is what clients use to locate a DC to authenticate against and unless
  properly configured, you will get these types of errors. 
  Gary
  Gary G. Gray
   MCP, MCTS, MCITP, MCT Alumni
  Please remember to mark the replies as answers if they are helpful.
  This posting is provided AS-IS with no warranties or guarantees and confers no rights.

• My dv5 laptop has an internal "typing" noise/multiple security issues

  I'm not sure if this is a problem, but since I've had all kinds of issues with this particular model (the first Pavilion we were sent by HP had to be returned because the engineers finally deemed it unfixable), I thought I'd ask.  I'm a little nervous about a sound that makes me think of little gremlins inside the unit typing away.  It's not constant, but I'm wondering if that's normal and what the noise is. 
  Another problem is that periodically I'll get a message about the computer having "multiple security issues".  I then do a virus scan, which turns out fine, so I don't know what it means. 

  The Intel chipset issue is not at all related for your Notebook. Its quite unfortunate you are facing this problem as I would say its a coincidence that even your second hard drive went bad so soon.
  Time for you to RMA the new hard drive. 
  //Click on Kudos and Accept as Solution if my reply was helpful and answered your question//
  I am an HP employee!!

• Audit failures on Exchange 2010 and password prompts in outlook

  Starting last Thursday after I patched my domain controllers and other Windows systems and rebooted my Outlook users are being prompted for username/password continuously and my Exchange security logs reflect audit failures for NTLM which I think is triggering
  the prompt. The same users also have an audit success via Kerberos.
  If the password prompt it cancelled Outlook can send and receive email just fine but the box continues to pop up occasionally.
  I've worked on this for several days now and can't figure it out. The audit logs on the DC's are clean with no audit failures.
  The issue is also affecting Visual Studio users who log into a Team Foundation Server, they are continually prompted for credentials and can't get in and the audit logs show the same thing.
  I don't think this is an Exchange specific issue but more of a broader authentication problem.
  Can anyone shed any light on this?
  An account failed to log on.
  Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: mart.marc
  Account Domain:  AOF
  Failure Information:
  Failure Reason: An Error occured during Logon.
  Status: 0xc000006d
  Sub Status: 0x0
  Process Information:
  Caller Process ID: 0x0
  Caller Process Name: -
  Network Information:
  Workstation Name: AOG-LP047
  Source Network Address: 10.10.1.159
  Source Port: 50075
  Detailed Authentication Information:
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0

  Hi,
  It is a known issue if you install the following security updates on March 10, 2015:
  http://support.microsoft.com/en-us/kb/3002657
  The user would be prompted with credentials when NTLM is used to authenticate these Active Directory domain users and services. 
  We can remove this patch from all the DCs manually and check whether the issue persists.
  Regards,
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Winnie Liang
  TechNet Community Support

• Event 672 audit failure after migration to hosted Exchange

  I recently migrated a company to hosted Exchange.  They had been previously using in-house Exchange 2003 (on SBS 2003).  Exchange has been removed form the server and the 2003 SBS server is still running as the DC.
  Right after the migration the server began to recieve Error 672 failure audits, 1000s per day.
  I suspect these can be safely ignored, but is there a way to stop them as they show up on daily security reports.
  -Ken
  Event Type: Failure Audit
  Event Source: Security
  Event Category: Account Logon
  Event ID: 672
  Date:  11/24/2014
  Time:  10:11:40 AM
  User:  NT AUTHORITY\SYSTEM
  Computer: BUZZ
  Description:
  Authentication Ticket Request:
    User Name:  user@hosted Exchange.lan
    Supplied Realm Name: COMPANY.LOCAL 
    User ID:   -
  Service Name:  krbtgt/COMPANY.LOCAL
    Ticket Options:  0x40810010
    Result Code:  0x6
    Ticket Encryption Type: -
    Pre-Authentication Type: -
    Client Address:  192.168.x.x
    Certificate Issuer Name: 
    Certificate Serial Number: 
    Certificate Thumbprint: 

  Hi Ken,
  I suspect these can be safely ignored, but is there a way to stop them as they show up on daily security reports.
  We can stop audit failure events from being logged in Event Viewer by editing audit policy. More specifically, we can set the Group Policy setting
  Audit logon events to not to audit logon failure
  (uncheck the Failure checkbox), here is a screenshot below:
  Best Regards,
  Amy

• Microsoft-Windows-Security-Auditing

  Hi,
  I having issue to isolate and identify the repeat account audit fail issue on sharepoint server.
  Any help on this is appreciated.
  Log Name:      Security
  Source:        Microsoft-Windows-Security-Auditing
  Date:          4/4/2015 3:45:59 AM
  Event ID:      4625
  Task Category: Logon
  Level:         Information
  Keywords:      Audit Failure
  User:          N/A
  Computer:      SPT01
  Description:
  An account failed to log on.
  Subject:
   Security ID:  A\admin
   Account Name:  admin
   Account Domain:  A
   Logon ID:  0x176462
  Logon Type:   8
  Account For Which Logon Failed:
   Security ID:  NULL SID
   Account Name:  admin
   Account Domain:  a
  Failure Information:
   Failure Reason:  Unknown user name or bad password.
   Status:   0xc000006d
   Sub Status:  0xc000006a
  Process Information:
   Caller Process ID: 0xed4
   Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe
  Network Information:
   Workstation Name: SPT01
   Source Network Address: -
   Source Port:  -
  Detailed Authentication Information:
   Logon Process:  Advapi 
   Authentication Package: Negotiate
   Transited Services: -
   Package Name (NTLM only): -

  Hi,
  Based on the description of the fail issue, the account failed to log on the server and the fail reason was that Unknown user name or bad password.
  From the sub state is 0xc000006a, the description of the sub state is that user name is correct but the password is wrong. I recommend you to check if the password is right.
  You can also check the machine's PHS-AERO health by using:
  NLTEST /SC_VERIFY:domain-name
  And if the result is SUCCESS, you can also try NLTEST /SC_RESET:domain-name several times to see what happens. The SC_RESET command forces the machine to select a new DC to authenticate against and you should see a random switching between your DCs.
  There is a similar case:
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/ae9da10a-b4d2-4eda-ae6d-ad61b7b6ab79/audit-failure-event-id-4625?forum=winserversecurity
  The article below is about Event ID 4625, you can take a look.
  https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625
  Best regards,
  Sara Fan
  TechNet Community Support
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
  [email protected]