I am trying to use System.Net.WebClient in a WinForms application to upload a file to an IIS6 server which has Windows Authentication as its only 'Authentication' method. WebClient myWebClient = new WebClient(); myWebClient.Credentials = new System.Net.NetworkCredential(@"boxname\peter", "mypassword"); byte[] responseArray = myWebClient.UploadFile("http://localhost/upload.aspx", fileName); I get a 'The remote server returned an [...] read more
In 3 separate systems, the following event is being logged many times (between 30 to 4,000 times a day depending on the system) on the domain controller server: An account failed to log on. Subject: Security ID: SYSTEM Account Name: %domainControllerHostname%$ Account Domain: %NetBIOSDomainName% Logon ID: 0x3E7 Logon Type: 3 [...] read more
I have a Windows Server 2008 R2 system that's showing thousands of 4625 Logon Failure errors with Logon Type 8 (NetworkCleartext) in the Security section of the Windows Logs every single day. There are no IP addresses of the systems trying to gain access listed in the Source Network Address, [...] read more
We have several AD servers with established forest trust between them, so Windows users from different domains are able to get access to restricted resources. Suppose we have domainA.com and domainB.com, so any user from the domain domainB.com can login to resource on domainA.com. For security reasons anonymous access to [...] read more
I have many audit failures with event ID 4625 and Logon type 3 in my event log. Is this problem from my server (internal services or applications)? Or is this a brute force attack? Finally, how can I find the source of these logins and resolve the problem? This is detailed information in [...] read more
I have received lots of failure audits on my server. From the log, I have identified the particular machine that is the culprit. How can I identify which process is sending the login request? Do you have any idea how to find out? Below is the detail of the log. [...] read more
I'm aware that plugins like docker-volume-netshare exist and I've used them in the past but for this project I am constrained to the local driver only. I can successfully create and use a CIFS volume with the local driver in the traditional sense (passing it the username/password inline) but now [...] read more
I am working on setting up authentication into an Acme Packet Net-Net 3820 (SBC) via RADIUS. The accounting side of things is working just fine with no issues. The authentication side of things is another matter. I can see from a packet capture that the access-request messages are in fact [...] read more
All, I have a WCF web service (let's call it service "B") hosted under IIS using a service account (VM, Windows 2003 SP2). The service exposes an endpoint that uses WSHttpBinding with the default values except for maxReceivedMessageSize, maxBufferPoolSize, maxBufferSize and some of the timeouts that have been increased. The [...] read more
I have configured autofs on CentOS using /etc/auto.mymount. Something like this: mymount -fstype=cifs,rw,noperm,credentials=/etc/auto.creds.svc_account ://winserver.domain.local/SharedFolder This has been working and still does for some mounts. However a password has been changed for an account which is used for connecting to a Windows server and this now contains all sorts of special [...] read more
We are having a considerable number of Audit Failure Events (4652) coming through to the Windows Event Log, caused by our WCF services. Question > Does anyone know why we could be receiving these audit log entries, and how > can we stop them from occurring WITHOUT removing certificate security [...] read more
We have a very basic SOAP web service setup using Windows Authentication, open for all users: <authentication mode="Windows" /> <authorization> <allow users="*" /> </authorization> The Issue However, some Windows accounts are getting 401 Forbidden errors. What works * A select list of accounts always work (regardless of NTLM/Kerberos, local/external server) [...] read more
I'm trying to send automated emails from a C# console application from machines to clients all on the same domain via our internal Exchange 2007 server (using SMTP), but I'm hitting a snag with distribution lists that only allow authenticated senders. Basically the mails I'm sending are getting rejected by [...] read more
I am getting about 200k of these an hour: An account failed to log on. Subject: Security ID: SYSTEM Account Name: TGSERVER$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 4 Account For Which Logon Failed: Security ID: NULL SID Account Name: administrator Account Domain: TGSERVER Failure Information: Failure Reason: [...] read more
I've got a strange problem relating to basic Windows Scheduled tasks that has baffled me for a few weeks now. These jobs fail to run on some servers, but work on others which are running on different hardware/VMs platforms. Initially this was a problem we spotted deep within one of [...] read more
A previously nicely functioning Remote Desktop Server Farm has stopped working two days ago. The setup is as follows: * DNS resolves "myfarm.mydomain.local" to the IPs of all the farm member servers * All farm member servers are configured as farm members of farm "myfarm" on Broker MYBROKER * All [...] read more
We have a cloud web server serving several e-commerce websites, which is running Windows Server 2008 R2 and IIS 7.5. We access the server via RDC. After looking at the windows security log I can see many many login attempts, which are events: * 4776 - The computer attempted to [...] read more
We have two Windows 2008 R2 SP1 servers running in a SQL failover cluster. On one of them we are getting the following events in the security log every 30 seconds. The parts that are blank are actually blank. Has anyone seen similar issues, or assist in tracking down the [...] read more
Ubuntu 14.04 file server Ubuntu 14 Active directory (AD) server running Samba 4 Ubuntu 18 client (fresh install) I've configured for Ubuntu user home directories to be mounted via PAM and SMB/CIFS. The test directory will mount via CIFS manually, but not when called by PAM at the login. The [...] read more
I've been fighting with this for around a week now. I'm trying to get a RADIUS server to authenticate against our Samba-based Active Directory, but I can't get it to work. Because of our infrastructure, PAP will not work. Because AD does not offer a known good plaintext password, CHAP [...] read more
Situation: Using a Windows 10 workstation, that's in the domain OFFICE, I initiate a RDP connection using smart card logon and certificates to a RDS gateway in a foreign domain REMOTE. The foreign domain accepts certificates from CA OFFICE-CA that issued certs on the smart card used, which is in [...] read more
Let me start off with some details on my environment: * Windows Active Directory Domain Environment * Domain Controller: Windows Server 2003 R2 * Problem Workstation: Windows 7 Professional 64-bit Lately I've gotten reports of Domain User Accounts being locked out due to excessive Login Failure attempts. I've gotten reports [...] read more
On my new Azure 2012r2 boxes in a DMZ I can't get a WMI query to work with a FQDN reference. These queries run from the local machine, but need to reference it by FQDN to work with our monitoring solution. It is erroring out with 'access is denied'. The [...] read more
I am researching a failed login issue that is triggering our monitoring software. Researching the issue, the only other information I could find that was exactly what I was seeing, was on here: Event 4625 Audit Failure NULL SID failed network logons Trying to track this down, I used Process [...] read more
This is basically a cross post from my StackOverflow question to see if I can get a server side perspective. I'm trying to send automated emails from a C# console application from machines to clients all on the same domain via our internal Exchange 2007 server (using SMTP), but I'm [...] read more
I am trying to mount a share (D$) from Debian (running inside Hyper-V) on my Windows 8 computer, using the following command: sudo mount -v -t cifs //192.168.99.1/D$ /media/d -ocredentials=/home/emi.smbcredentials,sec=ntml However, the command fails with the following output: enter image description here [https://i.stack.imgur.com/3Omxw.png] The share works fine from other computers, [...] read more
Over the past few days we have been getting loads of audit failures on the event viewer > security. I suspect they are hackers trying to gain access to the server, but they fall into 2 types: One where an IP address is being captured An account failed to log on. [...] read more
I'm trying to set up Microsoft AD like user repository for IBM MQ v9 Queue Manager, but without success. I read the document https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.ref.adm.doc/q085490_.htm, but it's very unclear with all those diagrams, dashes and arrows. My final goal is to have the ability to grant or revoke authorizations based on [...] read more
I'm calling a web service (named SecurityService) as below: SecurityService.Service securityService = new SecurityService.Service(); securityService.Credentials = networkCredential; return securityService.GetUserToken(); The service has Windows Authentication enabled, nothing else. This piece of code above works, from remote machines. When I push this same code out to the IIS server that this service [...] read more
The server is in workgroup (not domain). The self-hosted WCF service is configured with Windows security. Binding is netTcpBinding. <security mode="Transport"> <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" /> </security> The WCF client runs on the same server. A server certificate is used to encrypt traffic (probably it does not matter) I implemented a [...] read more
The issue is that we have a website on a standalone webserver (Windows 2003 SP2 - Machine name is TESTAPP which can be seen in the log below) which uses TransactionScope. The SQL Server 2008 R2 machine (Windows Server 2008) is within a domain. When the standalone machine hits the [...] read more
I'm struggling with what seems like a simple task: Create a secure WCF service with Message security option. WCF service should only respond to clients that provide a valid X509 certificate. Once the clients are authenticated, it should treat them as anonymous users but execute their requests. Http is used, [...] read more
I have an ASP.NET MVC intranet site that uses Windows Authentication (Kerberos) exclusively with pass-through authentication. It is setup to use an app pool (v4/integrated) that uses the Network Service identity. The web site provides a pretty UI on top of a network share that is hosted on another machine [...] read more
I've been trying to make RADIUS work with Zentyal without success, I've tried logging in with an Android phone and a Windows 10 PC but none of them worked. Joining the domain using LAN works fine, using radtest without mschap works fine too, the problem here seems to be mschap, [...] read more
We have a customer with a Windows Server 2016 domain controller. It's a small business so their server infrastructure consists of a Hyper-V host and this DC. The DC hosts file shares and Azure AD Connect for syncing identity with Office 365. We monitor for event ID 4625 and have [...] read more
My problem is logspam. I have 2 Windows AD domains with Windows domain controllers. Domain A has some Ubuntu/Samba domain members. I have no issue using accounts in domain A to log into the servers, no problem accessing folders shared from the Ubuntu hosts using AD credentials. Domain B trusts [...] read more
I am receiving huge number of 4625 events in Win 2012 server. Below is the event details. Account name and the workstation name are the same and is the hostname of the machine in which I am receiving "An account failed to log on" events. Could someone please help me [...] read more
We are having a problem where one user is unable to authenticate using Windows Authentication. The site is configured to allow "All Users" to access the website and I have confirmed that this user is a member of the "Domain Users" group in AD. Looking at this users group membership [...] read more
We have a domain-joined RDS 2008 R2 server where logons are rejected for domain accounts (even domain admins) coming in directly over the internet, but it works fine over VPN or internally. The RDS server also has a number of local accounts, and those logons work fine directly over the [...] read more
I have a VPS running Windows Web Server 2008 R2. I'm able to connect using Remote Desktop from my home PC (Windows 7), personal laptop (Windows 7), and work laptop (Windows XP). However, I cannot connect from my work PC (Windows 7). I receive the error "The logon attempt failed" [...] read more
We have a GPO that states that if a user unsuccessfully logs on more than 3 times, the account is locked for 30 mins. We have a single user who keeps getting locked out and there are no services, scheduled tasks running under her account. Audit Log An account failed to [...] read more
I'm having some trouble mounting a network share using autofs. I have added the following line to /etc/auto.master: > /mnt/mountpoint /etc/auto.servername I then created the file /etc/auto.servername with the following contents: > server-ip -fstype=cifs,rw,noperm,user=DOMAIN\username,pass=password ://server-ip/share I then run service autofs restart and ls /mnt/mountpoint to determine whether autofs succeeds in [...] read more
I have full admin access to the AD '08 server I'm trying to authenticate towards. The error code means invalid credentials, but I wish this was as simple as me typing in the wrong password. First of all, I have a working Apache mod_ldap configuration against the same domain. AuthType [...] read more
I'm using IIS 7 Digest authentication to control access to a certain directory containing files. Users access the files through a department website from inside our network and outside. I've set NTFS permissions on the directory to allow a certain AD group to view the files. When I click a [...] read more
I want to connect to localhost via remote desktop, the OS is Windows Server 2008 R2. I can connect successfully using 127.0.0.1, ::1, localhost and the IP address in the network. But when I tried to connect using the domain name that points to its IP address in the network, I encountered an [...] read more
I was following this tutorial: http://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto to setup AD integration but I am still experiencing problem with FreeRadius. When I use radtest -t mschap "username" "password" localhost 1812 testing123 it returns: Received Access-Reject Id 250 from 127.0.0.1:1812 to 127.0.0.1:59482 length 38 MS-CHAP-Error = '\000E=691 R=1' (0) -: Expected Access-Accept got [...] read more
I need to connect to AD LDS instance using StartTLS and get the list of users from there. Unfortunately it has to be done in the legacy C++ app. I've installed test AD LDS on Windows 2008 R2 machine (running on Network Service), it looks like I've set up SSL [...] read more
This is our windows 2008 R2 server with all the updates installed. I have limited RDP access to my own IPs only (Windows firewall rules). When I try to RDP from any other IP, don't even get username/pass screen (means rules have been set correctly). Also only RDP and http [...] read more
I am trying to send and receive messages from a local workgroup machine (Windows 7), call it the 'client', to Service Bus 1.0 set up on a workgroup server (hosted on AWS EC2). After many trials and research I'm unable to send messages from the client machine to the server. [...] read more
I have the following error while running the build in the dynamic view. It looks like an mvfs caching problem. The build succeeded after I ran it few times but what might be the problem behind it? pid/tid 900/938} cleartext lookup view= vob= dbid=0x80000173 - error 6 [2013/12/14 02:56:10.233] mvfs: [...] read more
WinHTTP authentication described here: http://msdn.microsoft.com/en-us/library/windows/desktop/aa383144(v=vs.85).aspx works if I don't use "Transfer-Encoding: Chunked\r\n" header when calling WinHttpSendRequest(). If I do, I'm not able to log on, because WinHttpReceiveResponse() fails after setting credentials with WinHttpSetCredentials() and resending the request again with WinHttpSendRequest(). Since I really need chunked transfer, is it possible to [...] read more
I have an IIS set up in a domain A, on let's call it the process network. We are using windows-authentication and in this environment everything works as it should. But we also have users on an office network set up in domain B. There is no trust between the [...] read more
This may be stupid/not possible. However, what I am trying to achieve is as follows: * I have a VM hosting WCF web services in IIS 7 on Windows Server 2008 * I am using the basichttp binding * The client code runs perfectly on other machines * This server [...] read more
I'm trying to set up a TFS2010 (with SP1) server and I keep running into hurdles. The latest prevents me from doing anything useful as every HTTP request to "https://tfs.myserver.com/tfs" results in a HTTP 401. It doesn't matter if these requests come from the TFS Administration Console or from a [...] read more
I apologize in advance for the length of this question, but I wanted to be sure to provide complete information as I have been researching it for weeks. As a followup to this question on WCF authorization errors, I'm trying to determine how to specify the SPN (or should this [...] read more
Okay, so I configured pam_mount on my CentOS 6 machine as I did on my CentOS 7 and 5 machines. But when I log in locally or via SSH, pam_mount can't mount my home dir. When I log in with a local user, and su to a user who needs the home [...] read more
I have a Windows 2008R2 server that is reporting failed login attempts from a number of workstations on our network. Some event log details: Event ID 4625, Status: 0xc000006d, Sub Status: 0xc0000064 Security ID: NULL SID, Account Name: joedoe, Account Domain: Acme Workstation Name: WINXP1, Source Network Address: 192.168.1.23, Source [...] read more
I have a server that keeps getting failed login events (4625). They occur roughly every 20-30 minutes daily. They also appear to be on a schedule. I've tried deleting stored credentials. Disabling RDS. I've tried locating a pattern with Procmon and Wireshark, and at one point thought it might be [...] read more
I'm trying to access a Windows Server 2019 share (inside a domain) from a CentOS6 host. I can browse the share via smbclient, but mounting fails: Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE CIFS VFS: Send error in SessSetup = -13 CIFS VFS: cifs_mount failed w/return code = -13 On the Windows [...] read more
A patch/update to Windows domain controllers to address the CVE-2020-1472 vulnerability at my organization is causing cifs-based mounting of shared drives to fail on Ubuntu Linux machines. The Linux machines are connecting to the Windows shares using directives in /etc/fstab, like so: //12.34.56.78/shared_folder /home/username/shared_folder cifs credentials=/home/username/.smbcredentials,iocharset=utf8,file_mode=0777,dir_mode=0777 0 0 I have [...] read more
Good morning, I'm running an instance of freeradius 3.0 to use WPA2-Enterprise authentication on my wireless LAN. The authentication against the AD works like a charm using ntlm_auth, but now I'm trying to authenticate the users who are not in the AD via SQL. Looking into the debug output of freeradius [...] read more
We've identified an obscene amount of user login attempts from users that are not in our domain. Below are example log files. We can't narrow down where these logins are coming from. None of the computer sources are showing, unfortunately. Is there another way I can narrow down the source [...] read more
I can't figure out how to entirely disable anonymous logon on Windows Server 2016 which is not a domain controller (regular instance). With the settings currently set I'm truly surprised to see such logons come through, which stands opposite to the description of the corresponding settings in SecPol.msc. I have turned logon [...] read more
I need some help. I am seeing a lot of attempted logins in my Security Log. This is a fairly new GoDaddy VPS Server running Windows 2008 R2. The attempts are with various user IDs, that do repeat. THE LOG ENTRY LOOKS LIKE THIS: Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: [...] read more
I have a little test project in netcore (2.1.401) that returns the logged in user via CNTLM. I deployed it to an IIS server following [this guide]. I also added the website to the hosts file. If I deploy it as an application inside the default web site it works [...] read more
We are currently seeing an issue in our environment where domain service accounts are attempting to validate against a machine locally. These attempts fail, generating Event 4625 with Sub Status 0xc0000064 (username not found). Once these fail, the accounts attempt to authenticate against the domain controller where they succeed generating [...] read more
I have a Windows 2008R2 server that is reporting a constant stream of failed logon attempts. Someone is brute-forcing this server and I cannot tell from where. The Event IDs triggered are 4625. Below is an example of the Audit Entry: An account failed to log on. Subject: Security ID: NULL [...] read more
This question has been asked in various forms but none of the solutions worked for me. I am trying to run icinga from a Linux box and one of the plugins uses WMI queries. It's failing, so I decided to run simple wmic queries to find the issue. I use the [...] read more
We have a 2008 R2 virtual server that is only used for logon via RDP or from local console. No VPN traffic is required. The server was under attack for a couple of days, viruses were installed etc. Most of it is cleaned up now but I still see many [...] read more
Following this guide, I am trying to set up FreeRADIUS to authenticate against Active Directory. I can get an Access-Accept message when I send the password in plaintext (using the DEFAULT Auth-Type = ntlm_auth method); however, I want to use mschapv2 so the password is not sent in plaintext. when [...] read more
We have a Windows 2012 R2 RDS server and a Windows 2008 R2 Domain Controller. Every time a user logs on or off of the RDS server, It logs event 4771 audit failure incorrect username or password for the machine account of the RDS server on the DC. The RDS [...] read more
Using the official latest HAProxy Docker container and the following config file: frontend logging_frontend bind *:1514 mode tcp timeout client 1m default_backend logging_backend backend logging_backend mode tcp balance roundrobin timeout connect 10s timeout server 1m server logstash-collector-01 logstash-collector-01:1514 check server logstash-collector-02 logstash-collector-02:1514 check server logstash-collector-03 logstash-collector-03:1514 check I'm getting logs [...] read more
An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: xyzuser Account Domain: srkt Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xc000006d Sub Status: [...] read more
I have several public servers that we remote in to through remote desktop services. I have Remote Desktop - User Mode (tcpip-in) set to only allows specific remote ip addresses through. I have checked and the windows firewall is enabled. I have all of the other rules for remote desktop [...] read more
I'm kind of a n00b when it comes to dealing with Server issues, so I need some help. Setup: I have a scenario where there are two machines involved, both of which are using Windows Server 2008 Standard. One is called the IS Server (has IP 10.1.1.89 and machine name [...] read more
I have been trying to wrap my head around this for a while, but can't seem to find a solution. I have seen many similar questions here and in other fora, but none match my situation. All other threads have explicit source, account and IP info, but mine doesn't. This [...] read more
During a 4625 windows event (failed logon) such as the below who has actually typed the incorrect credentials? a) Was it the user on computer logged in as paulb incorrectly typing admin-user credentials? Or b) is it the user logged in as admin-user incorrectly typing paulb's credentials? WinEvtLog: Security: AUDIT_FAILURE(4625): [...] read more
Our Active Directory domain recently enforced smart card logons for administrator accounts. Since this change we have been unable to access some servers (2008 R2) using Remote Desktop. When attempting to logon we get the following error message: "The Kerberos protocol encountered an error while validating the KDC certificate during [...] read more
This is a weird one. We were happily running with Windows Authentication on our intranet site until I demoted one of our domain controllers. Now some workstations still work fine and are authenticated automatically, but others cannot get authenticated at all. The browser prompts for credentials and it doesn't matter [...] read more
I have the following firewall setup in my Advanced Windows Firewall screen: enter image description here [https://i.stack.imgur.com/1AjdR.png] enter image description here [https://i.stack.imgur.com/fWf31.png] If I understand it correctly, only the two ips I have listed should be able to connect to my remote desktop service. Here is the rds setting that [...] read more
I just don't know a better way to describe my issue that is driving me nuts. I am trying to establish a test domain with virtual machines on a box that has Win7 with VMware Workstation installed. The purpose of this domain will be so that we can try and [...] read more
I'm having a small problem with access to shared folders on a Domain Controller from Linux. Here is my setup: * 1) Windows 2008 R2 SP1 - DC * 2) Windows XP SP 3 * 3) Linux Debian 6 + Samba server + LikeWise Open Situation: * Shares on Windows [...] read more
I help a client manage a website that is run on a dedicated web server at a hosting company. Recently, we noticed that over the last two weeks there have been tens of thousands of Audit Failure entries in the Security Event Log with Task Category of Logon - these [...] read more
Greetings, I have a Windows Web Server 2008 VPS and two client machines. One is a Windows 7 box and the other XP. I configured one folder as a share on the 2008 box and attempted to mount it on each of the clients. The catch is it won't work [...] read more
I am building a SharePoint test farm with SharePoint server 2007 Enterprise based on Windows Server 2008 R2. There are 3 different virtual machines (Hyper-V), all in the same domain, UCTEST. When I installed SharePoint and ran the configuration wizard, I entered a domain account (svc_sp) as the main farm [...] read more
I want to permanently mount a Samba share on a newly set-up Linux Mint 20.1 system. I'm running Samba version 4.10 on FreeNAS 11.3. I can mount in the current session by running in the terminal (from this manual): sudo mount -t cifs //net-host/share /mnt/share -o user=user,password=mypw,domain=lan To permanently mount [...] read more
I have a Windows 10 Professional PC running 20H2 build 19042.685. I recently reformatted the PC and freshly installed this version. It was running the same or very similar version prior to the reformat. It is set up with local accounts (not Microsoft accounts), and uses workgroups. Prior to the [...] read more
I am getting a few hundred failed logon attempts every hour on my web server running on Windows. I can see that because I enabled auditing of failed logon attempts. In Windows Event Viewer, the log entries do not show an IP address that I can block: An account [...] read more
I'm getting many failed logins on my windows root server. I already blocked RDP Port, but In the event viewer I still see many failed logins. They look like this: Fehler beim Anmelden eines Kontos. Antragsteller: Sicherheits-ID: NULL SID Kontoname: - Kontodomäne: - Anmelde-ID: 0x0 Anmeldetyp: 3 Konto, für das [...] read more
First, I apologise if I selected a wrong thread for this question. I receive lots of login failures on a DC for an account called as a domain. So obviously instead of a username, someone put there a domain name. And I'm trying to figure out the source of login [...] read more
I have a folder shared on a Windows 8.1 machine. It is shared with "Everyone" and "Everyone" has "read/write" access. In the security tab of the properties dialog of the folder, again "Everyone" has been given "Full Control". I specifically want this folder to be publicly accessible to everyone in [...] read more
Windows 8 - Surface Pro - Active Directory Domain User I was once logged into our domain. At some point I started to get the "The Username or password is incorrect. Try again message." The same domain login and password works on other PCs. I can log in as another [...] read more
I'm using a custom filter view to show attempted local failed logins. This works great apart from it still shows failed logins from Logon Type '0'. I've tried suppressing these events and they still show. Here is my filter: <QueryList> <Query Id="0" Path="ForwardedEvents"> <Select Path="ForwardedEvents"> *[ EventData[Data[@Name='LogonType']='3'] and EventData[Data[@Name="SubjectUserSid"] = "S-1-0-0"] [...] read more
New to this forum and IT. Have a Windows server on AWS and find that the Windows security event log has 200,000 invalid login attempts. Every few seconds I get an "audit failure" log entry. Questions: 1. How common is this? 2. What can be done to stop it? (they come [...] read more
I have continuous login requests on Windows Server 2016. Each time it is requested from a different IP address, also from countries where we don't have users for sure, because we have only 10 users in one country in one office only; we are sure all are in one country. I know our server should have [...] read more
I installed freeradius 3.0.16 on Ubuntu (bionic) and it works fine. However, the logging in /var/log/freeradius.log is too verbose for my taste: # cut -d: -f4 radius.log | sort | uniq -c 609 Auth 22 Error 261 ERROR 2262 Info 51 Warning I'd like to get rid of all thos [...] read more
I want to use WinRM to communicate via Ansible with my Windows host. I've configured WinRM and specified the credentials in the Ansible hosts file in plain text. Ping is working. Now I want to specify the password as encrypted - but what's the best approach here? I've tried to [...] read more
I am writing a cronjob that ingests logs in lumberjack/beats format and converts the incoming log to JSON. Input is a string containing a list of key/value (nested) separated by = I want to parse/map it to a JSON using Javascript I have written this snippet to convert this which [...] read more
We have a windows service hosting some wcf web services that are authenticated with wsHttpBindings. A user experienced authentication issues and it turned out her password had expired. She then changed her password and restarted the computer. After this password change she was no longer able to access the web [...] read more
I migrated a .NET Framework REST API project into a new server and new domain. The OS on both the previous and the new server are Windows Server 2016. I'm using gmail smtp server over SSL/TLS. The relevant ports are open in AWS (where I migrated to). I am able [...] read more
I have been facing issue in my Windows Server 2008 R2 that there are thousands of Audit failure logs and MSSQLSERVER logon failed attempts logs as follows. 1. Audit Failure Log Details : An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - [...] read more
I have been searching high and low for an answer, but I cannot seem to figure out why a few of our users keep getting locked out every 30 seconds. I unlock the account and then can watch the login attempts within seconds lock them out. I have tried tools [...] read more
Trying to set up VPN authentication against different realms/windows domains. I'm using OpenVPN Access Server which directs all authentication requests (username in the form of user@domain) to FreeRADIUS server (3.0.15) with required proxy.conf and realms config so that forwards (proxies) the access-request to home server. The OpenVPN is configured to [...] read more
I'm trying to create a simple action filter for my MVC site that checks the current Windows user against those allowed access to the site. For some reason, the filterContext.HttpContext.User.Identity object is always set to anonymous with no username. I've tried to grab it at different stages (OnAuthenticate and OnAuthorize), [...] read more
I have a solution containing 2 WCF services Selfhosted in one Window Service, one for regular http and one for https. The client can connect to the http service but when connecting to the https service I get : > An error occurred while making the HTTP request to > [...] read more
I have a Windows Server 2012 R2 Azure virtual instance and a few ports are open on it, i.e. (80,443,RDC). I have observed the below logs in the Windows Event Viewer in the Security section. Event 4625 : Microsoft windows security auditing -------log description start An account failed to log on. Subject: Security ID: [...] read more
Web deploy works when I publish from visual studio but fails when I call msdeploy.exe. The failure is 401 unauthorized but both ways use the same iis account to login. Both ways go via WMSVC. This is the web deploy command msdeploy.exe -source:package='MyZip.Api.zip' -dest:auto,computerName='https://94.236.2.239/MSDeploy.axd?site=MySitei',userName=myusername,password=mypassowrd,authtype=basic,includeAcls=false -verb:sync -disableLink:AppPoolExtension -disableLink:ContentExtension -disableLink:CertificateExtension -setParamFile:"MySetParameters.xml" -allowUntrusted [...] read more
I've got freeradius 2.1.12 running under Ubuntu 14.04, authenticating against a Windows 2012 Active Directory controller. While working fine most of the time, it may happen after a few days of running that suddenly valid users fail to authenticate. The log may then show things like Login incorrect (mschap: External [...] read more
I want to connect multidimensional cubes within Power BI. It's working in Power BI Desktop within our local domain. After publishing the report to Power BI I set up the Power BI Enterprise Gateway on our development Server (see Details below). The Power BI Services can connect to my Gateway, [...] read more
I am receiving HTTP error 401.2 when trying to authenticate to a website in IIS using the client certificate mapping module (clientCertificateMappingAuthentication). I have followed the instructions to set this up on a new website that serves a single html page. I've enabled client certificate mapping at the applicationhost.config level [...] read more
We're using Release Management for Visual Studio 2013 and deployments are working smoothly in DEV, QA and Staging servers, which are all in the same domain as the RM/Build server. Trying to setup Production deployment agent on a server that is outside the RM server domain and having issues. A [...] read more
I've been trying to connect to a web service using Active Directory credentials and on the server side this is what the event viewer shows: 08/06/2014 05:50:39 p.m. An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: [...] read more
While logged in to Windows as local administrator, installing XenDesktop with an AD administrator account is successful; below is what I have done: $adPassword= convertto-securestring "password" -asplaintext -force $adCredObject = new-object -typename System.Management.Automation.PSCredential -argumentlist "ad.mydomain.com\user",$adPassword $CurrentProcess = Start-Process -FilePath ".\xendesktop\x64\XenDesktop Setup\XenDesktopServerSetup.exe" -Credential $adCredObject -Wait -PassThru -ArgumentList "/COMPONENTS CONTROLLER,DESKTOPSTUDIO,DESKTOPDIRECTOR,LICENSESERVER,STOREFRONT /NOREBOOT /CONFIGURE_FIREWALL" But [...] read more
So I have an Unraid machine with some shares on it and I would like to be able to mount this share on my OpenWRT router for backing up/transferring files onto the router (avoids having to plug-in/remove USB constantly as the share is also mounted on my desktop). I followed [...] read more
First time posting here; also, English is not my first language. We have an issue with a network share. This share is set up by another company and we are using VPN to communicate with it. When running \\bunny\ on the Windows Server 2012 R2 we get "Wrong username or Password". Running [...] read more
I have a Windows 2012 R2 server which has Remote Desktop connections allowed from a very strict range of IPs. I keep getting these alerts, like at least 1-2/second win.system.systemTime: 2021-03-01T12:33:53.618157900Z win.system.eventRecordID: 172551097 win.system.processID: 588 win.system.threadID: 9160 win.system.channel: Security win.system.computer: WIN-OMVGMPM1RNF win.system.severityValue: AUDIT_FAILURE win.system.message: "An account failed to log on. [...] read more
After setting up Windows Hello for Business, in a Hybrid Azure AD joined Certificate Trust Deployment scenario, I ended up with the following events on my test client machine after a failed provisioning. I reviewed my setup, but I must be missing something. Any help would be highly appreciated. ############################## [...] read more
First of all I need to apologise for my poor technical and language skills. I will try to describe the problem in as much detail as I can. There is a subnet 172.16.10.0/24. In this subnet I have 3 servers, 1 storage and 7 workstations (the real count is much higher). All these machines [...] read more
I'm having a strange issue whereby a PC keeps on trying to connect to our file server as an account that's not recognised by the server. Looking at the event on the server it's trying to connect to, the login attempt is coming from a local account that we've setup [...] read more
We have a Windows Server 2016 webserver that acts as a hosting server and receives constant login attempts. Fortunately they all fail but it's filling our SIEM with alerts for repeated login attempts. On all our other servers, we locked down the RDP port so that it can only be [...] read more
A fairly new MS Windows Server 2019 VM installation is logging over a hundred Security Log Audit Failures a day with Event ID 4625. RDP for the server is enabled only for a single trusted WAN source IP through the Draytek Firewall. The server hosts 2 local applications and an [...] read more
How can I use an Azure AD account to remotely authenticate to Azure AD-joined Windows? I have: 1. Tried authenticating remotely using Azure AD accounts and every sign-in format that I'm aware of (listed below) but all result in error message The user name or password is incorrect and Audit [...] read more
One of my accounts is being locked out from a Windows server; it was tracked down using the Security Audit, which produced event ID 4740. It's a Windows Server 2012 R2 running only the WSUS service. I think the account is locked almost every 90 minutes, close to the GPupdate run. I [...] read more
I have a Windows Server 2008 with a shared folder. When I try to access the shared folder from within the network I get this Audit Failure: An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 [...] read more
I'm seeking help for this issue that I'm having in our AD domain controller where a lot of security events are being logged due to failed logon attempts by a (former) domain user that has been disabled and subsequently deleted. I'm trying to pin-point the origin of these attempts but [...] read more
I am getting constant event 4625 messages saying that accounts are failing to log in with non-existent usernames. Names such as: SALES, USER, TEST, HELPDESK, SUPPORT, PROGRAMMER are not users of ours, but we are getting 20 or so messages every minute saying accounts such as these are trying to [...] read more
short version: the NETAPP logs show that from our client (debian 8.7, cifs=2:6.4-1) machine the login fails alternatively. I.e. it is like one time it sends the good password, and then some wrong password, then again the good one, then again the wrong, etc (see logs at the end of [...] read more
I'm attempting to mount a Mac OS X 10.10 shared volume via Ubuntu Server 14.04.1. I've set this up successfully between two Macs but I'm having a problem Ubuntu to Mac. I've setup the shared volume "myStorage" via the Mac's Sharing System Preference panel. I've setup autofs file on the [...] read more
So, my knowledge of Remote Desktop Services is not so good, but I managed to get it up and running last year, and it's been working just fine for eight months. Now today no Remote Desktop users can log in. Console sessions are working fine though. I checked and the licensing is [...] read more
so I have this problem that pam_mount won't mount my cifs home dirs pam_mount has this in /var/log/messages: Feb 3 15:49:18 centosy nslcd[1278]: [3c9869] <passwd="tomas"> (re)loading /etc/nsswitch.conf Feb 3 15:49:20 centosy systemd: Starting user-3000044.slice. Feb 3 15:49:20 centosy systemd: Created slice user-3000044.slice. Feb 3 15:49:20 centosy systemd: Starting Session 1 [...] read more
I can mount the drive in the following way, no problem there: mount -t cifs //nas/home /mnt/nas -o username=username,password=pass\!word,uid=1000,gid=100,rw,suid However if I try to mount it via fstab I get the following error: //nas/home /mnt/nas cifs iocharset=utf8,credentials=/home/username/.smbcredentials,uid=1000,gid=100 0 0 auto .smbcredentials file looks like this: username=username password=pass\!word Note the ! [...] read more
I've added a new domain user - who is a member of the "Remote Desktop Users" group, but they are unable to log in to a domain member. The error in event viewer is Account For Which Logon Failed: Security ID: NULL SID Account Name: myaccount@mydomain.local Account Domain: Failure Information: [...] read more
While Viewing the windows server 2008 event log, I always find many security events 4625/logon as follows: **An account failed to log on.** Subject: Security ID: SYSTEM Account Name: Sever-Name Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 10 Account For Which Logon Failed: Security ID: NULL SID Account Name: [...] read more
I'm unable to get an SR made using command prompt or using XenCenter's interface dialogs. Here is the command I'm issuing: xe-mount-iso-sr //<mycomputer.domain.controller>/iso_share -o username=<my_domain_username>,password=<my_domain_password,domainname=ucads,sec=ntlmv2 Here is the response from the command: ======================= CIFS VFS: No response for cmd 114 mid 45629 Status code returned 0xc000006d NT_STATUS_LOGON_FAILURE CIFS VFS: Send [...] read more
We have been getting the following errors on our SQL 2008 R2 server several times a second. I have searched the internet to its ends and I cannot find a solution that will work in our situation. I have found several solutions online, but most of them will not work [...] read more
I have a problem with my freeradius server configuration. I want to be able to authenticate users against Windows ActiveDirectory (2008 R2) and the users file, because some of my co-workers are not listed in AD. We use the freeradius server to authenticate WLAN users. (PEAP/MSCHAPv2) AD Authentication works great, [...] read more
Alright fellow techies, here's the rundown. I have installed Server 2008 R2 Remote Desktop Services on a VM in my network. I installed the following RD role services: RD Session Host, Licensing, Connection Broker, Gateway, Web Access. When I set things up originally, the gateway server and RDWeb worked as [...] read more
I'm using Windows Web Server 2008 R2 and having these log events 10-20 times each day: An account failed to log on. Subject: Security ID: SYSTEM Account Name: SERVER241$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 10 Account For Which Logon Failed: Security ID: NULL SID Account Name: administrator [...] read more
I have a number of virtual machines that have not been switched on for over a month, and some others which have been rolled back to an older state. They are members of a domain, and have expired their machine secrets; thus unable to authenticate with the domain any longer. [...] read more
I have a special task and I don't know what is the best idea to solve this task. We have a syslog server in our environment which is collecting all Windows Logs from the Servers. We can do an API call to the Syslog server, which returns a JSON with [...] read more
Since I restarted one of my DCs (I had previously checked whether it owned FSMO roles), Windows 7 domain computers ask for credentials to access network shares. Below the Windows prompt, there is an error message about wrong credentials. I have checked the credential store with no success. No [...] read more
Over 8GB of traffic from a workstation named KHAOSSERVER has occurred since yesterday; in the Security Event Log are records like this: An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: [...] read more