Windows 2012 RDS Server logon causes Audit Failure 4625


We have a Windows 2012 R2 RDS server and a Windows 2008 R2 Domain Controller.

Every time a user logs on or off of the RDS server, it logs event 4771 audit failure incorrect username or password for the machine account of the RDS server on the DC. The RDS server is otherwise working correctly; it is just causing an issue with auditing user account failures.

Kerberos pre-authentication failed.

Account Information:
Security ID:        DOMAIN\RDS$
Account Name:       RDS$

Service Information:
Service Name:       krbtgt/DOMAIN

Network Information:
Client Address:     ::ffff:10.0.0.10
Client Port:        53391

Additional Information:
Ticket Options:     0x40810010
Failure Code:       0x18
Pre-Authentication Type:    2

How can I identify the cause of the event being logged?

Update: this only happens if I connect to the server by RDP; local login does not cause this event to be logged.

On the RDS server after an RDP login, the following event is logged 8 times:

An account failed to log on.

Subject:
Security ID:        NULL SID
Account Name:       -
Account Domain:     -
Logon ID:       0x0

Logon Type:         3

Account For Which Logon Failed:
Security ID:        NULL SID
Account Name:       RDS
Account Domain:     DOMAIN

Failure Information:
Failure Reason:     Unknown user name or bad password.
Status:         0xC000006D
Sub Status:     0xC0000064

Process Information:
Caller Process ID:  0x0
Caller Process Name:    -

Network Information:
Workstation Name:   RDS
Source Network Address: ::1
Source Port:        63089

Detailed Authentication Information:
Logon Process:      NtLmSsp 
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only):   -
Key Length:     0
windows-server-2008-r2
windows-server-2012-r2
eventviewer
asked on Server Fault Mar 6, 2017 by Craig Garnham • edited Mar 7, 2017 by Craig Garnham
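
One way to triage the 4625 text quoted in the question, as an added example that is not part of the original post: it parses the event's "Label: value" lines, decodes the status codes, and flags two things visible in the post (a loopback source address, and the host name used as the account name without the machine account's trailing `$`). The function names and lookup tables are this example's own, and the sample text is constructed from fields shown in the question.

```python
import ipaddress
import re

# NTSTATUS values and logon types as documented by Microsoft.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
}
LOGON_TYPE = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

# Constructed sample: fields copied from the 4625 event text in the question.
SAMPLE_4625 = """\
Logon Type:         3
Account Name:       RDS
Account Domain:     DOMAIN
Status:         0xC000006D
Sub Status:     0xC0000064
Workstation Name:   RDS
Source Network Address: ::1
Authentication Package: NTLM
"""

def parse_fields(text):
    """Return {label: value} for each 'Label: value' line (last occurrence wins)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s+(\S.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def triage(text):
    f = parse_fields(text)
    src = ipaddress.ip_address(f["Source Network Address"])
    # Unwrap IPv4-mapped addresses such as ::ffff:10.0.0.10 before classifying.
    src = getattr(src, "ipv4_mapped", None) or src
    status, sub = int(f["Status"], 16), int(f["Sub Status"], 16)
    return {
        "logon_type": LOGON_TYPE.get(int(f["Logon Type"]), "other"),
        "status": NTSTATUS.get(status, hex(status)),
        "sub_status": NTSTATUS.get(sub, hex(sub)),
        "package": f["Authentication Package"],
        "loopback": src.is_loopback,
        # True when the failed account name is the host name without a '$'.
        "hostname_as_user": f["Account Name"].lower() == f["Workstation Name"].lower(),
    }
```

For the event in the question this reports a network (type 3) NTLM logon from loopback that failed with STATUS_NO_SUCH_USER for an account named after the host itself.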

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0