
We have a Windows 2012 R2 RDS server and a Windows 2008 R2 Domain Controller.

Every time a user logs on to or off of the RDS server, it logs event 4771 (audit failure, incorrect username or password) for the machine account of the RDS server on the DC. The RDS server is otherwise working correctly; it is just causing an issue with auditing user account failures.

Kerberos pre-authentication failed.

Account Information:
Security ID:        DOMAIN\RDS$
Account Name:       RDS$

Service Information:
Service Name:       krbtgt/DOMAIN

Network Information:
Client Address:     ::ffff:10.0.0.10
Client Port:        53391

Additional Information:
Ticket Options:     0x40810010
Failure Code:       0x18
Pre-Authentication Type:    2

How can I identify the cause of the event being logged?

Update: this only happens if I connect to the server by RDP; local login does not cause this event to be logged.

On the RDS server, after an RDP login, the following event is logged 8 times:

An account failed to log on.

Subject:
Security ID:        NULL SID
Account Name:       -
Account Domain:     -
Logon ID:       0x0

Logon Type:         3

Account For Which Logon Failed:
Security ID:        NULL SID
Account Name:       RDS
Account Domain:     DOMAIN

Failure Information:
Failure Reason:     Unknown user name or bad password.
Status:         0xC000006D
Sub Status:     0xC0000064

Process Information:
Caller Process ID:  0x0
Caller Process Name:    -

Network Information:
Workstation Name:   RDS
Source Network Address: ::1
Source Port:        63089

Detailed Authentication Information:
Logon Process:      NtLmSsp 
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only):   -
Key Length:     0
  • Are you asking a question or making a statement? – joeqwerty Mar 06 '17 at 15:54
  • Sub Status `0xC0000064` (in your second event) means the user name does not exist. I don't know what event ID your 2nd event is, but I see that the Account Name is `RDS` not `RDS$`. Is it possible you have a user account (not computer account) named `RDS`? – I say Reinstate Monica Mar 09 '17 at 14:46
  • I've got this same thing - a single server 2012R2 RDS deployment (no hack nonsense, it's part of a domain) - and this 8 simultaneous 4625 is killing my ability to accurately track logon failures. Even stranger, the logged IP is the loopback IPv6 address of the server itself. Quite stumped. – JohnThePro Mar 02 '19 at 01:22
  • @JohnThePro - Are you able to resolve that issue? I am facing exactly what you have mentioned above. I would appreciate it if you could share the fix. – Suleman khan Apr 21 '21 at 08:02
  • Honestly, the only thing I've learned about this error is it seems to regress in and out of patch cycles, as I don't see this pattern pop up for months at a time. However, when it does, the only thing I know FOR SURE is it ONLY happens after the RDS machine's uptime goes over 21 days. Not much help, I know. Sorry. – JohnThePro Jun 28 '21 at 23:48

0 Answers
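An added example, not part of the original question or its comments: a Python parser for the 4625 text quoted in the question that flags the pattern the comments point out (an NTLM network logon from loopback using the server's own name without the trailing `$`), so those entries can be separated from real user logon failures. The trimmed sample text, the function names and the `self_referential` label are constructed for illustration.

```python
import re

# Constructed sample: selected fields from the 4625 event quoted in the question.
SAMPLE_4625 = """\
Logon Type:         3

Account For Which Logon Failed:
Account Name:       RDS

Failure Information:
Sub Status:     0xC0000064

Network Information:
Workstation Name:   RDS
Source Network Address: ::1

Detailed Authentication Information:
Authentication Package: NTLM
"""

NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE", 0xC0000064: "STATUS_NO_SUCH_USER"}
LOOPBACK = {"::1", "127.0.0.1"}

def parse_event(text):
    """Return {(section, field): value}; a blank line ends the current section."""
    fields, section = {}, ""
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*?)\s*$", line)
        if not line.strip():
            section = ""
        elif m and not m.group(2):        # "Heading:" with no value opens a section
            section = m.group(1).strip()
        elif m:                           # "Field:   value" inside the current section
            fields[(section, m.group(1).strip())] = m.group(2)
    return fields

def classify_4625(text):
    """Flag a loopback NTLM logon that uses the host name as a user name (no '$')."""
    f = parse_event(text)
    name = f.get(("Account For Which Logon Failed", "Account Name"), "")
    host = f.get(("Network Information", "Workstation Name"), "")
    sub = int(f.get(("Failure Information", "Sub Status"), "0"), 16)
    self_ref = (
        f.get(("", "Logon Type")) == "3"
        and f.get(("Detailed Authentication Information", "Authentication Package")) == "NTLM"
        and f.get(("Network Information", "Source Network Address")) in LOOPBACK
        and name != "" and name.lower() == host.lower() and not name.endswith("$")
    )
    return {"self_referential": bool(self_ref), "sub_status": NTSTATUS.get(sub, hex(sub))}
```
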