
Event information for Windows failed logon

Updated January 22, 2018

Overview

Microsoft® Remote Desktop Protocol (RDP) logon failures do not generate a 4625 event as expected. Instead, a 4771 event (UserAuthTicketFailure) is logged.

Environment

All LEM versions

Detail

When you track logon failures, not all of them are captured with a 4625 event. This event only captures logon failures to local machines or local accounts.

Using RDP

Using RDP to connect as .\administrator or another local account will authenticate against the local machine and create a 4625 event.

Using a domain account

Using a domain account interactively (logging in through a virtual console or directly logging in to the machine) creates a 4625 event.

When using a domain account and RDP, a 4771 event is logged because the account is checked against the domain controller. The account is not authenticated against the local machine or the cached credentials on the local machine.

Because Kerberos is used for this process, a 4771 event is logged for a pre-authentication failure. This event logs the source machine and source account of the logon failure, but does not contain information about the destination machine. This is a limitation of the generated event information.

Changing the audit policy or troubleshooting the issue will not yield the intended destination of the login attempt because it is terminated at the Domain Controller.
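
One way to account for this when tracking failed logons, shown as an added example that is not part of the original article or LEM's own logic: normalize 4625 and 4771 events into one record and count them together. The sample events, host names, and account names are constructed; the field names follow the Windows Security log schema.

```python
from collections import Counter

FAILED_LOGON_IDS = {4625, 4771}

# Constructed sample events; field names follow the Windows Security log schema.
SAMPLE_EVENTS = [
    # RDP with a local account: authenticated on the target, so the target logs 4625.
    {"EventID": 4625, "Computer": "SRV01", "TargetUserName": "administrator",
     "IpAddress": "10.0.0.5"},
    # RDP with a domain account: Kerberos pre-authentication fails on the DC (4771).
    {"EventID": 4771, "Computer": "DC01", "TargetUserName": "jsmith",
     "IpAddress": "::ffff:10.0.0.5", "Status": "0x18"},
    {"EventID": 4771, "Computer": "DC01", "TargetUserName": "jsmith",
     "IpAddress": "::ffff:10.0.0.5", "Status": "0x18"},
    # Unrelated successful logon that must be ignored.
    {"EventID": 4624, "Computer": "SRV01", "TargetUserName": "jsmith",
     "IpAddress": "10.0.0.7"},
]

def normalize(event):
    """Map a 4625 or 4771 event to one failed-logon record, or None."""
    event_id = event.get("EventID")
    if event_id not in FAILED_LOGON_IDS:
        return None
    source = event.get("IpAddress", "-")
    if source.startswith("::ffff:"):  # 4771 often shows IPv4 clients as IPv4-mapped IPv6
        source = source[len("::ffff:"):]
    return {
        "event_id": event_id,
        "account": event.get("TargetUserName", "").lower(),
        "source": source,
        "logged_by": event.get("Computer"),
        # 4625 is logged by the machine that was targeted; 4771 carries no destination.
        "destination": event.get("Computer") if event_id == 4625 else None,
    }

def failures_by_account(events, event_ids=FAILED_LOGON_IDS):
    """Count failed logons per (account, source) for the chosen event IDs."""
    records = (normalize(e) for e in events)
    return Counter((r["account"], r["source"]) for r in records
                   if r and r["event_id"] in event_ids)

if __name__ == "__main__":
    print("4625 only:", dict(failures_by_account(SAMPLE_EVENTS, {4625})))
    print("4625+4771:", dict(failures_by_account(SAMPLE_EVENTS)))
```

Counting 4625 alone misses the two domain-account failures in the sample, and the 4771 records keep `destination` empty because the event does not carry it.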

 

 
