No event 4625 generated on failed login

Crasher 121 Reputation points
2021-03-10T23:06:17.257+00:00

I have a weird situation, I set up a RD Gateway. When doing some self testing brute forcing logins almost no event 4625 get logged on the gateway. I tried a password about 30 times and I only got two 4625 events.

I do see on the DC the failed logons, and lockouts do occur, just event 4625 don't get logged on the gateway.

What could be causing this weird behavior?

Remote Desktop
Remote Desktop
A Microsoft app that connects remotely to computers and to virtual apps and desktops.
4,189 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Grace HE 1,236 Reputation points
    2021-03-11T05:08:18.527+00:00

    Hi,
    Thank you for posting your query. Here is an official link you may refer to.

    4625(F): An account failed to log on.
    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

    ---If the suggestions above are helpful, please ACCEPT ANSWER. Really appreciate. This will also help others with similar issue to find this post quickly. ---

    0 comments No comments

  2. Crasher 121 Reputation points
    2021-03-11T15:01:43.13+00:00

    Thanks, but my question is why are these events NOT being logged on failed logons?

    I did notice something interesting, if I try logging in with a wrong user name, event 4625 does get generated per attempt, but if I use a correct user name 99% I don't get an event 4625, I write 99% because as I was testing yesterday I did manage to somehow trigger two event 4625's with correct user names.

    Any advise would be appreciated.

    0 comments No comments

  3. Crasher 121 Reputation points
    2021-03-15T14:56:44.55+00:00

    Nothing?! no one else noticed this behavior?

    0 comments No comments