question

Crasher-2955 avatar image
0 Votes"
Crasher-2955 asked ·

No event 4625 generated on failed login

I have a weird situation, I set up a RD Gateway. When doing some self testing brute forcing logins almost no event 4625 get logged on the gateway. I tried a password about 30 times and I only got two 4625 events.

I do see on the DC the failed logons, and lockouts do occur, just event 4625 don't get logged on the gateway.

What could be causing this weird behavior?

windows-remote-desktop-services
· 1
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi,
Sincerely sorry for not replying. We are working on it. This may be complex and needs tests.
According to your description, more information would be grateful. When you got the event 4625, did you notice the Windows logon status codes? And what is that? Could you please share the screenshot without your private information?
77974-capture.png


0 Votes 0 ·
capture.png (172.0 KiB)
GraceHE-MSFT avatar image
0 Votes"
GraceHE-MSFT answered ·

Hi,
Thank you for posting your query. Here is an official link you may refer to.

4625(F): An account failed to log on.
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625

---If the suggestions above are helpful, please ACCEPT ANSWER. Really appreciate. This will also help others with similar issue to find this post quickly. ---

·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Crasher-2955 avatar image
0 Votes"
Crasher-2955 answered ·

Thanks, but my question is why are these events NOT being logged on failed logons?


I did notice something interesting, if I try logging in with a wrong user name, event 4625 does get generated per attempt, but if I use a correct user name 99% I don't get an event 4625, I write 99% because as I was testing yesterday I did manage to somehow trigger two event 4625's with correct user names.

Any advise would be appreciated.


·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Crasher-2955 avatar image
0 Votes"
Crasher-2955 answered ·

Nothing?! no one else noticed this behavior?

·
10 |1000 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.