4625 logon attempts when we try SSL Stream AuthenticateAsServer and AuthenticateAsClient error

Radhika Sridhar 20 Reputation points
2025-11-28T06:31:46.9466667+00:00

4625 logon attempts are happening in Event Viewer under Security whenever we try to authenticate the server with a certificate; we tried with a sample certificate as well.

An account failed to log on.

Subject:

Security ID: SYSTEM

Account Name: Test

Account Domain: Test

Logon ID: 0x3E7

Logon Type: 3

Account For Which Logon Failed:

Security ID: NULL SID

Account Name: Test

Account Domain:

Failure Information:

Failure Reason: Unknown user name or bad password.

Status: 0xC000006D

Sub Status: 0xC0000064

Process Information:

Caller Process ID: 0x5dc

Caller Process Name: C:\Windows\System32\lsass.exe

Network Information:

Workstation Name:

Source Network Address: -

Source Port: -

Detailed Authentication Information:

Logon Process: Schannel

Authentication Package: Kerberos

Transited Services: -

Package Name (NTLM only): -

Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

  • Transited services indicate which intermediate services have participated in this logon request.
  • Package name indicates which sub-protocol was used among the NTLM protocols.
  • Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Moved from: Windows Insider program | Windows Insider preview | Other


Answer accepted by question author
  1. HLBui 2,435 Reputation points Independent Advisor
    2025-11-28T14:26:12.0333333+00:00

    Dear Radhika Sridhar

    In the 4625 entries you provided, I think the key detail is that the logon process is Schannel, which indicates the server is attempting certificate-based authentication but is ultimately falling back to Kerberos, resulting in the “Unknown user name or bad password” failure. This typically occurs when the certificate being used does not map correctly to a valid domain account, or when user certificate mapping is not configured as expected on the server. Additionally, the NULL SID and empty domain field confirm that the system could not associate the certificate with a security principal.

    I recommend verifying whether the certificate contains a valid UPN in the Subject Alternative Name (SAN) and ensuring that it matches the corresponding user account in Active Directory. You should also check whether certificate-to-account mapping is configured using either "UPN mapping" or "Explicit mapping" depending on your setup. Since the event is triggered by LSASS, it also helps to confirm that the server trusts the issuing CA and that the certificate chain is complete. Another useful step is enabling Schannel event logging temporarily to get more insights into the TLS handshake and why the mapping fails.

    If the authentication is happening through a service or script, ensure that no fallback to password-based authentication is occurring, as Logon Type 3 often suggests a network-based credential request that may not match your intention. Once the certificate mapping issue is resolved, these 4625 failures should stop.

    I hope this information is useful. Please feel free to ask if you have any other questions!

    If it is, don't forget to "Accept the answer" so that others could benefit in the community. Thank you
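The three checks the accepted answer recommends (UPN in the SAN, a complete and trusted chain, Schannel event logging) can be run from PowerShell on the server. The script below is an added example and is not code from the original thread or from Microsoft; the thumbprint is a placeholder you replace with your own, the store location `Cert:\LocalMachine\My` is an assumption, and the Active Directory lookup only runs if the `ActiveDirectory` module is present.

```powershell
# Added example (not from the original thread): runs the certificate checks the
# accepted answer recommends against one certificate in the local machine store.
# Assumptions: the certificate lives in Cert:\LocalMachine\My and its thumbprint
# is supplied below (placeholder value).
$Thumbprint = 'PLACEHOLDER_THUMBPRINT'   # replace with your certificate's thumbprint
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }

# 1. Does the certificate carry a UPN in its Subject Alternative Name?
#    GetNameInfo(UpnName) returns the SAN otherName UPN, or an empty string if there is none.
$upnType = [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName
$upn = $cert.GetNameInfo($upnType, $false)
if ([string]::IsNullOrEmpty($upn)) {
    Write-Warning 'No UPN in the SAN: Schannel cannot map this certificate to a domain account by UPN.'
} else {
    Write-Output "SAN UPN: $upn"
    # Does a domain account with that UPN exist? (needs the ActiveDirectory module)
    if (Get-Command Get-ADUser -ErrorAction SilentlyContinue) {
        $user = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -ErrorAction SilentlyContinue
        if ($user) { Write-Output "Matched AD account: $($user.SamAccountName)" }
        else { Write-Warning "No AD user has UserPrincipalName '$upn'." }
    }
}

# 2. Does this machine trust the issuing CA, and does the chain build completely?
#    ChainStatus lists every problem (untrusted root, missing intermediate,
#    revocation status unknown, expired) so trust and chain-completeness
#    failures can be told apart.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if ($chain.Build($cert)) {
    Write-Output 'Chain builds cleanly:'
    $chain.ChainElements | ForEach-Object { Write-Output "  $($_.Certificate.Subject)" }
} else {
    Write-Warning 'Chain failed to build:'
    $chain.ChainStatus | ForEach-Object { Write-Warning "  $($_.Status): $($_.StatusInformation)" }
}

# 3. Raise Schannel event logging temporarily so handshake and mapping failures are
#    written to the System log. EventLogging is a bit mask: 1 = errors (default),
#    2 = warnings, 4 = informational; 7 records all three.
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$current = (Get-ItemProperty -Path $schannelKey -Name EventLogging -ErrorAction SilentlyContinue).EventLogging
Write-Output "Current Schannel EventLogging value: $current"
Set-ItemProperty -Path $schannelKey -Name EventLogging -Value 7 -Type DWord
# The new level takes effect after a restart; set the value back to 1 once you have
# captured the handshake you are debugging.
```

Run it in an elevated session on the server that raised the 4625 events. If check 1 reports no UPN, the certificate cannot be mapped to an account by UPN no matter how mapping is configured; if check 2 fails, Schannel will reject the certificate before any mapping is attempted, and the chain status lines tell you which CA certificate is missing or untrusted.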


1 additional answer

Sort by: Most helpful
  1. Q&A Assist
    2025-11-28T06:32:00.44+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The logon event you are encountering, specifically Event ID 4625, indicates a failed logon attempt due to an "Unknown user name or bad password." This can occur for various reasons, including incorrect credentials being used or issues with the authentication process.

    Here are some steps you can take to troubleshoot this issue:

    1. Verify Credentials: Ensure that the username and password being used are correct. If you're using a certificate for authentication, ensure that the certificate is valid and properly configured.
    2. Check Account Status: Confirm that the account you are trying to log in with is not locked or disabled.
    3. Review Security Policies: Check the local security policies or Group Policy settings that might restrict logon types or require specific authentication methods.
    4. Network Configuration: Ensure that there are no network issues preventing the authentication request from reaching the domain controller.
    5. Event Viewer Logs: Continue to monitor the Event Viewer for any additional related events that may provide further insights into the failure.
    6. Authentication Method: Since the logon process is using Kerberos, ensure that the Kerberos configuration is correct and that the service principal names (SPNs) are properly set up for the service you are trying to access.

    If the issue persists after these checks, consider raising a support ticket with detailed information about the logon attempts and the steps you've already taken to troubleshoot the issue.
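Step 5 above suggests watching the Security log for related events. The query below is an added example, not part of the Q&A Assist answer or of any Microsoft tool: it pulls recent 4625 events whose Logon Process is Schannel and decodes the Status and Sub Status codes seen in the question, so the certificate-mapping failures stand out from ordinary password failures. It assumes the session has permission to read the Security log; the `$Hours` window is a constructed default.

```powershell
# Added example (not from the original thread): list recent 4625 failures raised by
# Schannel in the Security log and decode the NTSTATUS codes that appear in them.
# Assumes read access to the Security log; $Hours is an assumed default window.
param([int]$Hours = 24)

# NTSTATUS codes from the question, with their documented meanings.
$statusText = @{
    '0xc000006d' = 'STATUS_LOGON_FAILURE (bad user name or authentication information)'
    '0xc0000064' = 'STATUS_NO_SUCH_USER (account does not exist)'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

foreach ($evt in $events) {
    # Convert the event to XML and flatten its EventData into a name -> value table.
    $xml = [xml]$evt.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

    # Only keep failures where the logon process is Schannel (certificate mapping).
    if ("$($d['LogonProcessName'])".Trim() -ne 'Schannel') { continue }

    $status    = "$($d['Status'])".ToLower()
    $subStatus = "$($d['SubStatus'])".ToLower()

    [pscustomobject]@{
        Time          = $evt.TimeCreated
        Account       = $d['TargetUserName']
        Domain        = $d['TargetDomainName']
        LogonType     = $d['LogonType']
        AuthPackage   = $d['AuthenticationPackageName']
        Status        = $status
        StatusText    = $statusText[$status]
        SubStatus     = $subStatus
        SubStatusText = $statusText[$subStatus]
        Process       = $d['ProcessName']
    }
}
```

Pipe the output to `Format-Table` or `Export-Csv` to compare the failing account names against the UPNs present in the certificates you are presenting; a run of events with Sub Status `0xc0000064` and an empty Domain field matches the mapping failure described in the accepted answer, while `0xc000006a` (wrong password) would point at a credential problem instead.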

