Incorrect username or password for users connecting to Server 2025 AD server.

Zane Baria 0 Reputation points
2025-12-11T14:46:23.2866667+00:00

We recently upgraded all users to Windows 11 and at the same time spun up 2 new AD servers running Server 2025. We have random users daily that, when they go to sign in, get a message about incorrect username or password. This will not lock their account no matter how many times they attempt to sign in. If they reboot the computer, they are able to log in just fine. It's not the same users every day; it's completely random. Does anyone have any idea what is causing this issue? I'm assuming it's something with Server 2025 AD.

Windows for business | Windows Server | User experience | Other

2 answers

  1. Q&A Assist
    2025-12-11T14:47:01.42+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The issue you're experiencing with users being prompted for incorrect usernames or passwords when connecting to your Windows Server 2025 Active Directory (AD) servers could be related to several factors, particularly since this problem occurs randomly and is resolved by rebooting the computers. Here are some potential causes and considerations:

    1. Windows Integrated Authentication Issues: If your environment uses Active Directory Federation Services (AD FS), issues with Windows Integrated authentication could lead to this behavior. Ensure that the AD FS settings are correctly configured and that there are no problems with the service principal names (SPNs) associated with your AD FS servers.
    2. Network Connectivity: Intermittent network issues between the client machines and the AD servers could cause authentication failures. Check for any network disruptions or firewall rules that may be affecting connectivity.
    3. Kerberos Authentication: Since you are using Windows Server 2025, ensure that Kerberos authentication is functioning correctly. Problems with the Key Distribution Center (KDC) could lead to authentication failures. If Event ID 7 is logged, it may indicate issues with KDC requests, although these events can often be ignored if they do not affect system functionality.
    4. Domain Firewall Profiles: There have been reports of domain controllers failing to use domain firewall profiles after restarts. This could potentially affect the ability of clients to authenticate properly. Restarting the network adapter on the domain controller can temporarily resolve this issue until the next restart.
    5. User Account Issues: Although you mentioned that accounts are not being locked out, ensure that user accounts are not experiencing any other issues, such as expired passwords or account restrictions.

    Given the complexity of the issue, it may be beneficial to monitor the event logs on both the client machines and the AD servers for any related errors or warnings that could provide further insights into the problem.



  2. Domic Vo 11,700 Reputation points Independent Advisor
    2025-12-11T15:59:54.4933333+00:00

    Hello Zane Baria,

    The fact that accounts don’t lock out and the issue is random across different users points away from a simple password problem and more toward how the new Server 2025 domain controllers are handling authentication.

    Here’s what’s likely happening: when you introduced the new AD servers, Windows 11 clients began authenticating against them. If there’s a replication delay, a time sync drift, or a Kerberos ticket mismatch, the client may be told “incorrect username or password” even though the credentials are valid. The reboot clears cached tickets and forces a fresh handshake, which is why login succeeds afterward.

    A few areas worth checking closely, please kindly have a check:

    • Time synchronization: Kerberos is very sensitive to clock skew. Make sure your domain controllers and clients are all syncing against the same reliable time source. Even a few minutes of drift can cause intermittent failures.
    • Replication health: Run repadmin /replsummary and check if your two Server 2025 DCs are fully in sync. If one DC is lagging, clients hitting that DC may fail authentication until replication catches up.
    • DNS resolution: Confirm that clients are resolving the correct DCs. Misconfigured DNS can cause them to bounce between controllers inconsistently.
    • Credential caching: Windows 11 caches credentials locally. If the cache is stale or mismatched with the DC, you’ll see the “incorrect password” message until a reboot clears it.

    I hope this helps,

    If this guidance proves helpful, please kindly click “Accept Answer” so we know we’re heading in the right direction 😊. And of course, I’m here if you need further clarification or support.

    Domic Vo.
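
The checks listed in the answer above (DNS resolution, time synchronization, cached tickets, replication) can be collected in one pass from an affected client. This is an added example, not part of the original answers; the `$WarnSeconds` threshold and the parameter names are assumptions, and `repadmin` only runs where the AD DS tools are installed.

```powershell
# Added example. Run from an affected domain-joined client, signed in with a domain account.
param(
    [string]$Domain = $env:USERDNSDOMAIN,  # override if this variable is empty
    [int]$WarnSeconds = 60                 # assumed warning level; Kerberos tolerates 300 s by default
)

# DNS resolution: every DC this client can discover through the domain's SRV records.
$dcs = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" -ErrorAction Stop |
    Where-Object { $_.QueryType -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget -Unique

# Time synchronization: sample this client's clock offset against each discovered DC.
$report = foreach ($dc in $dcs) {
    # With /dataonly each sample line looks like "14:46:23, +00.0459286s".
    $offsets = @(w32tm /stripchart /computer:$dc /samples:3 /dataonly 2>&1 |
        ForEach-Object { if ("$_" -match ',\s*([+-]\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) } })
    $reachable = $offsets.Count -gt 0
    $worst = if ($reachable) { ($offsets | Measure-Object -Maximum).Maximum } else { $null }
    [pscustomobject]@{
        DC           = $dc
        Reachable    = $reachable
        MaxOffsetSec = if ($reachable) { [math]::Round($worst, 3) } else { $null }
        # Flag DCs that gave no time samples or whose offset exceeds the warning level.
        Flag         = (-not $reachable) -or ($worst -gt $WarnSeconds)
    }
}
$report | Format-Table -AutoSize

# Which DC is this client currently bound to?
nltest /dsgetdc:$Domain

# Credential caching: Kerberos tickets cached in the current logon session.
klist

# Replication health: only where repadmin is available (a DC or a workstation with RSAT).
if (Get-Command repadmin -ErrorAction SilentlyContinue) { repadmin /replsummary }
```

Capturing this output on a machine while the error is occurring, and again after its reboot, shows whether the bound DC or the measured offset differs between the two states.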

