Security event 4625 gets logged continuously

MasTer 0 Reputation points
2025-02-27T13:51:57.6666667+00:00

Hello Team,

One of our 2 domain controllers has this security event logged continuously.

The forest and domain functional level is 2016.

Microsoft Windows security auditing. Event id 4625

Audit Failure

An account failed to log on.

Subject:

Security ID: NULL SID

Account Name: -

Account Domain: -

Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:

Security ID: NULL SID

Account Name: StatesDC01$

Account Domain: Statesmen.com

Failure Information:

Failure Reason: An Error occured during Logon.

Status: 0xC000006D

Sub Status: 0x0

Process Information:

Caller Process ID: 0x0

Caller Process Name: -

Network Information:

Workstation Name: StatesDC01

Source Network Address: -

Source Port: -

Detailed Authentication Information:

Logon Process:

Authentication Package: NTLM

Transited Services: -

Package Name (NTLM only): -

Key Length: 0

  • System
  • Provider

[ Name] Microsoft-Windows-Security-Auditing

[ Guid] {54849625-5478-4994-a5ba-3e3b0328c30d}

EventID 4625

Version 0

Level 0

Task 12544

Opcode 0

Keywords 0x8010000000000000

  • TimeCreated

[ SystemTime] 2025-02-12T12:36:07.8544759Z

EventRecordID 235207029996

  • Correlation

[ ActivityID] {af0850f5-7d33-0003-3351-08af337ddb01}

  • Execution

[ ProcessID] 672

[ ThreadID] 876

Channel Security

Computer StatesDC01.Statesmen.com

Security

  • EventData

SubjectUserSid S-1-0-0

SubjectUserName -

SubjectDomainName -

SubjectLogonId 0x0

TargetUserSid S-1-0-0

TargetUserName StatesDC01$

TargetDomainName Statesmen

Status 0xc000006d

FailureReason %%2304

SubStatus 0x0

LogonType 3

LogonProcessName

AuthenticationPackageName NTLM

WorkstationName StatesDC01

TransmittedServices -

LmPackageName -

KeyLength 0

ProcessId 0x0

ProcessName -

IpAddress -

IpPort -

The event is logged only on the FSMO role holder DC. The secure channel is broken when this DC authenticates to itself. If the roles are moved to the other available DC (StatesDC02), the secure channel is shown as broken there too, and the secure channel is fine on the previous DC (StatesDC01). Then the events start logging on the second DC, which holds the FSMO roles. Please let me know how to remediate this. No recent changes have been made in the environment.

Tried steps-

1- Time sync is fine

2- Replication is working fine

3- DNS is fine

4- SPNs are below. Please check.

setspn -L statedDC01

Registered ServicePrincipalNames for CN=statedDC01,OU=Domain Controllers,DC=States,DC=com:

GC/statedDC01.States.com

RPC/155eda5e-43dc-46cc-8ade-5608bf619bbf._msdcs.States.com

ldap/statedDC01/STATES

ldap/155eda5e-43dc-46cc-8ade-5608bf619bbf._msdcs.States.com

ldap/statedDC01.States.com/STATES

ldap/statedDC01

ldap/statedDC01.states.com

ldap/statedDC01.states.com/DomainDnsZones.states.com

ldap/statedDC01.states.com/ForestDnsZones.states.com

E3514235-4B06-11D1-AB04-00C04FC2DCD2/155eda5e-43dc-46cc-8ade-5608bf619bbf/states.com

DNS/statedDC01.states.com

HOST/statedDC01/STATES

HOST/statedDC01.states.com/STATES

exchangeAB/statedDC01

exchangeAB/statedDC01.states.com

HOST/statedDC01.states.com

WSMAN/statedDC01

WSMAN/statedDC01.states.com

Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/statedDC01.states.com

TERMSRV/statedDC01

TERMSRV/statedDC01.states.com

NtfSvc/155eda5e-43dc-46cc-8ade-5608bf619bbf

RestrictedKrbHost/statedDC01

RestrictedKrbHost/statedDC01.states.com

HOST/statedDC01.states.com

5- Tried resetting the domain computer password and repairing the secure channel, but the issue persists on the FSMO holder DC.

All the above details are related to PDC.

I am adding some more warning events to help understand it more deeply.

Event ID 6037 in PDC

The program svchost.exe, with the assigned process ID 3228, could not authenticate locally by using the target name HOST/.. The target name used is not valid. A target name should refer to one of the local computer names, for example, the DNS host name.

Try a different target name.

Event ID 36886 in PDC

No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

The SSPI client process is %2 (PID: %1).

Event ID 3096 in PDC

The primary Domain Controller for this domain could not be located.

I am posting this in Windows Server, please move to any other appropriate session if needed.


2 answers

  1. Anonymous
    2025-02-28T09:23:48.9433333+00:00

    Hello

    Thank you for posting in Q&A forum.

    Event ID 4625 indicates a failed logon attempt; it can be due to several reasons.

    Here are some steps to help you troubleshoot:

    1. Ensure that there are no saved credentials with incorrect passwords. Sometimes, services or scheduled tasks might be using outdated or incorrect passwords.
    2. Verify if the account is getting locked out due to multiple failed logon attempts. You can adjust the account lockout policies to reduce the frequency of lockouts.
    3. Enable auditing for logon events to get more details about the failed logon attempts. This can help identify the source of the issue.
    4. Identify if any services or scheduled tasks are using the affected account. Update the credentials if necessary.
    5. Look at the details in the security logs to identify the source of the failed logon attempts. This can include the IP address, the account name, and the logon type.
    6. Ensure that all passwords are up-to-date and synchronized across all systems and services.
    7. Run a thorough malware scan to ensure that there are no malicious programs attempting to log in with incorrect credentials.

    Reference:

    Event ID 4625: How to Fix the Failed Logon Error - Windows Report

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
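
Step 5 of the answer above, as an added example that is not part of the original thread: a PowerShell summary of recent 4625 events grouped by the fields that identify the source (target account, logon type, authentication package, workstation, IP address, status). The `$Hours` look-back window and the status-code subset are assumptions of this example; run it in an elevated session on the DC that logs the events.

```powershell
# Added example: summarise recent 4625 events by the fields that identify their source.
# Reading the Security log requires an elevated session. $Hours is an assumed look-back window.
$Hours = 24

# Subset of NTSTATUS values commonly seen in the 4625 Status/SubStatus fields.
$StatusText = @{
    '0xc000006d' = 'Logon failure: bad user name or authentication information'
    '0xc000006a' = 'Wrong password'
    '0xc0000064' = 'User name does not exist'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc0000133' = 'Clock skew between client and DC'
}

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }

$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # EventData is a list of <Data Name="...">value</Data> elements; index it by name.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $status = "$($data['Status'])".ToLower()
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Target      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType   = $data['LogonType']
        AuthPackage = $data['AuthenticationPackageName']
        Workstation = $data['WorkstationName']
        IpAddress   = $data['IpAddress']
        Status      = $status
        Meaning     = if ($StatusText.ContainsKey($status)) { $StatusText[$status] } else { 'See NTSTATUS reference' }
    }
}

# One line per distinct source; Get-WinEvent returns newest first, so Group[0] is the latest event.
$rows | Group-Object Target, LogonType, AuthPackage, Workstation, IpAddress, Status, Meaning |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { $_.Group[-1].TimeCreated } },
        @{ n = 'Last';  e = { $_.Group[0].TimeCreated } } |
    Format-Table -AutoSize -Wrap
```

A single dominant group with `LogonType` 3, `AuthPackage` NTLM, the DC's own machine account as target and `-` as IP address matches the event posted in the question, which points at a local caller on the DC rather than a remote client.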


  2. MasTer 0 Reputation points
    2025-02-28T13:57:13.54+00:00

    I have added some more details including SPN details and events in the previous question. Please share your insights on those.
