Thousands of Event ID 4625 after Citrix user changes password

Junk 430 101 Reputation points
2023-01-05T20:55:18.287+00:00

We are seeing a pattern. Sometimes, not often, after a user changes their password using Citrix Storefront the domain controllers will start logging thousands and thousands of event id 4625 errors. Our SOC and security team freak out and alert everyone.
We're being asked why this happens. Best I can come up with is something or process... but there is no correlation. The user doesn't have any permissions issues. I've tried to reproduce this using an account with many open Citrix apps and file shares, then change the user password, and no errors are generated. It's random.
Has anyone ever seen this before?

Error is:
Security-Auditing Computer=fileshare.hometown.com OriginatingComputer=10.1.1.10 User= Domain= EventID=4625 EventIDCode=4625 EventType=16 EventCategory=12544 RecordNumber=3252830325 TimeGenerated=1672889956 TimeWritten=1672889956 Level=Log Always Keywords=Audit Failure Task=SE_ADT_LOGON_LOGON Opcode=Info
Message=An account failed to log on.
Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: joe-user
  Account Domain: hometown
Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xC000006D
  Sub Status: 0xC000006A
Process Information:
  Caller Process ID: 0x0
  Caller Process Name: -
Network Information:
  Workstation Name: fileshare
  Source Network Address: 10.1.1.255
  Source Port: 59263
Detailed Authentication Information:
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.


4 answers

  1. Thameur-BOURBITA 35,016 Reputation points
    2023-01-05T23:24:30.117+00:00

    Hi,

    I had the same behavior after disabling NTLMv1 while some users and applications still used it. When you disable NTLMv1 and you still have an application that uses it, you can get a logon failure with the error bad password.

    Please don't forget to mark helpful reply as answer


  2. Junk 430 101 Reputation points
    2023-01-06T14:14:00.307+00:00

    Oh... that's literally exactly what I was thinking. Looking at the error, it says the username is correct but the password is wrong; this just smelled like an NTLM mismatch.
    I'll look into this.
    Do you have any idea how to track down what app or what is doing this? I don't think the user was using anything other than network shares and FireFox.

    We're looking at a project to disable NTLM auth (except for any exceptions we find) later this year. I wonder if that would get rid of this or flush out the culprit.
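Added example for the two questions raised so far (what the 4625 in the original post is actually saying, and how to find which client or process is behind a burst of them). This is not code from the thread, from Citrix or from Microsoft. It assumes Windows PowerShell 5.1 or PowerShell 7 with read access to the Security log of the host that wrote the events; the event text itself says a 4625 is generated on the computer where access was attempted, which in the question is the file server, not the DC. Field names are the standard EventData names of 4625 (TargetUserName, IpAddress, WorkstationName, SubStatus, AuthenticationPackageName, ...), the SubStatus meanings are the ones Microsoft documents for 4625, and the sample events are constructed from the question's event, not real log data. The 4776 property order in the trailing comment is an assumption.

```powershell
# Added example, not code from the thread or from Microsoft. Assumes Windows PowerShell 5.1
# or PowerShell 7 with read access to the Security log of the host that wrote the 4625s
# (the event is written where access was attempted, i.e. the file server in the question).

# SubStatus meanings as documented for event 4625; the question's event shows 0xC000006A.
$SubStatusText = @{
    '0xC0000064' = 'user name does not exist'
    '0xC000006A' = 'user name is correct but the password is wrong'
    '0xC000006F' = 'logon outside permitted hours'
    '0xC0000070' = 'workstation restriction'
    '0xC0000071' = 'expired password'
    '0xC0000072' = 'account disabled'
    '0xC0000133' = 'clocks out of sync'
    '0xC000015B' = 'logon type not granted to user'
    '0xC0000193' = 'account expired'
    '0xC0000224' = 'password must be changed at next logon'
    '0xC0000234' = 'account locked out'
}

function ConvertFrom-LogonFailureXml {
    # Flatten one 4625 event (the XML that EventRecord.ToXml() returns) into the fields that matter for triage.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $doc  = [xml]$Xml
        $data = @{}
        foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = ([string]$d.'#text').Trim() }
        # Real events carry lowercase hex (0xc000006a); normalise for display, lookup is case-insensitive anyway.
        $sub = if ($data.SubStatus) { '0x' + $data.SubStatus.Substring(2).ToUpper() } else { '' }
        [pscustomobject]@{
            Time        = [datetime]$doc.Event.System.TimeCreated.SystemTime
            Computer    = $doc.Event.System.Computer
            User        = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType   = $data.LogonType
            AuthPackage = $data.AuthenticationPackageName
            LogonProc   = $data.LogonProcessName
            Source      = $data.IpAddress
            Workstation = $data.WorkstationName
            SubStatus   = $sub
            Reason      = if ($SubStatusText.ContainsKey($sub)) { $SubStatusText[$sub] } else { 'unknown' }
        }
    }
}

function Get-LogonFailureSummary {
    # Group by who / from where / how / why and add a rate, so one source replaying a stale
    # password against a single account (thousands per hour) separates from background noise.
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Group-Object User, Source, Workstation, AuthPackage, SubStatus | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        $span   = [math]::Max(1, ($sorted[-1].Time - $sorted[0].Time).TotalMinutes)
        [pscustomobject]@{
            Count       = $_.Count
            PerMinute   = [math]::Round($_.Count / $span, 1)
            User        = $sorted[0].User
            Source      = $sorted[0].Source
            Workstation = $sorted[0].Workstation
            AuthPackage = $sorted[0].AuthPackage
            LogonProc   = $sorted[0].LogonProc
            Reason      = "$($sorted[0].SubStatus) $($sorted[0].Reason)"
            FirstSeen   = $sorted[0].Time
            LastSeen    = $sorted[-1].Time
        }
    } | Sort-Object Count -Descending
}

function New-Sample4625Xml {
    # Constructed sample event shaped like the one in the question; not real log data.
    param($Time, $User, $Ip, $Workstation, $SubStatus)
    @"
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4625</EventID>
<TimeCreated SystemTime='$Time'/><Computer>fileshare.hometown.com</Computer></System><EventData>
<Data Name='TargetUserName'>$User</Data><Data Name='TargetDomainName'>hometown</Data>
<Data Name='Status'>0xc000006d</Data><Data Name='SubStatus'>$SubStatus</Data><Data Name='LogonType'>3</Data>
<Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data>
<Data Name='WorkstationName'>$Workstation</Data><Data Name='IpAddress'>$Ip</Data></EventData></Event>
"@
}

# Constructed input: a burst of wrong-password NTLM failures for joe-user plus one unrelated failure.
$sample = @(
    1..6 | ForEach-Object { New-Sample4625Xml -Time ('2023-01-05T20:59:{0:00}.000Z' -f $_) -User 'joe-user' -Ip '10.1.1.255' -Workstation 'fileshare' -SubStatus '0xc000006a' }
    New-Sample4625Xml -Time '2023-01-05T21:30:00.000Z' -User 'svc-backup' -Ip '10.1.1.20' -Workstation 'bkp01' -SubStatus '0xc0000064'
)
$flat = $sample | ConvertFrom-LogonFailureXml
Get-LogonFailureSummary -Events $flat | Format-Table Count, PerMinute, User, Source, Workstation, AuthPackage, Reason -AutoSize

# Live use on the server that wrote the events (last two hours):
# $live = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-2)} |
#             ForEach-Object { $_.ToXml() } | ConvertFrom-LogonFailureXml
# Get-LogonFailureSummary -Events $live | Format-Table -AutoSize
# DC-side view: NTLM credential validation failures are event 4776 there, with the client in its
# 'Workstation' field. Assumed property order PackageName, TargetUserName, Workstation, Status:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4776} |
#     Where-Object { $_.Properties[3].Value -ne '0x0' } | ForEach-Object { $_.Properties[2].Value } | Group-Object
```

Run against the real log, the row with the highest Count and PerMinute is the one to chase: its Source and Workstation name the client still holding the old credential, and AuthPackage/LogonProc show whether it is NTLM (as in the question's NtLmSsp / NTLM event) rather than Kerberos. A 4625 with SubStatus 0xC000006A after a password change is a cached-credential replay until proven otherwise, which is why the grouping is per source rather than per user. If the client turns out to be one that should not be using NTLM at all, the "Network security: Restrict NTLM: Audit NTLM authentication in this domain" policy makes DCs record each NTLM authentication, with the requesting workstation, in the Microsoft-Windows-NTLM/Operational log (policy and log names from memory; confirm on your DCs), which is the inventory the later NTLM-restriction project will need anyway.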


  3. Limitless Technology 44,551 Reputation points
    2023-01-06T14:16:06.67+00:00

    Hello there,

    The event 4625 indicates a computer account failed to log on. You could run the NLTEST /SC_RESET:domain-name command with administrative credentials to check the domain's health.

    This is a useful event because it documents each and every failed attempt to log on to the local computer regardless of logon type, location of the user or type of account.

    The threads below discuss the same issue and you can try out some troubleshooting steps from them and see if that helps you to sort the issue.

    https://social.technet.microsoft.com/Forums/windows/en-US/4b939aea-bde7-4353-9e9d-b2397e943d7e/thousands-of-failed-login-4625-events-corresponding-with-1003-events-form-securityssp?forum=winserver8gen

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/ae9da10a-b4d2-4eda-ae6d-ad61b7b6ab79/audit-failure-event-id-4625?forum=winserversecurity

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer–


  4. Junk 430 101 Reputation points
    2023-01-06T20:11:36.027+00:00

    I believe the first reply is onto something. We're looking at disabling NTLM on the Citrix servers to start with. We already had a project to get rid of/whitelist NTLM later this year.

    Here's the results:
    Flags: 30 HAS_IP HAS_TIMESERV
    Trusted DC Name \server.domain.com
    Trusted DC Connection Status Status = 0 0x0 NERR_Success
    The command completed successfully
