Credentials Processes in Windows Authentication

Bilal.S 0 Reputation points
2023-01-24T15:29:47.5866667+00:00

Hey Microsoft community!

Please, I need some explanation about a case I have in the event logs I receive related to the LSASS process in Windows.

In a domain-based environment, I am getting NTLM authentication events (event ID 4624) in the target machine where LogonType is 3 (Network).

After that, LsaRegisterLogonProcess() was called to register the logon and authenticate the session (again in the target machine).

After the logon attempt was successful, I received a lot of audit_failure events coming from the SAM service, such as the one below.

User's image

Then event 4648 was logged.

And event 4624 with LogonType 10 (RDP).

After the RDP logon, LsaRegisterLogonProcess was called again and there were no audit failure events from SAM after it this time.

I have two questions about this:

1- Why wouldn't the logon event (4624) and LsaRegisterLogonProcess be logged in the AD domain server instead, knowing I checked the event viewer logs there and didn't find such events? Based on my knowledge, logon events and authentication of domain accounts should be logged in the AD server.

2- Why do I have a lot of Audit_failure events following the LsaRegisterLogonProcess()?

Thanks,

Bilal.


2 answers

  1. Limitless Technology 45,051 Reputation points
    2023-01-25T16:36:01.56+00:00

    Hi,

    Thank you for posting your query.

    Kindly follow the steps provided below to resolve your issue.

    Windows credentials management is the process by which the operating system receives the credentials from the service or user and secures that information for future presentation to the authenticating target. In the case of a domain-joined computer, the authenticating target is the domain controller. The credentials used in authentication are digital documents that associate the user's identity to some form of proof of authenticity, such as a certificate, a password, or a PIN.

    Go to this link for your reference and other troubleshooting procedures: https://learn.microsoft.com/en-us/windows-server/security/windows-authentication/credentials-processes-in-windows-authentication

    Do not hesitate to message us if you need further assistance.

    If the answer is helpful, kindly click "Accept as Answer" and upvote it.

  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

