Logging of event 4625 in the security log is not 100% in RDS

Michal13-1598 0 Reputation points
2023-08-18T08:45:43.1233333+00:00

Hello,

please advise if anyone has encountered this. I am trying to monitor event 4625 in the security log when accessing RD Gateway. The problem is that this event is only logged 75% of the time, strictly speaking only in 3 cases out of 4 possible cases that I am interested in.

Situations that can occur (how the user enters the domain and name). The password is always entered wrong:

  1. domain wrong \ user wrong -> record 4625 OK
  2. domain wrong \ user OK -> record 4625 OK
  3. domain OK \ user wrong -> record 4625 OK
  4. domain OK \ user OK -> the record does not appear in the log at all, even though the authentication fails because of the wrong password.

However, if I repeat the same situation when accessing RDWebAccess, i.e. domain OK, user OK, password wrong, record 4625 appears in the log.

Thank you

Windows for business | Windows Client for IT Pros | User experience | Other

2 answers

  1. Limitless Technology 44,766 Reputation points
    2023-08-21T12:49:19.9766667+00:00

    Hello there,

    How are you generating these failed logins? (e.g. RDP fails, ADFS integration, ...)

    Confirm member server and domain controller are both set to log failed logons.

    Audit filtering settings can limit which events are logged. Ensure that there are no filtering settings in place that might exclude certain logon events. Audit filtering can be configured through the Group Policy Object Editor.

    Open "Group Policy Management" (gpedit.msc).

    Navigate to "Computer Configuration" > "Windows Settings" > "Security Settings" > "Advanced Audit Policy Configuration" > "Detailed Tracking."

    Review the audit settings here to make sure they don't exclude event 4625.

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer–


  2. Michal13-1598 0 Reputation points
    2023-08-23T15:24:00.73+00:00

    I figured it out. When the correct username is entered, the 4625 event is not generated; the authentication is forwarded to Kerberos. In Kerberos, the authentication failure is logged under 4771.

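Added example (not code from the question, either answer, or Microsoft): a PowerShell script that turns the two points made in this thread into a working check. It first verifies the audit subcategories behind both events are set to record failures (the audit-policy check the first answer suggests), then collects 4625 from the gateway and 4771 from a domain controller into one list, so the "domain OK, user OK, wrong password" case that the second answer traced to Kerberos is not missed. The host names `RDGW01` and `DC01` and the script name are placeholders; it assumes an elevated session with rights to read the Security log remotely.

```powershell
<#
  Get-FailedLogon.ps1 (hypothetical name). Added example for this thread, not code from
  the question, the answers, or Microsoft. Collects failed logons as BOTH 4625 and 4771:
  4625 is written by the machine that rejected the logon (the RD Gateway), while 4771 is
  written by the KDC, so it only exists on domain controllers.
  Assumptions: elevated PowerShell, remote read access to the Security log on both hosts;
  $Gateway and $DomainController are placeholder host names.
#>
param(
    [string]$Gateway          = 'RDGW01',   # placeholder: RD Gateway host
    [string]$DomainController = 'DC01',     # placeholder: a domain controller (KDC)
    [int]$Hours               = 24
)

# Step 1 (the first answer's check, made concrete): confirm the subcategories that produce
# the two events record failures. "auditpol /r" emits CSV with an "Inclusion Setting"
# column such as "Failure" or "Success and Failure".
function Test-FailureAuditing {
    param([string]$Computer, [string]$Subcategory)
    $rows = Invoke-Command -ComputerName $Computer -ScriptBlock {
        param($s) auditpol /get /subcategory:"$s" /r | ConvertFrom-Csv
    } -ArgumentList $Subcategory
    $setting = ($rows | Select-Object -First 1).'Inclusion Setting'
    [pscustomobject]@{
        Computer        = $Computer
        Subcategory     = $Subcategory
        Setting         = $setting
        FailuresAudited = ($setting -match 'Failure')
    }
}

# 4625 comes from Logon/Logoff > Logon; 4771 from Account Logon > Kerberos Authentication Service
Test-FailureAuditing -Computer $Gateway          -Subcategory 'Logon'
Test-FailureAuditing -Computer $DomainController -Subcategory 'Kerberos Authentication Service'

# Step 2: pull both event IDs and normalise them into one shape.
function Get-FailedLogon {
    param([string]$Computer, [int[]]$Ids, [datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = $Ids; StartTime = $Since }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
      ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Failure codes: 4625 SubStatus 0xC000006A = wrong password, 0xC0000064 = no such user;
        # 4771 Status 0x18 = KDC_ERR_PREAUTH_FAILED, i.e. wrong password for an existing account.
        # 4771 carries no TargetDomainName, so Domain is empty for those rows.
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Host     = $Computer
            EventId  = $_.Id
            Domain   = $data['TargetDomainName']
            User     = $data['TargetUserName']
            SourceIp = ($data['IpAddress'] -replace '^::ffff:', '')   # 4771 uses IPv4-mapped form
            Code     = if ($_.Id -eq 4625) { $data['SubStatus'] } else { $data['Status'] }
        }
      }
}

$since  = (Get-Date).AddHours(-$Hours)
$events = @(Get-FailedLogon -Computer $Gateway          -Ids 4625 -Since $since) +
          @(Get-FailedLogon -Computer $DomainController -Ids 4771 -Since $since)

$events | Sort-Object Time |
    Format-Table Time, Host, EventId, Domain, User, SourceIp, Code -AutoSize

# Step 3: per-account summary. A run of 4771 with Status 0x18 against one account is exactly
# the "correct user, wrong password" pattern that a 4625-only monitor on the gateway never sees.
$events | Group-Object User | ForEach-Object {
    [pscustomobject]@{
        User     = $_.Name
        Failures = $_.Count
        Via4625  = @($_.Group | Where-Object EventId -eq 4625).Count
        Via4771  = @($_.Group | Where-Object EventId -eq 4771).Count
    }
} | Sort-Object Failures -Descending | Format-Table -AutoSize
```

Run it as `.\Get-FailedLogon.ps1 -Gateway <gateway> -DomainController <dc> -Hours 24`. The split between hosts is the point: with several domain controllers, every DC that can act as KDC for the users in question has to be queried (or its Security log forwarded), because a 4771 for a given failed password lands only on the DC that handled that AS request.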
