Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,412 questions
Security log audit failure 4776: Logon Account: status-check
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 30%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EST%3C/text%3E%3C/svg%3E)
Steve Thomson
0
Reputation points
I've got a strange one for you. We have Azure VPN Gateway connecting our local network; all servers and file shares are in the cloud. Everything works fine. I have logon auditing enabled and I have a scheduled task running that emails me whenever there is a 4776 error generated in the security log of the domain controller. We have a Sonicwall firewall and we use NetExtender SSL VPN on port 4433 for remote users (with NPS and Authenticator for 2FA) . There is a logon account with the name "status-check" that randomly tries to logon to our domain. By checking the Sonicwall log I found the source of this logon is the same IP as our Azure VPN gateway. I set a firewall rule to block the IP from accessing port 4433 and that reduced the number of attempts from dozens in a row down to less than ten at a time. However it still happens several times a week. I cannot pin down where it is coming from or what port it is going through; the 4776 error does not show a workstation name or any other detail and the netlogon file does not show any detail either. It appears to be coming through the site-to-site VPN though. What is going on here? I can't be the only IT guy that sees this "status-check" trying to log on but Google does not hit anything on it.
Azure VPN Gateway
Azure
Azure
A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters.
1,002 questions
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 59%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
ChaitanyaNaykodi-MSFT 23,731 Reputation points Microsoft Employee2024-02-16T02:22:11.6566667+00:00 @Steve Thomson
Thank you for reaching out. In order get more information on this issue. Can you please try and configure a packet capture for the VPN Gateway as shown here and see if you can correlate the traffic with the alert received? Thank you! -
Steve Thomson 0 Reputation points
2024-03-12T14:41:04.8933333+00:00 Update. I'm pretty sure I have eliminated the Azure VPN IP as the source of the logon attempts; it was just a coincidence.
I have been running packet captures on the domain controller and modifying the Sonicwall log settings and still cannot find the source of username "status-check". Every time I think I have found the source it turns out to be something else. I cannot find any log entry that repeatedly coincides with the times of the logon failure. The logon attempt is random and can occur any time 24/7. Sometimes it goes for a more than a day without any attempts and then it will try several times per hour over a random span of time before going silent again. Whatever this is the process has completely disguised itself from any of the usual ways to capture it. I can't see where it is coming from and I can't see the network route it is taking to get to the NPS server.
The only thing I know is that the logon is being rejected by the NPS server - it's logging Audit Failure 6273 and 4625 as well as 4776. So what I have done is enable NPS lockout in the registry.
I will keep plugging away at this and post any relevant update.
-
ChaitanyaNaykodi-MSFT 23,731 Reputation points Microsoft Employee
2024-03-16T01:14:41.2766667+00:00 Thank you for getting back and posting the update above. If you need additional help in resolving the issue you can create a support ticket for this question. If you do not have a support plan, please refer to my private message here. Thank you!
Sign in to comment