Event ID: 4625 Thrown while using IADs::Get() method

Selva Kumaresan 0 Reputation points
2024-03-04T16:10:39.34+00:00

I am using the IADS::Get() method to retrieve "ntSecurityDescriptor" from the IADS interface.

Code Snippet:

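    // Requires <windows.h>, <activeds.h> and <iostream>; link with Activeds.lib and Adsiid.lib.
    // dn, user and pass are defined elsewhere (the LDAP path and the bind credentials).
    HRESULT hr = S_OK;
    IADs* pADs = NULL;
    BSTR attrName = SysAllocString(L"ntSecurityDescriptor");
    VARIANT svar;
    VariantInit(&svar);

    // Bind to the object with explicit credentials.
    hr = ADsOpenObject(dn, user, pass, ADS_SECURE_AUTHENTICATION, IID_IADs, (void**)&pADs);
    if (!SUCCEEDED(hr)) {
        cout << "ADsOpenObject Failed:" << hex << hr << endl;
        goto Cleanup;
    }

    // Read the security descriptor attribute from the bound object.
    hr = pADs->Get(attrName, &svar);
    if (!SUCCEEDED(hr)) {
        cout << "Get Failed:" << hex << hr << endl;
        goto Cleanup;
    }

    Cleanup:
    // Release everything acquired above, whichever path was taken.
    VariantClear(&svar);
    SysFreeString(attrName);
    if (pADs) pADs->Release();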

Here, I didn't receive any error codes, but Event ID 4625 is thrown in Event Viewer.

To verify which function causes the issue, I set some breakpoints, waited for each function to finish, and checked the Event Viewer for the event. I found that ADsOpenObject() worked fine and bound with the LDAP path, username and password provided. But after the execution of the IADS::Get() function, event 4625 is thrown in Event Viewer. From analyzing the Event Viewer, I found that while calling IADS::Get(), it is using the system's logged-in account credentials to fetch data instead of the credentials that are bound to the IADS object, and this causes the error.

Event Details:

An account failed to log on.

Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: test
    Account Domain: testDomain

Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC0000064

Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

Network Information:
    Workstation Name: testMachine
    Source Network Address: x.x.x.x
    Source Port: x

Detailed Authentication Information:
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

Here, the account name used is the local account, but I bound the IADS object with a different username and domain, and it is not being used in IADS::Get(). How can I fix this issue? How can I configure IADS to make it use the credentials provided in the ADsOpenObject() method?

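Decoding the 4625 event quoted in the question, as an added example (not code from the original post): the parser reads Event Viewer's section/field layout and maps Status and Sub Status to their NTSTATUS names, which shows an NTLM network logon that failed because the account name does not exist. The names `parse_4625` and `triage` and the abridged sample are assumptions made for this illustration.

```python
import re

# NTSTATUS values documented for the Status / Sub Status fields of event 4625.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

# Constructed sample: the event quoted in the question, abridged, one field per line.
SAMPLE_EVENT = """\
An account failed to log on.
Logon Type: 3
Account For Which Logon Failed:
    Account Name: test
    Account Domain: testDomain
Failure Information:
    Status: 0xC000006D
    Sub Status: 0xC0000064
Detailed Authentication Information:
    Authentication Package: NTLM
"""

def parse_4625(text):
    """Return {section: {field: value}}; unsectioned fields go under ""."""
    event, section = {"": {}}, None
    for indent, key, value in re.findall(r"^([ \t]*)([^:\n]+):[ \t]*(.*)$", text, re.M):
        key, value = key.strip(), value.strip()
        if not indent and not value:          # unindented "Name:" opens a section
            section = event.setdefault(key, {})
        elif indent and section is not None:  # indented field of that section
            section[key] = value
        else:                                 # top-level field, e.g. Logon Type
            event[""][key] = value
    return event

def triage(event):
    """Summarise which account failed, over what, and why (codes decoded)."""
    who, fail = event["Account For Which Logon Failed"], event["Failure Information"]
    decode = lambda v: NTSTATUS.get(int(v, 16), "unlisted " + v)
    return {
        "account": who["Account Domain"] + "\\" + who["Account Name"],
        "logon_type": LOGON_TYPES.get(int(event[""]["Logon Type"]), "other"),
        "package": event["Detailed Authentication Information"]["Authentication Package"],
        "status": decode(fail["Status"]),
        "sub_status": decode(fail["Sub Status"]),
    }
```

Calling `triage(parse_4625(SAMPLE_EVENT))` returns the decoded summary; a Sub Status of STATUS_WRONG_PASSWORD instead would mean the account exists and only the password was rejected.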

1 answer

  1. Selva Kumaresan 0 Reputation points
    2024-03-05T06:54:40.6233333+00:00

    Found the problem and its solution.

    The Problem:
    While calling IADS::Get(), it is internally using local account credentials.

    The Solution:
    Call the WNetAddConnection2A() method with those domain credentials; IADS::Get() then internally uses these credentials, so the 4625 event is not thrown in the Event Viewer.

    But why does IADS::Get() use local account credentials and not the credentials to which it is bound with ADsOpenObject()?
