How to find out which account attempted to log on when event ID 40970 and error 0xc000006d are generated in Event Viewer?

Anonymous
2023-12-01T05:49:14+00:00

Event ID: 40970

Administrative Events

The Security System has detected a downgrade attempt when contacting the 3-part SPN LDAP/XY-RoDC.abc.example.com/******@ABC.EXAMPLE.COM with error code "The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc000006d)". Authentication was denied.


This question was migrated from the Microsoft Support Community.


4 answers

  1. Anonymous
    2023-12-04T02:40:36+00:00

    Hi jackin:

    To find out which account attempted to log on when event ID 40970 and error 0xc000006d are generated in Event Viewer, you can check the Security event log on the domain controller where the event occurred. Look for event ID 4625, which will provide information about the failed logon attempt, including the account name and the source IP address. You can use this information to investigate further and determine the cause of the failed logon attempt.

    Here is a link to the documentation on event ID 4625: 4625(F) (Windows 10) - Windows security | Microsoft Learn

    Kind regards,

    Qiuyang

  2. Anonymous
    2023-12-05T21:56:24+00:00

    Gonna try this and update you. Thanks!

  3. Anonymous
    2023-12-05T23:01:22+00:00

    PS C:\Windows\system32> get-aduser someUsername -properties * | select lastbadpasswordattempt

    lastbadpasswordattempt


    12/5/2023 4:35:26 PM

    Checked logs in Event Viewer on XY-RoDC > Security logs around this time.

    Looked for event ID 4625; no event ID 4625 showed up for 12/5/2023 4:35:26 PM.

    So I found no related event ID 4625 in the Security logs that correlates with the last bad password attempt and when the account locked. I did find event ID 4740, which says the account was locked; why it locked I don't know.

  4. Anonymous
    2023-12-06T02:52:24+00:00

    Hi jackin:

    Based on the information you provided, it seems that the account was locked due to too many failed login attempts. The event ID 4740 indicates that the account was locked. However, without further information, it is difficult to determine why the account was locked. It is possible that the user exceeded the maximum number of allowed login attempts or that there was a security policy in place that triggered the lockout.

    Kind regards,

    Qiuyang

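An added example (not part of the thread or of Microsoft's documentation): a PowerShell helper that extracts the account and its origin from events 4625 and 4740, the two event IDs discussed in the answers above. The function name and the sample record with its values are constructed for illustration; the commented live query reuses the host name XY-RoDC and the user someUsername from the thread and assumes a five-minute window around LastBadPasswordAttempt.

```powershell
# Added example, not from the thread. Parses Security events 4625 (failed logon)
# and 4740 (account locked out) from their XML form and reports account and origin.
function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt  = ([xml]$EventXml).Event
        $data = @{}
        foreach ($node in $evt.EventData.Data) { $data[$node.Name] = $node.'#text' }
        $id = [int]$evt.System.EventID
        [pscustomobject]@{
            TimeUtc    = $evt.System.TimeCreated.SystemTime
            EventId    = $id
            LoggedOn   = $evt.System.Computer     # machine that recorded the event
            Account    = $data['TargetUserName']
            Status     = $data['Status']          # 4625 only, e.g. 0xc000006d
            SubStatus  = $data['SubStatus']       # 4625 only
            LogonType  = $data['LogonType']       # 4625 only
            SourceIp   = $data['IpAddress']       # 4625 only
            # 4740 stores the caller computer name in TargetDomainName
            SourceHost = if ($id -eq 4740) { $data['TargetDomainName'] } else { $data['WorkstationName'] }
        }
    }
}

# Constructed sample record (all values invented for illustration)
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2023-12-05T16:35:26.0000000Z"/><Computer>XY-RoDC.abc.example.com</Computer></System>
  <EventData>
    <Data Name="TargetUserName">someUsername</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">WKSTN01</Data>
    <Data Name="IpAddress">192.0.2.10</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-LogonEventXml

# Live use (assumed names from the thread; needs rights to read the Security log):
# $t = (Get-ADUser someUsername -Properties LastBadPasswordAttempt).LastBadPasswordAttempt
# Get-WinEvent -ComputerName XY-RoDC -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4740
#     StartTime = $t.AddMinutes(-5); EndTime = $t.AddMinutes(5) } |
#   ForEach-Object { $_.ToXml() } | ConvertFrom-LogonEventXml |
#   Where-Object Account -eq 'someUsername'
```

Security log entries are local to the machine that recorded them, so the live query has to be repeated against each domain controller that may have handled the attempt.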