How to see security logs (4625) of RDP DNS connection on Windows Server 2022

Anonymous
2023-09-20T08:06:16+00:00

Hello,

I have a problem on my Windows Server 2022 (20348.1970). I use the RDP service to give users access to some application.

GPO is activated on this server. In this GPO, I have activated Audit for remote connection (Success and Failed). It's working well when I'm testing a connection.

I see the username and IP address of the user.

So if I succeed in connecting (4624), I can see it in my logs.

But there is a big problem! I cannot see FAILED connection (4625) in my logs.

I found something very strange. I can see success (4624) and failed (4625) connections in my logs when I enter the IP address of my server into the Remote Desktop Protocol.

But when I try to connect with DNS, so by the name of the server (such as "myserver.domaine.com"), it works perfectly, I can connect to my server, and I can see the success (4624) connection in the security logs.

MY PROBLEM: I cannot see FAILED connection (4625) when I'm connecting RDP with DNS (name of my server). (I tried an intentional failed connection as a test.)

Why can I see success (4624) but not (4625) security log when I try to connect with RDP (DNS and not IP address)?

NOTE: My DNS is correct, there is no problem (nslookup is OK, ping is OK --> DNS). I did flushdns and a lot of things but it's not working.

Is it a current problem on Windows 2022 Servers?

I would like to have help on this situation please. Thank you.


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


4 answers

  1. Anonymous
    2023-09-21T03:17:34+00:00

    Hello Hugo_850

    If you can see both success (4624) and fail (4625) logs when using the IP address for RDP connections but only see success logs (4624) when using the hostname, despite correct DNS settings, it's indeed an unusual issue.

    You might check if the missing log exists in the appropriate folder. Event log files are typically located in the %SystemRoot%\System32\winevt\Logs directory.

    Best regards,

    Karlie Weng

  2. Anonymous
    2023-09-21T15:15:18+00:00

    Hello,

    Thanks for your answer. I can see all my logs in this repository: %SystemRoot%\System32\winevt\Logs.

    I have the logs of "TerminalServices-RemoteConnectionManager" and inside I can see that I have connections to my server.

    When I try to connect with a wrong password to RDP with DNS (servername.mydomaine.com), I cannot see the (4625) failed connection in the logs.

    But when I'm doing this connection I get:

    • Event ID = 261, and it says that I received an RDP-TCP connection, but it does not give much more information.
    • I have User = Network service, Computer = server.mydomain.com, and in the Detail menu --> ListenerName = RDP-TCP.

    I've got some news:

    I saw something in my logs when using an RDP connection from user to server.

    When I try to connect to my server using Remote Desktop Protocol:

    Detail of the connection:

    • Server: myserver.mydomain.com
    • user: mydomain\myusername --> username which exists

    But when I have to enter a password, I put a wrong password as a test to get the 4625 event in my logs.

    So in this situation I don't have a 4625 event log.

    But when I try this:

    • Server: myserver.mydomain.com
    • user: mydomain\myusername --> username which doesn't exist

    So in this situation, I have event 4625 in my log --> Security.

    There is a problem with my Domain, I'm not able to see RDP connections while a user tries to connect to my server using DNS.

    • Server: myserveripaddress
    • user: mydomain\myusername --> username which doesn't exist | username which exists

    I have event 4625 in my logs. Everything works well using my IP address.

    Best Regards

    Hugo

  3. Anonymous
    2023-09-25T07:24:50+00:00

    Hi

    I recommend focusing on the authentication and security policy settings, as well as any custom configurations that might be influencing this behavior.

    You might also check RD Gateway and NLA settings, as these two settings are also related to authentication. The issue might be related to a combination of factors in your specific environment.

    Karlie

  4. Anonymous
    2024-05-13T12:08:28+00:00

    If Kerberos is available, for which you need direct line of sight towards the Domain Controller, CredSSP attempts to verify your credential with the Domain Controller. If the password provided is wrong, the Domain Controller logs an Event ID 4771 - Kerberos PreAuthentication Failed.

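Following the last answer, failed RDP logons may have to be collected from two Security logs: 4625 on the RDP server and 4771 on a Domain Controller. The PowerShell below is an added example, not code from the thread; it normalises both event types into one view. The function name `ConvertTo-FailedLogon`, the host `dc01` and the two sample events are constructed for illustration.

```powershell
# Added example, not from the thread: one view of failed logons from two Security logs,
# 4625 (RDP server) and 4771 (Domain Controller, Kerberos pre-authentication failed).
function ConvertTo-FailedLogon {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $doc = [xml]$EventXml
        # local-name() avoids registering the event schema namespace
        $id = [int]$doc.SelectSingleNode("//*[local-name()='EventID']").InnerText
        if ($id -notin 4625, 4771) { return }
        $f = @{}
        foreach ($n in $doc.SelectNodes("//*[local-name()='Data']")) {
            $f[$n.GetAttribute('Name')] = $n.InnerText
        }
        [pscustomobject]@{
            Time     = $doc.SelectSingleNode("//*[local-name()='TimeCreated']").GetAttribute('SystemTime')
            EventId  = $id
            LoggedBy = $doc.SelectSingleNode("//*[local-name()='Computer']").InnerText
            # 4625 names the account TargetUserName, 4771 names it TargetName
            Account  = if ($id -eq 4625) { $f['TargetUserName'] } else { $f['TargetName'] }
            # DCs often record IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)
            ClientIp = $f['IpAddress'] -replace '^::ffff:', ''
            Status   = $f['Status']   # 4771: 0x18 = pre-authentication failed (bad password)
        }
    }
}

# Constructed sample events (hosts, account, addresses and times are made up).
# Wrong password, connection made by IP address: the RDP server logs 4625.
$srv4625 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="2023-09-21T15:02:11Z"/>
    <Computer>myserver.mydomain.com</Computer></System>
  <EventData><Data Name="TargetUserName">myusername</Data>
    <Data Name="Status">0xc000006d</Data><Data Name="IpAddress">192.0.2.10</Data></EventData>
</Event>
'@
# Wrong password, connection made by server name: the Domain Controller logs 4771.
$dc4771 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4771</EventID><TimeCreated SystemTime="2023-09-21T15:04:37Z"/>
    <Computer>dc01.mydomain.com</Computer></System>
  <EventData><Data Name="TargetName">myusername</Data>
    <Data Name="Status">0x18</Data><Data Name="IpAddress">::ffff:192.0.2.10</Data></EventData>
</Event>
'@

$srv4625, $dc4771 | ConvertTo-FailedLogon | Sort-Object Time | Format-Table -AutoSize
# Live use (dc01 is a placeholder): Get-WinEvent -ComputerName dc01 -FilterHashtable
#   @{LogName='Security'; Id=4771} | ForEach-Object { $_.ToXml() } | ConvertTo-FailedLogon
```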