Windows Server 2019 not recording failed logins (Event 4625)

Anonymous
2024-06-18T20:32:08+00:00

Hello all,

I am using Windows Server 2019 on DCs and workstations. Event Viewer is not recording failed RDP logins, but I can see the successful logons. I made a few changes to see the failed RDP logins:

Workstation and DCs

Audit credentials validation > failure

Audit logon > success and failure

Only DCs

Audit Kerberos Authentication Service > failure

Audit Kerberos Service Ticket Operations > failure

Now, I can see the error 4771 (Audit Failure) on just the DC, but there are no details about which workstation is getting the failed login attempt.

This question was migrated from the Microsoft Support Community.

5 answers

  1. Anonymous
    2024-06-19T01:51:10+00:00

    Hi Burce Matute Gunes,

    Thank you for posting in the Microsoft Community Forums.

    The level of log detail in Windows' Event Viewer may not be set to display the full logon failure message. You can try changing the properties of the event log to capture more detailed information.

    In the Event Viewer, you may need to filter or view specific security logs to find detailed information about failed login attempts. Typically, failed logon events can be found under Windows Logs > Security.

    If the logs on the DC do not provide enough information, you may need to check the logs on the workstation where the logon attempt was made. The local security log on the workstation may contain more detailed information about the failed logon attempt.

    The Windows audit policy determines which events are logged. If the audit policy is not properly configured, then important failed logon events may not be logged. You can check and adjust the local security policy for your domain or workstation to ensure that all relevant failed logon events are logged.

    Best regards

    Neuvi Jiang

  2. Anonymous
    2024-06-20T12:30:25+00:00

    Hi Neuvi,

    As I described, the following are the changes that I made for testing purposes in Group Policy Management, but I still cannot see any failed login attempts through RDP:

    Workstation and DCs

    Audit credentials validation > failure

    Audit logon > success and failure

    Only DCs

    Audit Kerberos Authentication Service > failure

    Audit Kerberos Service Ticket Operations > failure

    I did review both workstation and DC event logs after each test but no luck so far.

  3. Anonymous
    2024-06-25T02:18:01+00:00

    Hi Burce Matute Gunes,

    Have a nice day!

    For example, Device A wants to log on to Domain B. The login fails.

    So far it is still not possible to log in, then check the logs on the local device A.

    If the login has now succeeded, view the logs on Domain B's domain controller.

    Best regards

    Neuvi Jiang

  4. Anonymous
    2024-10-23T13:40:20+00:00

    And when Device A fails to log in 10 times, where does Domain B record the failed logins?

    I don't need to fix Device A; I need to know when failed logins have occurred and which device the failure occurred from. If Device A is one of a thousand devices, how do I find the device that is having failures?

  5. Anonymous
    2024-10-30T20:46:33+00:00

    I'm also having the same issue. For whatever reason, our controllers will not generate event 4625. However, when enabling the above-mentioned events (mainly event 4776), the source workstation is left blank. Any reason as to why this could happen?

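An added example, not code from the thread or from any poster: one way to find which device failures come from, by reading the failure events named above (4625, 4771, 4776) from a DC's Security log and grouping them by source. The 24-hour window, the variable names and the output columns are assumptions.

```powershell
# Added example (not from the thread). Run elevated on a domain controller.
$since        = (Get-Date).AddHours(-24)   # assumed look-back window
$auditFailure = 4503599627370496           # keyword bit 0x10000000000000 = Audit Failure

# Event ID -> EventData field that identifies where the attempt came from
$sourceField = @{
    4625 = 'IpAddress'    # failed logon
    4771 = 'IpAddress'    # Kerberos pre-authentication failed ("Client Address")
    4776 = 'Workstation'  # NTLM credential validation ("Source Workstation")
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625, 4771, 4776
    Keywords  = $auditFailure
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Index the named <Data> fields of this event
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    # 4771 reports IPv4 clients as ::ffff:a.b.c.d; strip the prefix
    $source = "$($data[$sourceField[$e.Id]])" -replace '^::ffff:', ''
    if ([string]::IsNullOrWhiteSpace($source) -or $source -eq '-') { $source = '(blank)' }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        User    = $data['TargetUserName']
        Source  = $source
        Status  = $data['Status']   # failure code reported by the event
    }
}

# Sources and accounts with the most failures first
$rows | Group-Object Source, User |
    Sort-Object Count -Descending |
    Select-Object -First 20 Count, Name
```

Events 4771 and 4776 are written on whichever DC handled the request, so run this on each DC or add `-ComputerName` to `Get-WinEvent`. Rows whose source shows as `(blank)` are events where the field was empty, as described in answer 5.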