New HP workstations connected to Windows server 2016 essentials giving login failure error4625

Question

New HP workstations connected to Windows server 2016 essentials giving login failure error4625

Jamshid Javidi 106

Hello,

I have noticed that when I connect Brand new workstations to Windows server 2016 essentials, I am getting login failure 4625 in the security of event viewer. When I turn them off the errors stop. This happens on different brand new HP workstation and the server is HP Proliant server Gen 9. Here is the error. I have researched the error and I thought it was the server, but it is the workstation. and it is New HP Workstation Windows 11 pro, connected to the domain controller. i do not get any IP or additional information such as user name. But some kind of issues with the new HP workstation services or apps that is causing this issue. I appreciate your help.

An account failed to log on.

Subject:

Security ID:		SYSTEM

Account Name:		SCHORBRSVR$

Account Domain:		SCHBT12

Logon ID:		0x3E7

Logon Type: 3

Account For Which Logon Failed:

Security ID:		NULL SID

Account Name:		

Account Domain:

Failure Information:

Failure Reason:		Unknown user name or bad password.

Status:			0xC000006D

Sub Status:		0xC0000064

Process Information:

Caller Process ID:	0x37c

Caller Process Name:	C:\Windows\System32\lsass.exe

Network Information:

Workstation Name:	SCHORBRSVR

Source Network Address:	-

Source Port:		-

Detailed Authentication Information:

Logon Process:		Schannel

Authentication Package:	Kerberos

Transited Services:	-

Package Name (NTLM only):	-

Key Length:		0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

- Transited services indicate which intermediate services have participated in this logon request.

- Package name indicates which sub-protocol was used among the NTLM protocols.

- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

1 answer

Your answer

Answer 1

Chen Tran 1,190 Independent Advisor

Hello,

Thank you for posting question on Microsoft Windows forum!

Based on your query of encountering Event ID 4625 (failed logon attempt) on Windows Server 2016 . The key point is that it stops when you turn off the new Windows 11 HP workstations. This strongly points to an issue originating from the workstations, even though the error appears on the server. You can try the following potential troubleshooting steps.

1.Isolate the Workstation:

As You have already observed that turning them off stops the errors. This confirms the workstation as the source.
When the workstation is ON, try to identify which one is generating the errors. You might need to check the exact timestamps of the errors on the server and try to correlate them with activity on individual workstations.

2.Test with a Different User Account:

If possible, try logging in with a different domain account to determine if the issue is account-specific.

3.Check Domain Trust Relationships:

Ensure the workstation is properly joined to the domain and that trust relationships between the domain controller and the workstation are intact.

4.Verify Secure Channel Integrity:

To confirm the workstation’s secure channel with the domain by running this command

nltest /sc_verify:<domain name>

Or using the Powershell command. Test-ComputerSecureChannel -Verbose

5.Verify Domain Controller Connectivity:

To confirm the workstation is communicating with the correct domain controller by running the command. nltest /dsgetdc:<domain name>

6.Time Synchronization:

Verify that the time on the Windows 11 workstations is synchronized with your domain controller.
Running the command w32tm /query /status in an elevated command prompt on the workstation will show you the time source.
Running the command w32tm /resync to force a resync. In case time significant differences between workstation and DC can cause Kerberos issues.

You can refer to the following articles for further reference regarding the issue of Event ID 4625.

Hope the above information is helpful!

Jamshid Javidi 106 Reputation points

2025-05-30T18:53:18.5933333+00:00

HI Chen,

Thank you for assisting me. Here is the situation. I have noticed this issue is with HP Workstations and I have used the http:\servername\connect command to join the workstations to the server 2016 essentials. The error occurs from each of the workstations that have different users. The common denominator is the are all HP Workstations, Windows 11, and have the connect command. everything works except, I am getting the login failure on the server. Is it it an issue with the command connect? Should I remove it? in the login failure event there are no mention of the IP or users or anything that gives me more information.

I appreciate your help.

Jamshid
Chen Tran 1,190 Reputation points Independent Advisor

2025-05-31T06:34:52.5866667+00:00
Hi Jamshid,

Based on your latest provided information of using the command http:\servername\connect command to join the workstations to the server 2016 essentials. I do not know whether you have performed the domain join traditional method like below steps to join the HP workstations to the Windows Server 2016.

Open Settings > System > About.

Click Advanced system settings.

Go to the Computer Name tab and click Change.

Select Domain, enter your domain name, and click OK.

Enter administrator credentials when prompted.

Restart the workstation.

If not, you can give it a shot for proper domain join between the workstations and DC.
Jamshid Javidi 106 Reputation points

2025-05-31T18:31:50.14+00:00

Hi Chan,

thank you for your response. because this is a Windows server essentials the proper way to join the domain was to usee http://server\command so it can show up in the Windows server 2016 essential dashboard. everything works o.k., There is an agent is installled. I can uninstall it but not sure the consequences.

I have not been able to solve and I believe there is no security issues. I have checked with the Antivrus support. the event viewer is not showing any users, or IP or any additional information. HOw can I solve this issue?

I appreciate your help.

Jamshid
Jamshid Javidi 106 Reputation points

2025-06-02T17:26:10.66+00:00

Hello Chan,

i hope you had a great weekend! I have noticed this issue on more than one server. So the issue is not account or server specific. I have used the severname\connect command because that is how we told to join a computer to the Windows server 2016 essential and so it will show up in the dashboard of the Windows server 2016 essential. There are no IP or user name in the event viewer for the this error. How can I narrow it down to find the cause of this issue. I know it happens only on HP workstations, Windows 11 pro, connected to Windows server 2016 essential. I appreciate your help.

Jamshid

Chen Tran 1,190 Independent Advisor

Hi Jamshid,

Thanks for providing extra information regarding the Event ID 4625! 

May I know if you have encountered any account locked out issue due to the Event ID 4625? 

On Windows Server 2016 (is this your domain controller and does it also play the role of PDC in your environment?). Open event viewer to navigate to security log to search for the Event ID 4740 for any potential locked out event. Otherwise, you can refer to the below article for more information regarding the Event ID 4625 and 4740.

https://4sysops.com/archives/find-the-source-of-account-lockouts-in-ad/ I also found the following article which presumably addresses your concern of the Event ID 4625.
https://learn.microsoft.com/en-us/troubleshoot/windows-client/system-management-components/failed-logon-event-when-running-remote-wmi?source=recommendations

Jamshid Javidi 106 Reputation points

2025-06-03T15:40:03.2733333+00:00

HI Chan,

thank you for your help. Yes the issue is from 4625 event viewer in Windows Security. The server is a on prem server and it is PDC. i searched for error 4740 and there was none in security, system and applications. Let me know if you need anything else.

Thanks again,

Jamshid
Jamshid Javidi 106 Reputation points

2025-06-06T18:45:51.03+00:00

Hi Chan,

I hope all is well! do you have any updates for me?

I appreciate your help.

Jamshid

Share via

New HP workstations connected to Windows server 2016 essentials giving login failure error4625

1 answer

Your answer