Failed logon Type-3 Event log 4625 Track source IP from Proxy authentication IP ::1

Craig Garland 286 Reputation points
2021-08-30T05:58:49.087+00:00

Hi

I am getting event log 4625 after changing a password.

I know its a system with cache logon information but I cannot track it down. The logon events are for servers in a trusted domain so the failures always point back to one of the Domain controllers.

The event on the DC is the local loop back ::1. See info below. Note Ticket 0X408 looks to be for a proxy authentication.
ServiceName krbtgt/turk_dom
TicketOptions 0x40810010
Status 0x18
PreAuthType 2
IpAddress ::1
IpPort 0

I have looks through event logs on both these machine around the time of the failed logon but still cannot find the source ip.

I am hoping someone knows how to track back the source IP for a proxy Authentication.

Please let me know if you have something for me to try?

Thanks
Craig

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,455 questions
0 comments No comments
{count} votes