20,223 questions
Failed logon Type-3 Event log 4625 Track source IP from Proxy authentication IP ::1
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 38%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECG%3C/text%3E%3C/svg%3E)
Craig Garland
336
Reputation points
Hi
I am getting event log 4625 after changing a password.
I know its a system with cache logon information but I cannot track it down. The logon events are for servers in a trusted domain so the failures always point back to one of the Domain controllers.
The event on the DC is the local loop back ::1. See info below. Note Ticket 0X408 looks to be for a proxy authentication.
ServiceName krbtgt/turk_dom
TicketOptions 0x40810010
Status 0x18
PreAuthType 2
IpAddress ::1
IpPort 0
I have looks through event logs on both these machine around the time of the failed logon but still cannot find the source ip.
I am hoping someone knows how to track back the source IP for a proxy Authentication.
Please let me know if you have something for me to try?
Thanks
Craig
Windows for business | Windows Server | User experience | Other
Sign in to answer