Within the last week I have been getting error 4625 in my Windows Security event viewer log. This is an on-premise server, not a VM, with 4 workstations joined to the domain. Here is the information from the event viewer. Please let me know what else you need to give me a resolution.
Thanks,
Jamshid
An account failed to log on.
Subject:
    Security ID: SYSTEM
    Account Name: MLFSERVER$
    Account Domain: ABCDMLF
    Logon ID: 0x3E7
Logon Type: 3
Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
    Account Domain:
Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC0000064
Process Information:
    Caller Process ID: 0x38c
    Caller Process Name: C:\Windows\System32\lsass.exe
Network Information:
    Workstation Name: MLFSERVER
    Source Network Address: -
    Source Port: -
Detailed Authentication Information:
    Logon Process: Schannel
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Thank you for your response. This issue occurred about a week ago. I have 5 workstations in the network and a copier scanner. Nothing has been added. Can you give more details on how to find the culprit? I appreciate your help.
Thanks,
Jamshid
Hello Jamshid Javidi,
Thank you for posting in Q&A forum.
Do you see only one entry of event ID 4625 on Windows Server 2016? If so, it seems one account (it is blank below) logs on to the machine named MLFSERVER$ in the domain named ABCDMLF via network logon (Logon Type: 3), but using an unknown user name or bad password.
You can try to check the information below on the machine named MLFSERVER$:
• Check the credential management to see if there are cached old user credentials.
• Check if you have used the wrong password to mount the network disk.
• Check whether the user has used the wrong password to start services, run scheduled tasks, etc.
• Check if there are other third-party programs that cache the user's wrong password.
• Manually entering the wrong credentials when doing something, such as logging on or accessing a network shared folder.
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
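Added example, not part of the original thread: a small Python parser for the 4625 message text posted in the question. It decodes the Sub Status code and counts events by the fields that identify a recurring caller, so that "identical" errors can be confirmed as one source. The function names `parse_4625` and `triage` are hypothetical, and the sample input is an abridged copy of the event above.

```python
from collections import Counter

# Sub Status codes documented by Microsoft for event 4625 (subset).
SUB_STATUS = {
    "0xC0000064": "user name does not exist",
    "0xC000006A": "user name is correct but the password is wrong",
}
SECTIONS = {"Subject", "Account For Which Logon Failed", "Failure Information",
            "Process Information", "Network Information", "Detailed Authentication Information"}

# Abridged copy of the event text posted in the question, used as sample input.
SAMPLE_EVENT = r"""Subject:
    Account Name: MLFSERVER$
Logon Type: 3
Account For Which Logon Failed:
    Account Name:
Failure Information:
    Sub Status: 0xC0000064
Process Information:
    Caller Process Name: C:\Windows\System32\lsass.exe
Network Information:
    Source Network Address: -
Detailed Authentication Information:
    Logon Process: Schannel
"""

def parse_4625(text):
    """Map 'Section/Field' -> value; 'Account Name' appears in two sections."""
    fields, section = {}, ""
    for line in text.splitlines():
        name, sep, value = (part.strip() for part in line.partition(":"))
        if name in SECTIONS and not value:
            section = name                # section header line
        elif sep:                         # skip free text that has no "Field: value" shape
            key = name if name == "Logon Type" else f"{section}/{name}"
            fields[key] = value
    return fields

def triage(event_texts):
    """Count events per (failed account, logon type, logon process, sub status, caller, source)."""
    counts = Counter()
    for f in map(parse_4625, event_texts):
        sub = "0x" + f["Failure Information/Sub Status"][2:].upper()
        counts[(f["Account For Which Logon Failed/Account Name"] or "<blank>",
                f["Logon Type"], f["Detailed Authentication Information/Logon Process"],
                SUB_STATUS.get(sub, sub),
                f["Process Information/Caller Process Name"].rsplit("\\", 1)[-1],
                f["Network Information/Source Network Address"])] += 1
    return counts
```

A single key with a high count means every failure comes from the same logon process and caller; several keys mean more than one source needs to be checked.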
Hello Daisy,
Thank you for your response. The errors are all identical: 4625 on the server. I do not get logon failures on the workstations. I have five existing workstations and one server. On each workstation there is a program that uses a SQL-based program installed on the server. Are you saying that there is a program or service on the server that is trying to log in and causes this failure? How do I find it? I have run antivirus and antimalware and I do not see any issues. What can I provide so that you can assist me better?
I appreciate your help.
Jamshid
Hi Daisy,
Thank you for assisting me. The errors are all identical: 4625 on the server. I do not get logon failures on the workstations. I have five existing workstations and one server. On each workstation there is a program that uses SQL. The main program is installed on the server and the agents are installed on the workstations. Nothing new has been added. I have looked at all the services that are running. I do not see any anomaly. What exactly do I look for? I have looked at the Credential Manager. I do not see anything. Everything is working correctly. I am only getting the error messages on my RMM dashboard.
Let me know if you need any logs or anything else. I appreciate your help.
Jamshid
Hi Daisy,
Yes, they are all part of the domain. I looked at the services. I only see some that have an empty field for the account in the login. What does that mean if in the services login the field for the account? Could they be the cause? Can I remove them and add them? Nothing for Event ID 4776 (NTLM authentication) or Event ID 4771 (domain Kerberos authentication). To be honest, I do not feel comfortable changing the audit policies in case I mess something up. Is there any other way I can find out the cause?
I appreciate your help.
Jamshid