Event Viewer – Can’t Find Failed Authentication in Windows

Tags: active-directory, event-viewer, windows-event-log

I'm trying to gather failed login/authentication events from DCs on a 2016 Domain.

I can see 4625 Audit Failure events in the Security Logs on the Domain Controllers when a user fails to log in at the logon screen.

When I try to run an application as another user and fail to log in correctly I see the 4025 on the local (desktop) event log, but I can't find a corresponding event on any DC.

I've looked, but possibly missed!, for other event types/logs at the same time but can't see anything that seems to correspond to the activity.

Can someone point me to how I collect this information centrally (from DCs)?

Best Answer

When a user fails to log in on a workstation or a server using domain credentials, this will usually trigger two types of events:

  • source device (where user is connected): will usually report ID 4625 and/or 4776
  • domain controller: will not report any event ID 4625 related to this login attempt. Instead, it will report Kerberos events with ID 4771 or 4768 related to TGT tickets. ID 4776 may also be reported depending on the authentication protocol used (NTLM or Kerberos). However, note that if you fail to log in on a domain controller, both ID 4625 and the related Kerberos IDs will be reported on the same device, as source and destination are the same.

So in order to see your failed attempts on your DCs, enable success and failure Kerberos auditing on your DCs using a GPO. Some help can be found here. Then I would suggest you set up a Windows Event Collector server (source) to centralize all your events before forwarding them to your SIEM (ELK, Splunk, ArcSight, ...).
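As an added example (not part of the answer above), here is a PowerShell script that pulls the failed 4768/4771/4776 events the answer describes from every DC and normalises them into one table; it assumes the ActiveDirectory module is installed and that the caller can read the Security log remotely on each DC.

```powershell
# Added example, not from the original answer. Assumes the ActiveDirectory module
# and remote read access to the Security log on each DC.
# The audit subcategories must already be enabled (via GPO under Advanced Audit
# Policy Configuration > Account Logon), or locally on a DC with:
#   auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
#   auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
param(
    [int]$Hours = 24,
    [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName
)

$filter = @{
    LogName   = 'Security'
    Id        = 4768, 4771, 4776
    StartTime = (Get-Date).AddHours(-$Hours)
}

foreach ($dc in $DomainController) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as "no failures on this DC".
        if ($_.Exception.Message -match 'No events were found') { continue }
        throw
    }

    foreach ($e in $events) {
        # Read EventData fields by name from the event XML rather than by position.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # 4771 is only logged on failure; 4768 and 4776 also log successes (Status 0x0).
        if ($e.Id -ne 4771 -and $d['Status'] -eq '0x0') { continue }

        # 4776 (NTLM) records the workstation name; Kerberos events record the client IP.
        $source = if ($e.Id -eq 4776) { $d['Workstation'] } else { $d['IpAddress'] }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            DC      = $dc
            EventId = $e.Id
            User    = $d['TargetUserName']
            Source  = $source
            Status  = $d['Status']   # e.g. 0x18 = bad password on 4771, 0xC000006A on 4776
        }
    }
}
```

Pipe the output to `Sort-Object Time` or `Export-Csv` to review the last day of failed attempts across all DCs in one place.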