In this guide, we will highlight some of the possible causes that can cause logon failure with Event ID in Windows Server 2008 r2, and then suggest possible solutions that you can use to try to resolve the issue.
This can be a useful event as it records and documents every failed login attempt to the local computer, regardless of login type, user location, or account design.
Fortect is the world's most popular and effective PC repair tool. It is trusted by millions of people to keep their systems running fast, smooth, and error-free. With its simple user interface and powerful scanning engine, Fortect quickly finds and fixes a broad range of Windows problems - from system instability and security issues to memory management and performance bottlenecks.
1. Download Fortect and install it on your computer
2. Launch the program and click "Scan"
3. Click "Repair" to fix any issues that are found
Identifies the provider that requested the connection, NOT the specific user who just tried to connect. The topic is usually zero or one of my maintenance principals and generally useless ideas. See “New Connection” for those who have just dived into the system.
Security ID
Account name
Account domain
Username
Registration
Registration Type:
This is amazing information because it tells shoppers HOW the user just signed in: For a table of login type codes, see 4624 .
Account On Connection Failure:
This indicates a user who tried to login and / or failed.
SID: SID accountingthe first entry for which the connection was established. This is an empty field or NULL-SID if a valid account was not taken into account – for example, if the specified username absolutely does not match the valid login of the account.
Account name: The account name specified when trying to connect.
Account domain: domain or, if added to local accounts, computer name.
Error Information:
The message explains why the connection could not be established.
Cause of error: Explanation of the text in case of connection failure.
Status and Substatus: Hexadecimal codes explaining registration as the reason for the vehicle. Sometimes the substatus is filled in last, sometimes not. Below are the discounts we saw.
Status also status subcodes
Description (not marked “error reason:”)
0xC0000064
Username does not exist
0xC000006A
Full nameusername is correct, but the password is incorrect
0xC0000234
The user can be described as currently blocked
0xC00000072
Account is currently deactivated
0xC000006F
A user tried to log in outside of the boy’s day of week or time of day restrictions
0xC0000070
Downsizing or violation of sandboxed authentication policy (matches event ID 4820 on a domain controller)
0xC0000193
Account Expiration
0xC00000071
Password expired
0xC0000133
Too high synchronization of clocks between DC and other electronic computers
0xC0000224
User must change password at next login
0xC0000225
obviously a bug in windows without risk
0xc000015b
The user did not receive most of the requested logins (also known as logon privileges) through this computer
Process Information:
Calling Process ID: The process ID that was listed as logged in 4688 when the executable was run.
Caller Process Name: Typically identifies the program executable that handled the connection. This is one of the trusted login elements named 4611 .
Network Information:
This section knows where the user was when registering. If the connection is started from the same computer, this information will of course be either blank or will reflect the respective local computers.
Workplace name: the name of the computer, in particular the user, is physically present in all cases, unless this connection was initiated by a server application acting on behalf of the user. The workstation may also not bepopulated for some Kerberos connections, because in the case of user connections, the Kerberos protocol doesn’t really care if it’s tied to a computer account and therefore doesn’t have a marketplace to carry the workstation name in the request message options>
Source network address: The IP address of the device on which the user is physically present in most cases, except when this connection was caused by a server application acting on the user’s behalf. If this connection can be initiated locally, sometimes the IP address must be 127.0.0.1 instead of the actual local private IP address. Sometimes this field is definitely blank because Microsoft says, “No, and the code path in Windows Server 2003 might be.” instrumented for the IP address, so it doesn’t always populate. “
Source Port: Identifies the source TCP port connected to an account that has since seemed unnecessary to request as the source ports for most protocols were random.
Detailsabout Authentication:
Registration procedure: (see 4611 )
Authentication package: (see 4610 or 4622 )
Successful Services: This is for servers where applications need to accept a different type of validation from the client and then pass Kerberos to the client components to access other resources. See http://msdn.microsoft.com/msdnmag/issues/03/04/SecurityBriefs/
Package name: If this login was authenticated through the NTLM project (for example, instead of Kerberos), this field specifies which version of NTLM will be used. For security, see Network Security: LAN Manager Authentication Level
Key length: The length of the key that protects the “secure channel”. See Security section “Domain Member Setting: Optimal Session Key Required (Windows 2000 or Higher)”. If the value is 0, the “Domain Member: Digitally Encrypt Street Protected Data (If Possible)” security setting will not work.
