How to fix 4625: An account failed to log on on Windows Azure VMs

You have probably seen the error below while scanning your Event Viewer in Windows Azure VMs:

An account failed to log on.

Subject:
   Security ID:  NULL SID
   Account Name:  –
   Account Domain:  –
   Logon ID:  0x0
Logon Type:  3
Account For Which Logon Failed:
   Security ID:  NULL SID
   Account Name:  asdf
   Account Domain: 
Failure Information:
   Failure Reason:  Unknown user name or bad password.
   Status:   0xc000006d
   Sub Status:  0xc0000064
Process Information:
   Caller Process ID: 0x0
   Caller Process Name: –
Network Information:
   Workstation Name: WIN-R9H529RIO4Y
   Source Network Address: 10.42.42.201
   Source Port:  53176
Detailed Authentication Information:
   Logon Process:  NtLmSsp
   Authentication Package: NTLM
   Transited Services: –
   Package Name (NTLM only): –
   Key Length:  0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

  • Transited services indicate which intermediate services have participated in this logon request.
  • Package name indicates which sub-protocol was used among the NTLM protocols.
  • Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Account For Which Logon Failed:

This identifies the user that attempted to logon and failed.

  • Security ID: The SID of the account that attempted to log on. This is blank or NULL SID if a valid account was not identified – such as where the username specified does not correspond to a valid account logon name.
  • Account Name: The account logon name specified in the logon attempt.
  • Account Domain: The domain or – in the case of local accounts – computer name.

Failure Information:

This section explains why the logon failed.

  • Failure Reason: textual explanation of logon failure.
  • Status and Sub Status: Hexadecimal codes explaining the logon failure reason. Sometimes Sub Status is filled in and sometimes not. Below are the codes we have observed.
Status and Sub Status codes and their meaning (not checked against “Failure Reason:”):

  • 0xC0000064: user name does not exist
  • 0xC000006A: user name is correct but the password is wrong
  • 0xC0000234: user is currently locked out
  • 0xC0000072: account is currently disabled
  • 0xC000006F: user tried to log on outside his day-of-week or time-of-day restrictions
  • 0xC0000070: workstation restriction, or Authentication Policy Silo violation (look for event ID 4820 on the domain controller)
  • 0xC0000193: account expiration
  • 0xC0000071: expired password
  • 0xC0000133: clocks between DC and other computer too far out of sync
  • 0xC0000224: user is required to change password at next logon
  • 0xC0000225: evidently a bug in Windows and not a risk
  • 0xC000015B: the user has not been granted the requested logon type (aka logon right) at this machine
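As an added example (not from the original post), the following PowerShell pulls the 4625 events from the local Security log, decodes Status/Sub Status with the table above, and groups the failures by source address so password guessing over NTLM stands out from the occasional typo. It assumes it is run elevated on the VM; the 24-hour window is an arbitrary choice.

```powershell
# Sub Status (or Status, when Sub Status is 0x0) -> meaning, from the table above.
$reasonText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'user name is correct but the password is wrong'
    '0xc0000234' = 'user is currently locked out'
    '0xc0000072' = 'account is currently disabled'
    '0xc000006f' = 'logon outside day/time restrictions'
    '0xc0000070' = 'workstation restriction or Authentication Policy Silo violation'
    '0xc0000193' = 'account expired'
    '0xc0000071' = 'password expired'
    '0xc0000133' = 'clocks between DC and this computer out of sync'
    '0xc0000224' = 'user must change password at next logon'
    '0xc0000225' = 'Windows bug, not a risk'
    '0xc000015b' = 'requested logon type (logon right) not granted on this machine'
}

# Last 24 hours of failed logons on this machine (arbitrary window for the example).
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The rendered message is free text; the XML EventData carries the named fields.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # Sub Status is the specific reason; fall back to Status when it is 0x0.
    $code = if ($d.SubStatus -and $d.SubStatus -ne '0x0') { $d.SubStatus } else { $d.Status }
    $code = "$code".ToLower()
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = $d.TargetUserName
        Source    = $d.IpAddress          # "Source Network Address" in the message
        LogonType = $d.LogonType
        Package   = $d.AuthenticationPackageName
        Reason    = if ($reasonText.ContainsKey($code)) { $reasonText[$code] } else { $code }
    }
}

# One source hitting many distinct, mostly non-existent accounts over NTLM is
# guessing; a single user with "password is wrong" a few times is a typo.
$rows | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'Accounts';  e = { @($_.Group.Account | Sort-Object -Unique).Count } },
        @{ n = 'Packages';  e = { (@($_.Group.Package | Sort-Object -Unique) -join ',') } },
        @{ n = 'TopReason'; e = { @($_.Group.Reason | Group-Object | Sort-Object Count -Descending)[0].Name } } |
    Format-Table -AutoSize
```

The Source column is what you feed into the firewall or network security group rule; the Packages column confirms whether the attempts really arrive over NTLM before you apply the domain policy below.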

You can’t actually see any additional information about the IP of the person who is trying to get in, or any info about the user that would help you block him, so what you need to do is block incoming NTLM traffic to your machine.


  1. On the domain controller, use the Group Policy Management Console (GPMC) to open the Group Policy Restrict NTLM: NTLM authentication in this domain located under the Computer Configuration/Security Settings/Security Options node.

    This policy setting allows you to deny or allow NTLM authentication within this domain. This policy does not affect interactive logon to this domain controller.

  2. Select whichever of the following options your assessment supports:
    • Allow domain logon-related NTLM and NTLM traffic to servers in this domain

      The domain controller will allow all NTLM pass-through authentication requests within the domain. This is the behavior if this policy is not configured.

    • Allow domain logon-related NTLM traffic or NTLM traffic to servers in this domain

      The domain controller will deny all NTLM authentication logon attempts to all servers in the domain that are using domain accounts and display an NTLM blocked error unless the server name is on the exception list in the Network Security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain policy setting.

    • Deny domain logon-related NTLM traffic in this domain

      The domain controller will deny all NTLM authentication logon attempts from domain accounts and display an NTLM blocked error unless the server name is on the exception list in the Network Security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain policy setting.

    • Deny NTLM traffic to servers in this domain

      The domain controller will deny NTLM authentication requests to all servers in the domain and display an NTLM blocked error unless the server name is on the exception list in the Network Security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain policy setting.

    • Deny NTLM traffic in this domain

      The domain controller will deny all NTLM pass-through authentication requests from its servers and for its accounts and display an NTLM blocked error unless the server name is on the exception list in the Network Security: Restrict NTLM: Add server exceptions for NTLM authentication in this domain policy setting.
