Forum Discussion
RDP authentication failures not reflected in security log?
- Mar 05, 2023
This is actually by design.
You see, when you attempt to log on to an RDP session, the security provider behind the logon process called CredSSP decides whether to employ Kerberos or NTLM to verify your identity to the remote computer.
If Kerberos is available for which you need direct line of sight towards the Domain Controller, CredSSP attempts to verify your credential with the Domain Controller. If the password provided is wrong, the Domain Controller logs an Event ID 4771 - Kerberos PreAuthentication Failed.
If Kerberos is not available, CredSSP falls back to NTLM and attempts to verify your credential directly with the remote computer, which in turn relays the credential verification to the Domain Controller. If, in this case, the password provided is wrong, the remote computer logs an Event ID 4625 - Logon Failed and the Domain Controller logs an Event ID 4776 - Credential Validation Failed.
Cheers,
Vojtech
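The two paths described above, turned into a small triage script. This is an added example, not code from the thread or from Microsoft: it classifies constructed sample Security-log records (hostnames DC01 and RDS01, the account names and the 5-second correlation window are all assumptions) by whether the failure went through Kerberos (4771 on the DC only) or the NTLM fallback (4625 on the RDP host plus 4776 on the DC), and lists which accounts' failures never reach the RDP host's own log.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Each record is the host that wrote the
# event, the Event ID, the account name and a timestamp from that host's Security log.
SAMPLE_EVENTS = [
    {"host": "DC01",  "id": 4771, "user": "alice", "ts": "2023-03-05T09:00:01"},  # Kerberos path
    {"host": "RDS01", "id": 4625, "user": "bob",   "ts": "2023-03-05T09:05:10"},  # NTLM path, RDP host
    {"host": "DC01",  "id": 4776, "user": "bob",   "ts": "2023-03-05T09:05:11"},  # NTLM path, DC
    {"host": "RDS01", "id": 4625, "user": "carol", "ts": "2023-03-05T09:07:00"},  # no matching 4776
]
DOMAIN_CONTROLLERS = {"DC01"}  # assumption: the caller knows which hosts are DCs


def classify_failures(events, dcs, window=timedelta(seconds=5)):
    """Attribute each failed logon to the Kerberos or NTLM path described in the thread.

    4771 on a DC         -> Kerberos pre-authentication failed; the RDP host logs nothing.
    4625 on the RDP host -> NTLM fallback; confirmed when a DC logged 4776 for the same
                            account within `window` (assumed), otherwise flagged for review
                            (e.g. a local account, or Logon auditing not enabled on the DC).
    """
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    findings = []
    for e in parsed:
        if e["id"] == 4771 and e["host"] in dcs:
            findings.append({"user": e["user"], "path": "kerberos",
                             "logged_on": [e["host"]]})
        elif e["id"] == 4625 and e["host"] not in dcs:
            dc_hits = [o["host"] for o in parsed
                       if o["id"] == 4776 and o["host"] in dcs
                       and o["user"] == e["user"] and abs(o["ts"] - e["ts"]) <= window]
            findings.append({"user": e["user"],
                             "path": "ntlm" if dc_hits else "ntlm-unconfirmed",
                             "logged_on": [e["host"], *dc_hits]})
    return findings


def missing_from_host(findings, rdp_host):
    """Accounts whose failure never touched the RDP host's Security log (the thread's question)."""
    return sorted({f["user"] for f in findings if rdp_host not in f["logged_on"]})


if __name__ == "__main__":
    result = classify_failures(SAMPLE_EVENTS, DOMAIN_CONTROLLERS)
    for f in result:
        print(f"{f['user']:6} {f['path']:18} logged on {', '.join(f['logged_on'])}")
    print("not visible on RDS01:", missing_from_host(result, "RDS01"))
```

Feed it real records by exporting the Security logs of the RDP host and the DCs to the same field set; only failures that went through Kerberos will be absent from the RDP host.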
Fair enough. That doesn't make a lot of sense to me as the two event IDs are for very different purposes, but if that's what you're seeing, there's not much else I can say.
Event IDs are very well defined. I've dropped the references for both below.
If you run the following as an administrator on the server/client into which you're RDP-ing, it will tell you how auditing is currently set (directly, meaning GPO would override it, but you say there is no GPO) on the Logon category, and if so, whether it's for successes and/or failures only, neither or both:
auditpol /get /subcategory:"Logon"
Example output showing both auditing types are set:
Reference articles:
- 4624(S) An account was successfully logged on. (Windows 10) - Windows security | Microsoft Docs
- Audit Logon (Windows 10) - Windows security | Microsoft Docs
- 4776(S, F) The computer attempted to validate the credentials for an account. (Windows 10) - Windows security | Microsoft Docs
Cheers,
Lain
- Cory_Laidlaw, Mar 10, 2023, Copper Contributor