Domain server error, event 4625

dreamer123456 used Ask the Experts™
I just started working on this network. I see the error below few times an hour on domain server. The IP below 192.168.0.xx is ip of domain server.

Any help will be appreciated.

An account failed to log on.

      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            administrator
      Account Domain:            DOMAIN

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xC000006D
      Sub Status:            0xC000006A

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      NEXPOSE
      Source Network Address:      192.168.0.xx
      Source Port:            49752

Detailed Authentication Information:
      Logon Process:            NtLmSsp
      Authentication Package:      NTLM
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
More than likely the workstation (listed in Workstation Name: NEXPOSE) is doing a pass through authentication on an account named administrator.  An example of what could be happening would be user on another system is attempt to access a share on NEXPOSE using the administrator credential.  Kerberos authentication fails so NEXPOSE attempts to validate using NTLM.  It sends a request to the domain controller to validate the user (administrator).  The domain  also has an administrator account and the passwords don't match.

This can also happen if you are using a script to access machines using the local administrator account for the credential.  If the target workstaion is in the domain it will attempt to validate authentication against the domain.  The Domain administrator password is not the same  as that of the local workstation password generating the failed logon attempt

Other potential causes, Service accounts, scheduled tasks and  mapped drives that are using administrator as the credential
Exec Consultant
Distinguished Expert 2018
Actually I am thinking NEXPOSE is actually a scanning machine. The name is product name from a company called Rapid7. The product main feature is to scan remotely other machine for any gaps and it will also attempt account to try to login (e.g. NTLM) etc. Here is a configuration of the product to add in credential and NTLM hash for authentication to the target machine.

 In short, NEXPOSE may be trying to penetrate into the DC system.
- Look for any other logoff failure in the past few days or week if possible.
- Check with your past colleague if such symptom is new.
- Specifically, is such 4625 event common during any security scanning done by the IT or security team.
- Do trace down this machine. Check any domain user using it. See if it is domain (or standalone) machine.
- Check the firewall logs too on the source, and traffic to other internal IP addresses (other machine).
- Check if the machine is going into or from internet.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial