We have a couple of workstations (of many) on a domain which are generating Windows logon errors 4625 Type 3 at a workstation "fileserver". I've not been able to find a cause - so they persist.
Our SIEM system is reporting them.
I've made traffic captures with Wireshark between the client and the server but don't see anything very helpful.
The usernames (such as would be cached in Windows credentials) that are failing are no longer in use and hark back to a time when these workstations were on a peer-to-peer network and Windows Credentials *were* in use.
I saw: https://www.experts-exchange.com/questions/29168030/Failed-Logons-hammering-Workgroup-file-server-Win-10.html
The thing is, the possible usernames are now domain users and have replaced the local usernames that had been in use earlier.
We have removed all instances of Windows Credentials that had been in use during domain transition.
(The fileserver workstation is in the last subnet to be brought into the domain).
There are lots of examples where this isn't a problem. There are quite a few workstation fileservers and over 50 workstations. The one fileserver affected is the most accessible by number of users.