Hi, I've been seeing this event for the last few weeks and have not been able to track down the cause.
This is a Server 2012 Standard VM running on Hyper-V. The source network IP address in the below log is this server's IPv6 IP address. I am not doing anything in particular with IPv6 in the network; if it is turned on for any product, it is that way by default. This particular server is running the full suite of RDP services such as gateway, broker, license, web, as well as rdapp; it is not a DC. I get a couple thousand of these a day. I'd unbind IPv6 but have read that Microsoft doesn't advise doing that. This also seems to happen quite a bit during extreme off times such as 1am when no users are on site. The only internet-facing aspect of this server is the RD Web Access portal. I'm happy to provide any further information if that helps diagnose where this is coming from.
Thanks for the help,
Joe
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 5/14/2014 6:19:01 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: server.mybox.local
Description:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: server
Account Domain: mybox.local
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: server
Source Network Address: fe80::844a:eefb:bfe1:8383
Source Port: 54612
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2014-05-13T20:19:01.141518600Z" />
<EventRecordID>3041821</EventRecordID>
<Correlation />
<Execution ProcessID="716" ThreadID="7060" />
<Channel>Security</Channel>
<Computer>server.mybox.local</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">server</Data>
<Data Name="TargetDomainName">mybox</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc0000064</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">NtLmSsp </Data>
<Data Name="AuthenticationPackageName">NTLM</Data>
<Data Name="WorkstationName">server</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0</Data>
<Data Name="ProcessName">-</Data>
<Data Name="IpAddress">fe80::844a:eefb:bfe1:8383</Data>
<Data Name="IpPort">54612</Data>
</EventData>
</Event>
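A triage sketch for events like the one in the post above, added here as an example and not part of the original post: it parses exported 4625 Event XML, decodes the sub status, and classifies the source address so that failures from the server's own interface can be counted separately from on-link or remote ones. The function names and the `local_addrs` parameter (the server's own addresses, supplied by the reader) are assumptions, and `SAMPLE` is constructed from the fields shown in the post.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE", 0xC0000064: "STATUS_NO_SUCH_USER",
            0xC000006A: "STATUS_WRONG_PASSWORD"}  # subset of logon-failure codes
# Constructed sample: the event above, reduced to the fields the triage uses.
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>4625</EventID><TimeCreated SystemTime="2014-05-13T20:19:01.141518600Z" />
<Computer>server.mybox.local</Computer></System><EventData>
<Data Name="TargetUserName">server</Data><Data Name="SubStatus">0xc0000064</Data>
<Data Name="IpAddress">fe80::844a:eefb:bfe1:8383</Data></EventData></Event>"""


def triage_4625(event_xml, local_addrs=()):
    """Return a triage dict for one 4625 event, or None for any other event."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    host = root.findtext("e:System/e:Computer", default="", namespaces=NS).split(".")[0].lower()
    local = {ipaddress.ip_address(a) for a in local_addrs}
    try:  # IpAddress can be "-" and may carry a %zone suffix
        ip = ipaddress.ip_address(data.get("IpAddress", "").split("%")[0])
    except ValueError:
        ip = None
    if ip is None:
        origin = "unknown"
    elif ip.is_loopback or ip in local:
        origin = "this-host"
    elif ip.is_link_local:
        origin = "same-link"  # on-segment, but not proven to be this host
    else:
        origin = "remote"
    sub = int(data.get("SubStatus", "0"), 16)
    return {
        "hour_utc": int(root.find("e:System/e:TimeCreated", NS).get("SystemTime")[11:13]),
        "origin": origin,
        "sub_status": NTSTATUS.get(sub, hex(sub)),
        "user_is_hostname": data.get("TargetUserName", "").lower() == host,
    }


def summarize(events, local_addrs=()):
    # Count failures per (origin, sub_status, hour_utc) across many events.
    rows = filter(None, (triage_4625(x, local_addrs) for x in events))
    return Counter((r["origin"], r["sub_status"], r["hour_utc"]) for r in rows)
```

For the event in the post, the sub status decodes to a nonexistent user name, and the user name is the bare host name rather than a machine account ending in `$`; the hour is taken from `SystemTime`, which is UTC.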