Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Multiple 4625 event IDs are logged when a user logs on in Forefront Unified Access Gateway 2010

Multiple 4625 event IDs are logged when a user logs on in Forefront Unified Access Gateway 2010

Symptoms

Consider the following scenario:
  • You have multiple domains inside an Active Directory Domain Services (AD DS) forest to which Microsoft Forefront Unified Access Gateway (UAG) 2010 belongs.
  • You have users in a child domain of the forest.
  • You have Service Pack 3 for Forefront Unified Access Gateway 2010 or Rollup 1 for Forefront Unified Access Gateway 2010 Service Pack 3 installed.
  • The Account Domain field in the 4625 event displays the distinguished name (DN) of the parent domain.
  • You have users authenticating to Forefront UAG.

In this scenario, you may notice an increase in the number of failed logon tries in the Security event logs on the domain controllers. A user logging on to Forefront UAG may generate multiple 4625 events every time that they log on. This problem occurs when Forefront UAG tries to look up the groups from multiple sub-domains. The logged events do not affect the user logging on.
The 4625 events
The 4625 events may resemble the following:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: datetime
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: dc1.contoso.com
Description:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: UAG01$
Account Domain: CONTOSO
Logon ID: 0x3e7
Logon Type: 3
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: username
Account Domain: DC=contoso,DC=com
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID:
Caller Process Name: -
Network Information:
Workstation Name: UAG01
Source Network Address: 192.168.0.1
Source Port: 12345

↑ Back to the top

Cause

This problem occurs because multiple events are logged every time that a user logs on to Forefront UAG. In this case, enumeration of the groups in which the user is a member in other sub-domains is tried. These lookups may result in an incorrect query that triggers the failed logon events. 

↑ Back to the top

Resolution

To resolve this problem, install Service Pack 4  for Microsoft Forefront Unified Access Gateway 2010, and then follow the steps in the "More Information" section.

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

More Information

To prevent Forefront UAG from enumerating groups on sub-domains, follow these steps:
  1. Create the following registry value:

    Registry subkey location: HKEY_LOCAL_MACHINE\Software\WhaleCom\e-Gap\von\UserMgr
    DWORD name: DoNotFetchSubdomainUserGroups
    DWORD Value: 1

  2. Apply Service Pack 4 for Forefront Unified Access Gateway 2010.
  3. Start the Microsoft Forefront UAG Management console, and then click Activate to apply the changes to your configuration.
  4. In the lower message pane, wait for the following informational message:

    Activation completed successfully.

    Note     By default, informational messages are not enabled or displayed. To enable the informational messages, follow these steps:
    1. In the Forefront UAG Management console, on the Messages menu, click Filter Messages.
    2. On the Messages Filter dialog box, in the Message Window area, click to select the Information messages check box, and then click OK.


Note Setting this registry subkey has no functional effect on the logon process and prevents the failed logon tries from being raised.

↑ Back to the top

References

See the terminology Microsoft uses to describe software updates.

↑ Back to the top

Keywords: kbnotautohotfix, kbqfe, kbfix, kbexpertiseinter, kbsurveynew, kbbug, kb

↑ Back to the top

Article Info
Article ID : 2910413
Revision : 1
Created on : 1/7/2017
Published on : 11/27/2013
Exists online : False
Views : 207