Why Do I Have Incomplete Information on Failed Logons?

Situation

In Search Results or Reports, the What field (the destination of a logon) is empty for failed logon events.

Explanation

Netwrix Auditor Logon Activity collects data using native Windows tools only, reading the events written to the Windows event log. Windows records failed logons with different event types depending on whether the failure happens on a workstation or on a Domain Controller.

Within a domain, all logons go through a Domain Controller, which uses the Kerberos ticketing system for authentication. When a logon on a workstation fails, three events are created: 4768, 4769 and 4771. The first two are informational events that register the Kerberos authentication request; the third (4771) is the event that carries the information about the requester of the authentication.

The problem is that a failed logon does not get past Kerberos pre-authentication. At that stage the request carries no information about the destination of the logon, so the 4771 event does not contain it either. Because we rely only on native tools to gather information, we cannot populate the What field of such a failed logon.

When a logon on a Domain Controller itself fails, the process is simpler: it is treated as a failed local logon attempt, event 4625 is written, and that event does include the data for the destination.
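The difference between the two event types is easiest to see on the raw event data. The following Python script is an added example, not Netwrix code: it parses two constructed Security-log records in the XML shape that Get-WinEvent's ToXml() produces (a 4771 Kerberos pre-authentication failure and a 4625 local logon failure) and maps each one to Who / Where / What. The 4771 record yields the requester's account and client address but no destination, while the 4625 record yields the workstation name and the logging computer as the destination. The Kerberos status codes come from RFC 4120 and the NTSTATUS sub-status codes from the 4625 event definition; the host names, SIDs and addresses are made up for the example.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Namespace used by Windows event XML (Get-WinEvent ... | % { $_.ToXml() }).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Kerberos KDC error codes seen in the Status field of 4771 (RFC 4120, hex).
KRB_STATUS = {
    "0x12": "KDC_ERR_CLIENT_REVOKED",   # account disabled, locked or expired
    "0x17": "KDC_ERR_KEY_EXPIRED",      # password expired
    "0x18": "KDC_ERR_PREAUTH_FAILED",   # wrong password
}

# NTSTATUS sub-status codes seen in the SubStatus field of 4625.
NT_SUBSTATUS = {
    "0xc0000064": "user name does not exist",
    "0xc000006a": "wrong password",
    "0xc0000072": "account disabled",
    "0xc0000234": "account locked out",
}

# Constructed sample record: 4771 written by the DC for a failed workstation logon.
SAMPLE_4771 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4771</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jsmith</Data>
    <Data Name="TargetSid">S-1-5-21-1111-2222-3333-1105</Data>
    <Data Name="ServiceName">krbtgt/CORP</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:10.0.0.25</Data>
    <Data Name="IpPort">52344</Data>
  </EventData></Event>"""

# Constructed sample record: 4625 written by the DC for a failed logon on the DC itself.
SAMPLE_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4625</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jsmith</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="WorkstationName">DC01</Data>
    <Data Name="IpAddress">127.0.0.1</Data>
  </EventData></Event>"""


def parse_event(xml_text: str):
    """Return (event_id, logging computer, {Data Name: value}) for one event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    computer = root.find("e:System/e:Computer", NS).text
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, computer, data


def client_address(raw: str) -> Optional[str]:
    """Strip the IPv4-mapped IPv6 prefix the KDC writes (::ffff:10.0.0.25 -> 10.0.0.25)."""
    if not raw or raw == "-":
        return None
    return raw[7:] if raw.lower().startswith("::ffff:") else raw


def normalize_failed_logon(xml_text: str) -> Optional[dict]:
    """Map a failed-logon event to Who / Where / What; None for other event IDs."""
    event_id, computer, data = parse_event(xml_text)
    if event_id == 4771:
        # Pre-authentication failed: only the requester is known, no destination.
        return {
            "event_id": event_id,
            "who": data.get("TargetUserName"),
            "where": client_address(data.get("IpAddress")),
            "what": None,
            "reason": KRB_STATUS.get(data.get("Status", "").lower(), data.get("Status")),
            "logged_by": computer,
        }
    if event_id == 4625:
        # Local logon failure: the logging computer is the destination.
        return {
            "event_id": event_id,
            "who": f"{data.get('TargetDomainName', '')}\\{data.get('TargetUserName', '')}",
            "where": data.get("WorkstationName") or client_address(data.get("IpAddress")),
            "what": computer,
            "reason": NT_SUBSTATUS.get(data.get("SubStatus", "").lower(), data.get("SubStatus")),
            "logged_by": computer,
        }
    return None


if __name__ == "__main__":
    for sample in (SAMPLE_4771, SAMPLE_4625):
        print(normalize_failed_logon(sample))
```

To run it against real data, export events with `Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4771 or EventID=4625]]"` and feed each record's `ToXml()` output to `normalize_failed_logon`; every 4771 row will have `what` set to `None`, which is exactly the empty What field described above.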

If you would like to have information on how to investigate Failed Logons, check out these articles: