Event ID 4625 Not Being Logged For Failed RDP...
Posted 9/8/2010 11:36:31 AM
Forum Newbie
Group: Forum Members
Last Login: 2/17/2012 1:01:23 PM
Posts: 4, Visits: 5
I am looking to audit failed RDP login attempts on the servers in my domain. When a login fails, I see an event logged in the Security Log on the domain controller (Event ID 4771), but there is no corresponding failure event logged in the Security Log on the server I am trying to RDP to. Shouldn't I see a 4625 event with a LogonType of 10?

(Note: Failed interactive logins (Type =2) are being logged correctly for workstation logins, both locally and to the domain, as are workstation unlocks (Type =7).)


Configuration:

- Windows 2008 domain controller (mixed-mode)
- Server trying to RDP to: Windows 2008
- Workstation attempting from: Windows 7

Post #464
Posted 9/8/2010 1:47:54 PM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326, Visits: 0
No, that's normal, here's why. In Kerberos, the client has to first successfully obtain a ticket from the domain controller before the actual logon session at the server is initiated. If Kerberos authentication fails between the client and DC, it never gets to the point where the logon fails on the server.
Post #465
Posted 9/8/2010 4:58:38 PM
Forum Newbie
Group: Forum Members
Last Login: 2/17/2012 1:01:23 PM
Posts: 4, Visits: 5
Thanks for the reply, that makes sense. So how do I monitor failed RDP login attempts? And what is the purpose of the Logon Type 10?
Post #466
Posted 9/8/2010 5:58:53 PM
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326, Visits: 0
That is one of the difficulties with Kerberos events - they can't tell you what logon type is taking place back on the system being logged onto.

You will still see 4624 events with logon type 10 when the Kerberos authentication is successful. And you may see 4625 events when a user tries to log on with a local account to the server.

Post #467
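An added example, not from the thread, that pulls together the events the reply describes: 4771 (Kerberos pre-authentication failure) from the domain controller and the LogonType 10 4624/4625 events from the RDP target, so a failed domain logon over RDP is at least visible on the DC side next to the successes and local-account failures on the server. The computer names, the time window and the right to read the remote Security logs are assumptions.

```powershell
# Added example, not from the forum post. Assumed names: $Dc and $RdpServer.
param(
    [string]$Dc = 'DC01',          # assumption: a domain controller
    [string]$RdpServer = 'APP01',  # assumption: the server users RDP to
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Pull one EventData field out of an event's XML by its Name attribute.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1) Kerberos pre-auth failures on the DC; this is where a bad domain password
#    surfaces (Status 0x18 = KDC_ERR_PREAUTH_FAILED).
$kerbFailures = Get-WinEvent -ComputerName $Dc -FilterHashtable @{
        LogName = 'Security'; Id = 4771; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Source = $Dc
            Event  = 4771
            User   = Get-EventField $_ 'TargetUserName'
            Client = Get-EventField $_ 'IpAddress'
            Status = Get-EventField $_ 'Status'
        }
    }

# 2) Logon events on the RDP target, keeping only RemoteInteractive (LogonType 10):
#    4624 for successes, 4625 for failures (local accounts, per the reply above).
$rdpEvents = Get-WinEvent -ComputerName $RdpServer -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'LogonType') -eq '10' } |
    ForEach-Object {
        $status = if ($_.Id -eq 4625) { Get-EventField $_ 'SubStatus' } else { 'success' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Source = $RdpServer
            Event  = $_.Id
            User   = Get-EventField $_ 'TargetUserName'
            Client = Get-EventField $_ 'IpAddress'
            Status = $status
        }
    }

# One timeline across both machines; drop the nulls left by an empty result set.
@($kerbFailures) + @($rdpEvents) | Where-Object { $_ } | Sort-Object Time | Format-Table -AutoSize
```

If Network Level Authentication is enabled on the target, also include LogonType 3 in the filter: the CredSSP pre-authentication step records failed attempts as network logons before any type 10 session is created.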
Posted 9/9/2010 10:05:07 AM
Forum Newbie
Group: Forum Members
Last Login: 2/17/2012 1:01:23 PM
Posts: 4, Visits: 5
Okay, that's what I was afraid of. Thanks for your help.
Post #469