Finding the IP of a computer causing Event ID 4776

Logging onto an AD Server this week, we found a very worrying event in the Security Event Viewer when we saw Event ID 4776 Audit Failure every few seconds. The problem with this event is that if it does not pass on authentication, it gives you no information on where it originates.

Let’s start with why this event displays on the Domain Controller displays this message.

Local Policies

On the server, open your Local Security Policy, browse to Local Policies -> Audit Policy, and find the option, Audit Account Logon Events. Once open both options for Sucess and Failure should be Selected.

Local Security Policy

The Short Explanation:
This security setting determines whether the OS audits each time this computer validates an account’s credentials.

Scenarios

The Original scenario is we have a firewall that controls internet access based on the group each user belongs to. For the firewall to give the correct internet access at the right location the above-mentioned Policy needs to be enabled. This purely generates the logs in the Security Event Viewer. The second thing that occurred is there were some Ports opened for Specific applications to allow access from outside the network, this is where we eventually traced the authentication requests from.

While trying to set up a testing environment I could not replicate these log files on the domain controller until the Policy was enabled. The Test environment was set up with Three machines, a Newly set up Domain, a File server to authenticate to, and a Workstation to generate Authentication Errors.

File Server

The File server has a simple Share on it which only allows access to Domain Admins and Domain Users.
The IP of the server is 172.16.1.11 and the Server Name is ZADBNKSIT001VM. Because the authentication is done against it directly the Event does Display the Workstation Originating IP and Name.

Event 4776

Workstation

The Workstation runs a simple script that authenticates continually against the File Server with the following command:

net use \\172.16.1.11\Software /user:ad\admin RandomPassword

The details do not matter is just generate different Status codes and Failure reasons depending on the details being used for Authentication.

Workstation IP: 172.16.1.2
Workstation Name: The_FN_Workstation

As you can see the Workstation name does not display correctly based on what it actually is in the log file.

Status Codes

Below is a list of Status Codes a quick search online gave us.

Status CodeDescription
C0000064The username does not exist
C000006AThe username is correct but the password is wrong
C0000234The user is currently locked out
C0000072The account is currently disabled
C000006FThe user tried to log on outside their day-of-the-week or time-of-day restrictions
C0000070The user attempted to log on from a restricted workstation
C0000193The user tried to log on with an expired account
C0000071The user tried to log on with a stale password
C0000224The user is required to change their password at the next logon
C0000225Evidently a bug in Windows and not a risk

Domain Controller

The Domain Controller is where the issue was originally found on. The Logs were very simple and due to the Traffic originating from outside it was not possible to resolve a hostname to IP.

Event 4776

To get more detail on this we need to enable additional Logging. To do this open Command Prompt (CMD) in Admin Mode on the server where you require the additional information, use the following command:

nltest /dbflag:0x2080ffff

This creates a file in %windir%\debug\ named netlogon.log
The created file logs additional logon request information like where it originates from.

nltest /dbflag:0x2080ffff
%windir%\debug\netlogon.log 
nltest /dbflag:0x0

When you got the information you required remember to turn off the logging with the command:

nltest /dbflag:0x0

********************************************************

If you liked what you read Please Share.
I’d love it if you followed me on YouTube and Facebook.

Also, feel free to subscribe to my posts by email.
Donations for the site can be made here.
Thanks for reading.

Spread the love

Leave a Reply

Your email address will not be published. Required fields are marked *