
(Audit failure - 4625) log caused by the STAS user in the domain

I have a Sophos xg210 model firewall. I use STAS to be included in the domain (Example Username: sophos_stas).

I have a server not included in the domain. When I examine the security logs of this server from the event logs, I get an audit failure error (4625) from the user "sophos_stas". I get hundreds of errors. The user causing the error is "sophos stas". The IP address is the IP address of my domain controller server.

How can I solve this problem?



  • Hi delivaldez

    Here are some specific situations that could trigger Event ID 4625, along with some recommended actions to fix the problem:

    1. Event log 4625 indicates that the failed logon attempt was due to an incorrect username or password: you should double-check the username used for logging on. If the username is correct, try resetting the user’s password and attempting to log in again.

    2. The event log indicates that the user account is disabled or expired: check the account status in Active Directory Users and Computers or use another suitable AD tool. If the account is disabled, re-enable it.

    If the account is expired, extend the expiration date or create a new account for the user.

    3. Event log 4625 shows that the user is not permitted to log on to a computer: firstly, remove them from that group.

    Alternatively, adjust the group policy to allow login access to the group.

    4. The event log indicates that the failed logon attempt was due to network connectivity issues: Troubleshoot any network connectivity issues (firewalls or network routing problems).

    5. Check the event logs for related events, such as authentication failures or security events, that might provide additional information about the failed logon attempt.

    6. If there are multiple failed logon attempts from the same user account, it could be a sign of a hacking attempt or malware infection. Perform a full malware scan and investigate further.

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.
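
The causes listed in points 1 to 3 of the reply above are recorded in each 4625 event as a SubStatus code, and the source the question describes is in the IpAddress field. The following Python sketch is an added example, not part of the original thread or of any Sophos tool; it groups 4625 events, supplied as one XML `<Event>` string each, by account, source IP, logon type and cause. The sample events, the 192.0.2.x addresses and the svc_backup account are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# NTSTATUS values found in the SubStatus field of 4625 events.
SUBSTATUS = {
    "0xc0000064": "user name does not exist",
    "0xc000006a": "wrong password",
    "0xc0000072": "account disabled",
    "0xc0000193": "account expired",
    "0xc000015b": "logon type not granted on this machine",
    "0xc0000234": "account locked out",
}

def parse_4625(xml_text):
    """Return (account, source IP, logon type, cause), or None if not a 4625 event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        return None
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    code = data.get("SubStatus", "").lower()
    return (data.get("TargetUserName", ""), data.get("IpAddress", ""),
            data.get("LogonType", ""), SUBSTATUS.get(code, "other: " + code))

def summarize(events):
    """Count failures per (account, source IP, logon type, cause), most frequent first."""
    return Counter(filter(None, map(parse_4625, events))).most_common()

def _sample(event_id, user, ip, logon_type, substatus):
    # Constructed event carrying only the fields this example reads.
    fields = {"TargetUserName": user, "IpAddress": ip,
              "LogonType": logon_type, "SubStatus": substatus}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{body}</EventData></Event>')

# Constructed sample: repeated failures for one account from one address,
# one unrelated failure, and one successful logon (4624) that is ignored.
SAMPLE_EVENTS = (
    [_sample(4625, "sophos_stas", "192.0.2.10", "3", "0xC0000064")] * 3
    + [_sample(4625, "svc_backup", "192.0.2.20", "3", "0xC000006A"),
       _sample(4624, "svc_backup", "192.0.2.20", "3", "0x0")]
)

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_EVENTS):
        print(count, *key, sep=" | ")
```

A single account, source address and cause accounting for nearly all failures indicates an automated process rather than a person mistyping a password.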

  • I defined the ip address of the server in the clientless user section and the problem was solved.