4625- Security Microsoft Unified Security Protocol Provider SChannel

Question

4625- Security Microsoft Unified Security Protocol Provider SChannel

Radhika Sridhar 20

While calling sslStream.AuthenticateAsServer(this.serverCertificate, true, SslProtocols.Tls12, false) method throwing below Audit information error

An account failed to log on.

Subject:

Security ID:		NULL SID

Account Name:		-

Account Domain:		-

Logon ID:		0x0

Logon Type: 3

Account For Which Logon Failed:

Security ID:		NULL SID

Account Name:		

Account Domain:		-

Failure Information:

Failure Reason:		An Error occured during Logon.

Status:			0xC000006D

Sub Status:		0x80090325

Process Information:

Caller Process ID:	0x0

Caller Process Name:	-

Network Information:

Workstation Name:	-

Source Network Address:	-

Source Port:		-

Detailed Authentication Information:

Logon Process:		Schannel

Authentication Package:	Microsoft Unified Security Protocol Provider

Transited Services:	-

Package Name (NTLM only):	-

Key Length:		0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.

- Transited services indicate which intermediate services have participated in this logon request.

- Package name indicates which sub-protocol was used among the NTLM protocols.

- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Please guide me how to fix this?

3 answers

Your answer

Answer 1

Raymond Huynh (WICLOUD CORPORATION) 4,235 Microsoft External Staff Moderator

Hello Radhika Sridhar,

Thanks for sharing the context. This event looks confusing, but it’s actually a normal 4625 failed-logon entry.

Microsoft’s official description of Event ID 4625 is here:

https://xtls-v4.hkg1.meaqua.org/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4625

This explains that Windows logs 4625 whenever an authentication attempt fails, including cases where the system cannot identify a real user account.

Your event shows:

• Logon Type 3 (network)

• NULL SID and no username

• Status 0xC000006D (“invalid credentials”)

This normally happens when a service, device, or application tries to connect with incorrect credentials or an invalid / expired certificate. The system never gets far enough to map the connection to a user, so it logs 4625 with minimal identity info.
For comparison, here is another Microsoft Q&A thread showing similar behavior caused by TLS / SChannel handshake failures: https://xtls-v4.hkg1.meaqua.org/en-us/answers/questions/3883421/windows-logon-failure-4625

Please check for these:

• The source IP to confirm the device making the request

• Any services or scheduled tasks using old credentials

• Whether the client is using an expired or untrusted certificate

Hope this helps!

Radhika Sridhar 20 Reputation points

2025-12-11T11:21:21.4+00:00

Please help us why this is happening during certificate authentication
David AVILA 5 Reputation points

2025-12-12T19:01:43.8333333+00:00

Hi, I have the same problem on 3 computers (Win11 Pro + all updates) when they are trying to access on a server (a Win11 Pro configure as a workgroup server). The problem is appeared after installing KB5072033 on the "server"... and it works again after uninstalling this KB on the server... If I reinstall the KB, the problem came back... The problem is present with 3 Win11Pro computers... but I don't have the problem to accessing the server on a 4th computer, with the same Win11 version and updates (with or without the KB on the "server") !!!
Raymond Huynh (WICLOUD CORPORATION) 4,235 Reputation points Microsoft External Staff Moderator

2025-12-22T10:40:05.0133333+00:00

Hello Radhika Sridhar and David AVILA,

If you’ve checked your certificates and configuration and things still aren’t working in your specific environment, it’s reasonable to open a support case with Microsoft Support so they can look at your logs and setup directly. The forum can explain general behavior, but deeper diagnostics for your exact scenario is something only support can do.

Microsoft Support – Contact Us (general support/help page): https://support.microsoft.com/en-us/contactus/

If someone needs to open a formal support case (especially for a deeper issue that can’t be solved on the community forum), they can also use the Microsoft Services Hub support request system here: https://xtls-v4.hkg1.meaqua.org/en-us/services-hub/unified/support/open-support-requests
David AVILA 5 Reputation points

2025-12-22T10:56:35.9133333+00:00

Hi, I had solved the problem... it was a duplicated Windows SID problem. Since the August update, the SID is used too to validate LAN access. You must have a different SID on server and computers...
Raymond Huynh (WICLOUD CORPORATION) 4,235 Reputation points Microsoft External Staff Moderator

2025-12-23T02:57:07.19+00:00

Thanks David AVILA for the update, i'm glad you solved this issue!

Answer 2

The error you are encountering indicates a failed logon attempt during the SSL/TLS handshake process using the SslStream.AuthenticateAsServer method. The specific failure reason, 0xC000006D, corresponds to a logon failure due to an unknown user name or bad password. The sub-status 0x80090325 suggests that there is an issue related to the security context or credentials being used.

Here are some steps you can take to troubleshoot and resolve this issue:

Check Server Certificate: Ensure that the server certificate you are using is valid, correctly installed, and trusted by the client. The certificate should not be expired or revoked.
Validate Client Credentials: If the server requires client authentication, make sure that the client is providing valid credentials that match the expected user account.
Review Security Policies: Check the local security policies and group policies on the server to ensure that there are no restrictions preventing the logon. Specifically, look for settings related to NTLM authentication and logon rights.
Enable Protocols: Ensure that the required TLS protocols are enabled on both the server and client sides. Since you are using SslProtocols.Tls12, verify that TLS 1.2 is enabled in the system settings.
Inspect Event Logs: Review the Windows Event Logs for any additional error messages or warnings that might provide more context about the failure. Look for events related to security and logon failures.
Network Configuration: Ensure that there are no network issues preventing the client from reaching the server. Check firewall settings and network configurations that may affect connectivity.
Use Detailed Logging: If the issue persists, consider enabling detailed logging for the SslStream to capture more information about the handshake process. This can help identify where the failure occurs.

By following these steps, you should be able to identify and resolve the underlying issue causing the logon failure during the SSL/TLS authentication process.

References:

Answer 3

Radhika Sridhar 20

Please help us why this is happening during certificate authentication

Share via

4625- Security Microsoft Unified Security Protocol Provider SChannel

3 answers

Your answer