Symptoms

Consider the following scenario:

  • You have multiple domains inside an Active Directory Domain Services (AD DS) forest to which Microsoft Forefront Unified Access Gateway (UAG) 2010 belongs.

  • You have users in a child domain of the forest.

  • You have Service Pack 3 for Forefront Unified Access Gateway 2010 or Rollup 1 for Forefront Unified Access Gateway 2010 Service Pack 3 installed.

  • The Account Domain field in the 4625 event displays the distinguished name (DN) of the parent domain.

  • You have users authenticating to Forefront UAG.

In this scenario, you may notice an increase in the number of failed logon attempts in the Security event logs on the domain controllers. A user logging on to Forefront UAG may generate multiple 4625 events every time that they log on. This problem occurs when Forefront UAG tries to look up the user's groups in multiple sub-domains. The logged events do not affect the user's logon.

The 4625 events may resemble the following:

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: datetime
    Event ID: 4625
    Task Category: Logon
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: dc1.contoso.com
    Description:
    An account failed to log on.
    Subject:
      Security ID: SYSTEM
      Account Name: UAG01$
      Account Domain: CONTOSO
      Logon ID: 0x3e7
    Logon Type: 3
    Account For Which Logon Failed:
      Security ID: S-1-0-0
      Account Name: username
      Account Domain: DC=contoso,DC=com
    Failure Information:
      Failure Reason: Unknown user name or bad password.
      Status: 0xc000006d
      Sub Status: 0xc0000064
    Process Information:
      Caller Process ID: 
      Caller Process Name: -
    Network Information:
      Workstation Name: UAG01
      Source Network Address: 192.168.0.1
      Source Port: 12345

Cause

This problem occurs because multiple events are logged every time that a user logs on to Forefront UAG. During the logon, Forefront UAG tries to enumerate the groups of which the user is a member in the other sub-domains. These lookups may produce an incorrect query that triggers the failed logon events.

Resolution

To resolve this problem, install Service Pack 4 for Microsoft Forefront Unified Access Gateway 2010, and then follow the steps in the "More Information" section.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

To prevent Forefront UAG from enumerating groups on sub-domains, follow these steps:

  1. Create the following registry value:

    Registry subkey location: HKEY_LOCAL_MACHINE\Software\WhaleCom\e-Gap\von\UserMgr
    DWORD name: DoNotFetchSubdomainUserGroups
    DWORD value: 1

  2. Apply Service Pack 4 for Forefront Unified Access Gateway 2010.

  3. Start the Microsoft Forefront UAG Management console, and then click Activate to apply the changes to your configuration.

  4. In the lower message pane, wait for the following informational message:

    Activation completed successfully.

    Note: By default, informational messages are not enabled or displayed. To enable informational messages, follow these steps:

    1. In the Forefront UAG Management console, on the Messages menu, click Filter Messages.

    2. On the Messages Filter dialog box, in the Message Window area, click to select the Information messages check box, and then click OK.

Note: Setting this registry value has no functional effect on the logon process; it only stops the failed logon attempts from being raised.
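The following PowerShell script is an added example, not part of this article or of the Forefront UAG product. It first confirms the symptom on a domain controller by counting 4625 events that match the pattern shown above (Sub Status 0xc0000064 with the target domain written as a distinguished name), grouped by workstation and account, and then applies the registry value from step 1 on the UAG server. The domain controller name, the time window and the function names are assumptions; the EventData field names are the standard ones for event 4625.

```powershell
# Run on (or against) a domain controller: count 4625 events that look like the
# UAG sub-domain group lookups. Assumed defaults: dc1.contoso.com (from the sample
# event above) and the last 24 hours.
function Find-UagSubdomainLookupNoise {
    param(
        [string]$DomainController = 'dc1.contoso.com',
        [int]$Hours = 24
    )
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $hits = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # The symptom: "unknown user name" (0xc0000064) with the account domain given
        # as a DN (DC=contoso,DC=com) instead of a NetBIOS name. Compare case-insensitively,
        # because the log stores the hex value in upper case.
        if ($data['SubStatus'] -ieq '0xc0000064' -and $data['TargetDomainName'] -like 'DC=*') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Workstation = $data['WorkstationName']   # expected: the UAG server, e.g. UAG01
                Account     = $data['TargetUserName']
                Domain      = $data['TargetDomainName']
                SourceIp    = $data['IpAddress']
            }
        }
    }
    # Many events per workstation/account pair per day confirms the pattern in the article.
    $hits | Group-Object Workstation, Account | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Run on the Forefront UAG server itself (not on the DC): create the DWORD value from
# step 1. The subkey is created if it does not exist; -Force makes the call idempotent.
function Set-UagDoNotFetchSubdomainUserGroups {
    $key = 'HKLM:\Software\WhaleCom\e-Gap\von\UserMgr'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'DoNotFetchSubdomainUserGroups' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    # The value only takes effect after SP4 is installed and the configuration is
    # activated in the Forefront UAG Management console (steps 2 and 3 above).
    Get-ItemProperty -Path $key -Name 'DoNotFetchSubdomainUserGroups'
}

Find-UagSubdomainLookupNoise | Format-Table -AutoSize
```

After activation, rerun Find-UagSubdomainLookupNoise to verify that the per-logon bursts of 4625 events from the UAG server have stopped.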

References

See the terminology Microsoft uses to describe software updates.
