Consider the following scenario:

  • You have multiple domains inside an Active Directory Domain Services (AD DS) forest to which Microsoft Forefront Unified Access Gateway (UAG) 2010 belongs.

  • You have users in a child domain of the forest.

  • You have Service Pack 3 for Forefront Unified Access Gateway 2010 or Rollup 1 for Forefront Unified Access Gateway 2010 Service Pack 3 installed.

  • The Account Domain field in the 4625 event displays the distinguished name (DN) of the parent domain.

  • You have users authenticating to Forefront UAG.

In this scenario, you may notice an increase in the number of failed logon tries in the Security event logs on the domain controllers. A user logging on to Forefront UAG may generate multiple 4625 events every time that they log on. This problem occurs when Forefront UAG tries to look up the groups from multiple sub-domains. The logged events do not affect the user logging on.

The 4625 events may resemble the following:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: datetime
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
An account failed to log on.
Security ID: SYSTEM
Account Name: UAG01$
Account Domain: CONTOSO
Logon ID: 0x3e7
Logon Type: 3
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: username
Account Domain: DC=contoso,DC=com
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID:
Caller Process Name: -
Network Information:
Workstation Name: UAG01
Source Network Address:
Source Port: 12345


This problem occurs because multiple events are logged every time that a user logs on to Forefront UAG. In this case, enumeration of the groups in which the user is a member in other sub-domains is tried. These lookups may result in an incorrect query that triggers the failed logon events. 


To resolve this problem, install Service Pack 4 for Microsoft Forefront Unified Access Gateway 2010, and then follow the steps in the "More Information" section.


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

To prevent Forefront UAG from enumerating groups on sub-domains, follow these steps:

  1. Create the following registry value:

    Registry subkey location: HKEY_LOCAL_MACHINE\Software\WhaleCom\e-Gap\von\UserMgr
    DWORD name: DoNotFetchSubdomainUserGroups
    DWORD Value: 1

  2. Apply Service Pack 4 for Forefront Unified Access Gateway 2010.

  3. Start the Microsoft Forefront UAG Management console, and then click Activate to apply the changes to your configuration.

  4. In the lower message pane, wait for the following informational message:

    Activation completed successfully.
    Note By default, informational messages are not enabled or displayed. To enable the informational messages, follow these steps:

    1. In the Forefront UAG Management console, on the Messages menu, click Filter Messages.

    2. On the Messages Filter dialog box, in the Message Window area, click to select the Information messages check box, and then click OK.

Note Setting this registry subkey has no functional effect on the logon process and prevents the failed logon tries from being raised.


See the terminology Microsoft uses to describe software updates.

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

What affected your experience?

Thank you for your feedback!