I need to log all failed authentication attempts against my Active Directory domain. An external app binds to MS AD via LDAPS and uses AD for user authentication requests.
When the wrong user or password is used, I do not see audit events on the DC Event Viewer (Windows Logs > Security).
I tested basic scenarios to try & understand what gets audited:
- RDP to DC using a valid username but wrong password. No new Audit event. Why?
- RDP to DC using a non-existent username. Yes! Audit Failure logged EventID 4625 "Unknown user name or bad password".
- RDP to DC using "test" username which exists in AD but account is disabled. No new Audit event. Why?
How can I log all the above events? Ultimately, what I need logged are failed authentication attempts from external app which authenticates against my AD using domain credentials.
Do I need to enable Advanced Auditing?
Is Event Forwarding necessary?
To enable logging of failed attempts, you need to use "Advanced Audit Policy Configuration" in the Group Policy Management Editor to enable audit logging of successful and failed logon attempts.
This would enable logging of successful and failed logon attempts. If you only want to log failed attempts, simply select Failure only on step 4.