Windows security event (ID 4625) is logged with Discovery

Description

Even with credential affinities, the target machine may log a Windows security event with ID 4625. It appears in the Windows Event Viewer under Windows Logs > Security as "An account failed to log on." Discovery on the instance is successful.

Steps to Reproduce

Prerequisite Setup

- No common user account between the MID Server A and Windows machine B
- Discovery plugin activated
- MID Server A is on a Windows host with the service account running as LocalSystem (default)

Procedure

1. Add a Windows credential to successfully discover the Windows machine B.
2. Run a discovery to target Windows machine B with MID Server A.
3. Allow discovery to finish successfully.
4. Log in to machine B and open the Event Viewer.
   NOTE: There should be a 4625 event logged with the user name that logged in to machine A.
   Keywords: Audit Failure
   Source: Microsoft Windows security auditing.
   Event ID: 4625
   Task Category: Logon
   Within the General Details area, messages will indicate that the attempt came from the MID Server host within the Network Information section.
5. Run discovery again.
   NOTE: Even though a credential affinity is used, Microsoft will log an Audit Failure event to notify administrators when impersonation is being used.

Workaround

For a Windows probe, ServiceNow uses impersonation to run a script as a credentialed user on a remote target. To verify that you have access to the target machine, execute the following command:

    $results = gwmi win32_operatingsystem -computer $computer -credential $cred -impersonation 3 -authentication 6 -EA "Stop";

If this command fails, iterate to the next credential. If it passes, continue to execute the intended script against the target.
Based on the Microsoft forums post "When using Get-WMIObject, it uses current user credential first before using "-Credential" parameter", when impersonation is used, Windows will first attempt to run as the current user (or service account) before using the specified credential. Therefore, this is working as designed per Microsoft. Impersonation has existed in Discovery for a while, so at least one security event will always be logged per probe, and more if other commands in the script require impersonation.

Windows first tries to authenticate as the MID Server Windows service account. If this account has access to the target, no Audit Failure event is logged. To accomplish this, have a MID Server discover targets within the same domain.

Related Problem: PRB1239785
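To separate the 4625 events described in the procedure above from other logon failures on machine B, the following added example (not ServiceNow code) flags failures whose Network Information points at the MID Server host. The function name, the MID Server address and the two sample events are constructed assumptions; the field names are the standard EventData fields of event 4625.

```powershell
# Added example: triage 4625 events on the Discovery target (machine B).
function Get-LogonFailureSummary {
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,         # XML as returned by EventLogRecord.ToXml()
        [Parameter(Mandatory)] [string]   $MidServerAddress  # IP of MID Server A (assumption: static address)
    )
    foreach ($raw in $EventXml) {
        $evt = [xml]$raw
        if ($evt.Event.System['EventID'].InnerText -ne '4625') { continue }
        # Flatten <EventData><Data Name="...">value</Data></EventData> into a hashtable
        $data = @{}
        foreach ($d in $evt.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated   = $evt.Event.System.TimeCreated.SystemTime
            TargetUser    = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType     = $data['LogonType']
            SourceAddress = $data['IpAddress']
            # True when the failure came from the MID Server host
            FromMidServer = ($data['IpAddress'] -eq $MidServerAddress)
        }
    }
}

# Constructed sample events (documentation-range addresses, hypothetical names).
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
    '<System><EventID>4625</EventID><TimeCreated SystemTime="{0}" /></System>' +
    '<EventData><Data Name="TargetUserName">{1}</Data>' +
    '<Data Name="TargetDomainName">{2}</Data>' +
    '<Data Name="LogonType">3</Data>' +
    '<Data Name="IpAddress">{3}</Data></EventData></Event>'
$samples = @(
    ($template -f '2024-01-01T10:00:00Z', 'midsvc', 'HOSTA', '192.0.2.10'),
    ($template -f '2024-01-01T10:05:00Z', 'administrator', 'HOSTB', '198.51.100.7')
)

Get-LogonFailureSummary -EventXml $samples -MidServerAddress '192.0.2.10' | Format-Table

# Live use on machine B (requires rights to read the Security log):
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } |
#            ForEach-Object { $_.ToXml() }
# Get-LogonFailureSummary -EventXml $xml -MidServerAddress '<MID Server IP>'
```

Rows with FromMidServer set to True match the Network Information the article describes; compare their timestamps with the Discovery schedule before treating them as expected, and review the remaining rows as ordinary logon failures.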