- Local time
- 2:28 AM
- Posts
- 36
- OS
- Windows 11
Hello all,
After the monthly updates last night my remote computer rebooted, and I can no longer login with the same credentials that I have been using. I can go to the remote computer and log in physically with the credentials, so this is not the issue.
The error on the client is "The logon attempt failed".
On the target server, I see the following in the Security event log:
```
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: <USER>
Account Domain: -
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000006D
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: <NAME>
Source Network Address: <IP>
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
```
I have spent the morning with Grok and here are a few of the remedies I have tried, none of which worked:
```
```
6. Client-Side Checks
```
- nothing in Applications and Services Logs > Microsoft > Windows > TerminalServices-RemoteConnectionManager and TerminalServices-LocalSessionManager
- I have also created a new account/profile altogether, but I still run into the same issue.
At a loss now, and I have exhausted all obvious options to me, opening a ticket here to help further diagnose.
Thank you for any assistance you can provide.
After the monthly updates last night my remote computer rebooted, and I can no longer login with the same credentials that I have been using. I can go to the remote computer and log in physically with the credentials, so this is not the issue.
The error on the client is "The logon attempt failed".
On the target server, I see the following in the Security event log:
```
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: <USER>
Account Domain: -
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000006D
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: <NAME>
Source Network Address: <IP>
Source Port: 0
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
```
I have spent the morning with Grok and here are a few of the remedies I have tried, none of which worked:
```
- Action:
- Open Local Security Policy (run secpol.msc).
- Navigate to Local Policies > Security Options:
- Set Network security: LAN Manager authentication level to Send NTLMv2 response only. Refuse LM & NTLM.
- Ensure Accounts: Limit local account use of blank passwords to console logon only is disabled if applicable (though not relevant since credentials are valid).
- Check Group Policy:
- Open Group Policy Editor (run gpedit.msc).
- Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security.
- Set Require secure RPC communication to Disabled.
- Set Require user authentication for remote connections by using Network Level Authentication to Disabled (to match Step 2).
- If the machine is on a domain, check with the domain administrator if recent Group Policy updates are affecting RDP.
- Test: Apply changes, run gpupdate /force in Command Prompt, and try RDC.
```
6. Client-Side Checks
- Why: The client machine’s configuration or cached credentials could contribute to the issue.
- Action:
- Clear cached credentials on the client:
- On the client machine, go to Control Panel > User Accounts > Credential Manager.
- Under Windows Credentials, remove any entries for the target machine’s IP or hostname.
- Update the RDP client:
- Ensure the client machine is fully updated (check Windows Update).
- Alternatively, download the latest Microsoft Remote Desktop app from the Microsoft Store.
- Test RDC from a different client machine to rule out client-specific issues.
- Clear cached credentials on the client:
- Test: Try RDC after clearing credentials and updating the client.
```
- Run System File Checker to repair corrupted system files:
- Open Command Prompt as Administrator and run sfc /scannow.
- If errors are found, run DISM /Online /Cleanup-Image /RestoreHealth to repair the system image, then rerun sfc /scannow.
- Check registry for RDP settings:
- Open Regedit and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server.
- Ensure fDenyTSConnections is set to 0 (enables RDP).
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.
- Ensure SecurityLayer is set to 2 (or try 1 for RDP Security Layer instead of TLS).
- Run System File Checker to repair corrupted system files:
- Test: After rolling back updates or repairing files, attempt RDC.
- nothing in Applications and Services Logs > Microsoft > Windows > TerminalServices-RemoteConnectionManager and TerminalServices-LocalSessionManager
- I have also created a new account/profile altogether, but I still run into the same issue.
At a loss now, and I have exhausted all obvious options to me, opening a ticket here to help further diagnose.
Thank you for any assistance you can provide.
- Windows Build/Version
- Version 24H2 (OS Build 26100.6584)
My Computer
At a glance
Windows 11Ryzen 9 5950x128GB: Patriot Memory Viper Elite II DDR4 64G...GeForce GTX 1050ti
- OS
- Windows 11
- Computer type
- PC/Desktop
- Manufacturer/Model
- MSI x570 Gaming Plus
- CPU
- Ryzen 9 5950x
- Motherboard
- MSI
- Memory
- 128GB: Patriot Memory Viper Elite II DDR4 64GB(2 x 32GB) 3600MHz Kit
- Graphics Card(s)
- GeForce GTX 1050ti
- Hard Drives
- DiskNVMe Samsung_SSD_990_PRO_with_Heatsink
- PSU
- Seasonic PRIME Snow Silent 650 Platinum SSR-650PD2 650W 80+ Platinum ATX12V & EPS12V Full Modular 135mm FDB Fan Power On Self Tester 12 Year Warranty Power Supply color white
Otherwise, I would test that for you.
So the server was the original, and I cloned it for the client that is now connecting to it. I am pretty sure that is it. 
THANK YOU!
I had to make Grok Think Harder and it recommened PsGetSid from SysInternals. Turns out I have that already locally and I tried it on both machines... they are the same! So this looks very much related and I will see if I can change one of them with SIDCHG.
It was a good if but sudden reminder to continue this.
What can I say, I like punching myself in the face these days. Oh well, at least I supported an independent software vendor. Hopefully, some good karma out there for others who need it. 
WARNING: You may have to re-activate software after running this utility!!! 
