LsaSrv

87 events across 6 channels

Event ID | Title | Channel
100 | The security package does not cache the credentials needed to authenticate to … | Operational
200 | A security package received a network logon request after the logoff completed. | Operational
300 | Groups assigned to a new logon. | Operational
301 | Claims assigned to a new logon. | Operational
302 | User UserSid logged off notification is received. | Operational
303 | The security package does not cache the user's sign on credentials. | Operational
320 | Automatic restart sign on successfully configured the autologon credentials for: … | Operational
321 | Automatic restart sign on failed to configure the autologon credentials with … | Operational
322 | Automatic restart sign on successfully deleted autologon credentials from LSA … | Operational
5000 | The security package Package generated an exception. | System
6025 | Could not upgrade the Trusted domain object for domain {Domain}. | System
6027 | Could not upgrade the global secret Secret. | System
6029 | LSA could not update domain information in the registry to match the DS. | System
6031 | The database contains invalid information for trusted domain {Domain}. | System
6033 | An anonymous session connected from Client has attempted to open an LSA policy … | System
6034 | The new top level name; {TopLevelName}; has been added to the forest … | System
6035 | During a logon attempt, the user's security context accumulated too many … | System
6036 | The program Program, with the assigned Process ID PID, supplied a NULL or empty … | System
6037 | The program Data_1, with the assigned process ID Data_0, could not authenticate … | System
6038 | Microsoft Windows Server has detected that NTLM authentication is presently … | System
6039 | Microsoft Windows Server has detected that NTLM authentication is being used … | System
6040 | An authentication request for package Package was rejected because the target … | System
6041 | A CredSSP authentication to TargetName failed to negotiate a common protocol … | System
6144 | A secret object private to LSA was queried by a client. | System
6145 | An error occurred while retrieving new Central Access Policies for this machine. | System
6146 | An error occurred while processing new Central Access Policies for this machine. | System
6147 | Credential Guard is configured to run, but is not licensed. | System
6148 | The PDC completed an automatic trust scan operation for all trusts with no … | System
6149 | The PDC completed an automatic trust scan operation for all trusts and … | System
6150 | The PDC completed an administrator-requested trust scan operation for the trust … | System
6151 | The PDC was unable to find the specified trust 'TrustName' to scan. | System
6152 | The PDC completed an administrator-requested trust scan operation for the trust … | System
6153 | The PDC encountered an error trying to scan the named trust. | System
6154 | Possible use of roaming Credential Manager credentials with Credential Guard … | System
6155 | LSA package is not signed as expected. | System
6156 | Credential Guard auto enablement status. | System
6157 | The PDC completed a background trust scan operation of the named trust. | System
6158 | Error reading Credential Guard. | System
6160 | LsaIso. | System
6161 | Credential Guard configuration: Config, IsTestConfig, AutoEnabled. | System
6162 | Key Guard was started and will protect VSM-isolated keys. | System
6163 | Credential Guard was started and will protect LSA credentials. | System
6164 | Credential Guard is configured but the secure kernel is not running; continuing … | System
6165 | VBS bound machine secret is present but falling back to LSA bound secret. | System
6166 | Machine Identity Isolation status. | System
6167 | There is a partial mismatch in the machine ID. | System
6167 | | Unknown
6182 | LogonSession alive after interactive user logoff. | Diagnostic
6225 | | Performance
6226 | | Performance
6227 | | Performance
6228 | | Performance
6229 | | Performance
6230 | | Performance
6231 | | Performance
6232 | | Performance
29186 | Moving the existing logon scripts from {OldScripts} to {NewScripts} failed. | System
29187 | Running the Security Configuration Editor over the Domain Controller encountered … | System
29188 | An existing; incompatible trust object was found on the parent server for domain … | System
29216 | Failed to disable auto logon following the successful upgrade of a domain … | System
29217 | Failed to set the default logon domain to {DomainName}. | System
29221 | During the demotion operation; the trust object on {ParentName} could not be … | System
29241 | Dcpromo failed to configure the new starttype of {Flags} for the service … | System
29242 | Dcpromo failed to remove the dependency of {ServiceName} on {Dependency} during … | System
32768 | The interdomain trust account for the domain {Domain} could not be deleted. | System
32772 | The interdomain trust account for the domain {Domain} could not be created. | System
32773 | A lookup request was made that required connectivity to a domain controller in … | System
32774 | A lookup request was made that required connectivity to the domain controller … | System
32775 | A lookup request was made that required the lookup services on the remote domain … | System
32777 | The LSA was unable to register its RPC interface over the TCP/IP interface. | System
32778 | The name {Name} was translated to SID {SID} from the trusted forest {Forest}. | System
32779 | | Application
32779 | | Unknown
32780 | The LSA was unable to notify UBPM during startup with status Status. | System
40960 | The Security System detected an authentication error for the server Target. | System
40961 | The Security System could not establish a secured connection with the server … | System
40962 | The Security System was unable to authenticate to the server Target because the … | System
40964 | The Security System received an authentication attempt with an unknown … | System
40965 | The Security System has selected Protocol for the authentication protocol to … | System
40966 | The Security System has received an authentication attempt, and determined that … | System
40967 | The Security System has received an authentication request directly for … | System
40968 | The Security System has received an authentication request that could not be … | System
40969 | The Security System has received an authentication attempt, and determined that … | System
40970 | The Security System has detected a downgrade attempt when contacting the 3-part … | System
45056 | Logon cache was disabled. | System
45057 | A failed logon attempt has caused a logon cache entry for user Username to be … | System
45058 | A logon cache entry for user UserName was the oldest entry and was removed. | System

Event ID 100 — The security package does not cache the credentials needed to authenticate to the server.

Provider
LsaSrv
Channel
Operational

Description

The security package does not cache the credentials needed to authenticate to the server.

Message #

The security package does not cache the credentials needed to authenticate to the server.

Package Name: %1
User Name: %2
Domain Name: %3
Server Name: %4
Protected User: %5
Error Code: %6

Fields #

Name | Description
Package_Name UnicodeString
User_Name UnicodeString
Domain_Name UnicodeString
Server_Name UnicodeString
Protected_User UInt32
Error_Code HexInt32
PackageName UnicodeString
UserName UnicodeString
DomainName UnicodeString
ServerName UnicodeString
ProtectedUser UInt32
ErrorCode HexInt32

Event ID 200 — A security package received a network logon request after the logoff completed.

Provider
LsaSrv
Channel
Operational

Description

A security package received a network logon request after the logoff completed.

Message #

A security package received a network logon request after the logoff completed.

User Name: %1
Domain Name: %2
Logon ID: %3
Logoff Time: %4
PID: %5
Program: %6
Principal Name: %7
Server Name: %8
Package Name: %9
Call Type: %10
Error Code: %11

Fields #

Name | Description
User_Name UnicodeString
Domain_Name UnicodeString
Logon_ID HexInt64
Logoff_Time SYSTEMTIME
PID UInt32
Program UnicodeString
Principal_Name UnicodeString
Server_Name UnicodeString
Package_Name UnicodeString
Call_Type UnicodeString
Error_Code HexInt32
UserName UnicodeString
DomainName UnicodeString
LogonId HexInt64
LogoffTime SYSTEMTIME
PrincipalName UnicodeString
ServerName UnicodeString
PackageName UnicodeString
CallType UnicodeString
ErrorCode HexInt32

Event ID 300 — Groups assigned to a new logon.

Provider
LsaSrv
Channel
Operational
Level
Informational
Collection Priority
Recommended (Microsoft-WEF, others)

Description

Groups assigned to a new logon.

Message #

Groups assigned to a new logon.

New Logon:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4
	Logon GUID: %5

Event in sequence: %6 of %7

Group Membership: %8

Fields #

Name | Description
TargetUserSid SID | [New Logon] Security ID.
TargetUserName UnicodeString | [New Logon] Account Name.
TargetDomainName UnicodeString | [New Logon] Account Domain.
TargetLogonId HexInt64 | [New Logon] Logon ID.
TargetLogonGuid GUID | [New Logon] Logon GUID.
EventOrginal UInt32 | [New Logon] Event in sequence.
EventCountTotal UInt32
SidList UnicodeString | [New Logon] Group Membership.

Example Event #

{
  "system": {
    "provider": "LsaSrv",
    "guid": "199FE037-2B82-40A9-82AC-E1D46C792B99",
    "event_source_name": "",
    "event_id": 300,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2023-11-06T02:03:41.600577+00:00",
    "event_record_id": 220,
    "correlation": {
      "ActivityID": "E4DB489E-1037-0001-0C49-DBE43710DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 844
    },
    "channel": "Microsoft-Windows-LSA/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "TargetUserSid": "S-1-5-20",
    "TargetUserName": "NETWORK SERVICE",
    "TargetDomainName": "NT AUTHORITY",
    "TargetLogonId": "0x3e4",
    "TargetLogonGuid": "00000000-0000-0000-0000-000000000000",
    "EventOrginal": 1,
    "EventCountTotal": 1,
    "SidList": "\r\n\t\t%{S-1-5-20}\r\n\t\t%{S-1-1-0}\r\n\t\t%{S-1-5-32-545}\r\n\t\t%{S-1-5-6}\r\n\t\t%{S-1-2-1}\r\n\t\t%{S-1-5-11}\r\n\t\t%{S-1-5-15}\r\n\t\t%{S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628}\r\n\t\t%{S-1-2-0}\r\n\t\t%{S-1-5-32-545}"
  },
  "message": ""
}

Event ID 301 — Claims assigned to a new logon.

Provider
LsaSrv
Channel
Operational

Description

Claims assigned to a new logon.

Message #

Claims assigned to a new logon.

New Logon:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4
	Logon GUID: %5


	Logon Type: %6



Event in sequence: %7 of %8

User Claims: %9

Device Claims: %10

This event is generated when a new logon session is created and the user token associated with it contains user and/or device claims. The New Logon fields indicate the account that was logged on. If all the user and device claims in the user token cannot be accommodated in a single event, multiple such events are generated. The Event in sequence field indicates how many more events are generated for this logon session. Each user or device claim is represented in the following format:

	ClaimID ClaimTypeID : Value1, Value2 ? 

The common claim types are: 0 (Invalid Type), 1 (64-bit Integer, 2 (Unsigned 64-bit Integer), 3 (String), 4 (FQBN), 5 (SID), 6 (Boolean) and 16 (Blob). If the claim value exceeds the max allowed length then the string is terminated by ...

Fields #

Name | Description
TargetUserSid SID
TargetUserName UnicodeString
TargetDomainName UnicodeString
TargetLogonId HexInt64
TargetLogonGuid GUID
LogonType UInt32 | Logon type reference
EventIdx UInt32
EventCountTotal UInt32
UserClaims UnicodeString
DeviceClaims UnicodeString

Event ID 302 — User UserSid logged off notification is received.

Provider
LsaSrv
Channel
Operational
Level
Informational

Description

User UserSid logged off notification is received.

Message #

User %1 logged off notification is received.

LogonId: %2
AuthorityName: %3
AccountName: %4
Timeout: %5 seconds

Fields #

Name | Description
UserSid SID
LogonId HexInt64
AuthorityName UnicodeString
AccountName UnicodeString
Elapse UInt32
Timeout

Example Event #

{
  "system": {
    "provider": "LsaSrv",
    "guid": "199FE037-2B82-40A9-82AC-E1D46C792B99",
    "event_source_name": "",
    "event_id": 302,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2026-03-14T21:58:13.455090+00:00",
    "event_record_id": 4682,
    "correlation": {},
    "execution": {
      "process_id": 940,
      "thread_id": 3528
    },
    "channel": "Microsoft-Windows-LSA/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "UserSid": "S-1-5-21-1006758700-2167138679-1475694448-1105",
    "LogonId": "0xc979b",
    "AuthorityName": "ludus",
    "AccountName": "domainadmin",
    "Elapse": 30
  },
  "message": ""
}

Event ID 303 — The security package does not cache the user's sign on credentials.

Provider
LsaSrv
Channel
Operational
Level
Informational

Description

The security package does not cache the user's sign on credentials.

Message #

The security package does not cache the user's sign on credentials.

Package Name: %1
User Name: %2
Domain Name: %3
Protected User: %4

Fields #

Name | Description
PackageName UnicodeString
UserName UnicodeString
DomainName UnicodeString
ProtectedUser UInt32
Package_Name UnicodeString
User_Name UnicodeString
Domain_Name UnicodeString
Protected_User UInt32

Example Event #

{
  "system": {
    "provider": "LsaSrv",
    "guid": "199FE037-2B82-40A9-82AC-E1D46C792B99",
    "event_source_name": "",
    "event_id": 303,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2026-03-13T20:06:34.507918+00:00",
    "event_record_id": 51,
    "correlation": {
      "ActivityID": "8B83AF9E-B321-0001-1AB0-838B21B3DC01"
    },
    "execution": {
      "process_id": 968,
      "thread_id": 7780
    },
    "channel": "Microsoft-Windows-LSA/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "PackageName": "CREDSSP",
    "UserName": "LAB-DC01$",
    "DomainName": "ludus",
    "ProtectedUser": 0
  },
  "message": ""
}

Event ID 320 — Automatic restart sign on successfully configured the autologon credentials for: Account Name: Account_Name Account Domain: Account_Domain.

Provider
LsaSrv
Channel
Operational

Description

Automatic restart sign on successfully configured the autologon credentials for.

Message #

Automatic restart sign on successfully configured the autologon credentials for:

	Account Name: %1
	Account Domain: %2

Fields #

Name | Description
Account_Name UnicodeString | [Automatic restart sign on successfully configured the autologon credentials for] Account Name.
Account_Domain UnicodeString | [Automatic restart sign on successfully configured the autologon credentials for] Account Domain.
UserName UnicodeString
DomainName UnicodeString

Event ID 321 — Automatic restart sign on failed to configure the autologon credentials with error.

Provider
LsaSrv
Channel
Operational
Level
Informational

Description

Automatic restart sign on failed to configure the autologon credentials with error.

Message #

Automatic restart sign on failed to configure the autologon credentials with error:

%1

Fields #

Name | Description
Error UnicodeString

Example Event #

{
  "system": {
    "provider": "LsaSrv",
    "guid": "199FE037-2B82-40A9-82AC-E1D46C792B99",
    "event_source_name": "",
    "event_id": 321,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 2305843009213693952,
    "time_created": "2026-03-14T01:38:46.851959+00:00",
    "event_record_id": 7296,
    "correlation": {
      "ActivityID": "C5FDF330-93D8-4242-8AA4-AC8874FCA611"
    },
    "execution": {
      "process_id": 984,
      "thread_id": 6436
    },
    "channel": "Microsoft-Windows-LSA/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Error": "\"{Access Denied}\r\nA process has requested access to an object, but has not been granted those access rights.\r\n (0xc0000022)\""
  },
  "message": ""
}

Event ID 322 — Automatic restart sign on successfully deleted autologon credentials from LSA memory

Provider
LsaSrv
Channel
Operational

Description

Automatic restart sign on successfully deleted autologon credentials from LSA memory.

Message #

Automatic restart sign on successfully deleted autologon credentials from LSA memory

Event ID 5000 — The security package Package generated an exception.

Provider
LsaSrv
Channel
System

Description

The security package Package generated an exception. The exception information is the data.

Message #

The security package %1 generated an exception. The exception information is the data.

Fields #

Name | Description
Package UnicodeString
Exception Binary
__binLength UInt32

Event ID 6025 — Could not upgrade the Trusted domain object for domain {Domain}.

Provider
LsaSrv
Channel
System

Description

Could not upgrade the Trusted domain object for domain {Domain}. Please recreate the trust manually.

Message #

Could not upgrade the Trusted domain object for domain {Domain}. Please recreate the trust manually.

Fields #

Name | Description
Domain

Event ID 6027 — Could not upgrade the global secret Secret.

Provider
LsaSrv
Channel
System

Description

Could not upgrade the global secret Secret. Please check the status of all services in the system.

Message #

Could not upgrade the global secret %1. Please check the status of all services in the system.

Fields #

Name | Description
Secret UnicodeString
status Binary | NTSTATUS reference
__binLength UInt32

Event ID 6029 — LSA could not update domain information in the registry to match the DS.

Provider
LsaSrv
Channel
System

Description

LSA could not update domain information in the registry to match the DS. Error={Error}.

Message #

LSA could not update domain information in the registry to match the DS. Error={Error}.

Fields #

Name | Description
Error

Event ID 6031 — The database contains invalid information for trusted domain {Domain}.

Provider
LsaSrv
Channel
System

Description

The database contains invalid information for trusted domain {Domain}.

Message #

The database contains invalid information for trusted domain {Domain}.

Fields #

Name | Description
Domain

Event ID 6033 — An anonymous session connected from Client has attempted to open an LSA policy handle on this machine.

Provider
LsaSrv
Channel
System

Message #

An anonymous session connected from %1 has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller.
 The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1.
 This message will be logged at most once a day.

Fields #

Name | Description
Client UnicodeString

Event ID 6034 — The new top level name; {TopLevelName}; has been added to the forest {Forestname}.

Provider
LsaSrv
Channel
System

Message #

The new top level name; {TopLevelName}; has been added to the forest {Forestname}. Name suffix routing for this new name is disabled because it is not within any currently routed namespace. Objects can not be resolved from this new namespace until name suffix routing is enabled for the namespace. To enable name suffix routing; open Domains and Trusts and see help under Name Suffix Routing and Forest Trusts.

Fields #

Name | Description
TopLevelName
Forestname

Event ID 6035 — During a logon attempt, the user's security context accumulated too many security IDs.

Provider
LsaSrv
Channel
System

Message #

During a logon attempt, the user's security context accumulated too many security IDs. This is a very unusual situation. Remove the user from some global or local groups to reduce the number of security IDs to incorporate into the security context.
User's SID is %1
If this is the Administrator account, logging on in safe mode will enable Administrator to log on by automatically restricting group memberships.

Fields #

Name | Description
SID SID

Event ID 6036 — The program Program, with the assigned Process ID PID, supplied a NULL or empty target name for the pszTargetName parameter when calling the InitializeSe...

Provider
LsaSrv
Channel
System

Message #

The program %2, with the assigned Process ID %1, supplied a NULL or empty target name for the pszTargetName parameter when calling the InitializeSecurityContext API to initiate an outbound NTLM security context. This is a security risk when mutual authentication is required.
 
 To help protect against a malicious attack, make your code more secure. To do this, change the program so that it specifies a target name in the pszTargetName parameter field, and then recompile the code.

Fields #

Name | Description
PID UnicodeString
Program UnicodeString

Event ID 6037 — The program Data_1, with the assigned process ID Data_0, could not authenticate locally by using the target name Data_2.

Provider
LsaSrv
Channel
System
Level
Warning

Message #

The program %2, with the assigned process ID %1, could not authenticate locally by using the target name %3. The target name used is not valid. A target name should refer to one of the local computer names, for example, the DNS host name.
 
 Try a different target name.

Fields #

Name | Description
Data_0
Data_1
Data_2
Binary
PID UnicodeString
Program UnicodeString
TargetName UnicodeString

Example Event #

{
  "system": {
    "provider": "LsaSrv",
    "guid": "{199fe037-2b82-40a9-82ac-e1d46c792b99}",
    "event_source_name": "LsaSrv",
    "event_id": 6037,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-03-15T05:52:15.004853+00:00",
    "event_record_id": 13485,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "12832",
    "Data_1": "svchost.exe",
    "Data_2": "HOST/.",
    "Binary": ""
  },
  "message": ""
}

Event ID 6038 — Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server.

Provider
LsaSrv
Channel
System
Level
Warning

Message #

Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
 
NTLM is a weaker authentication mechanism. Please check:
 
      Which applications are using NTLM authentication?
      Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
      If NTLM must be supported, is Extended Protection configured?
 
Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.

Fields #

Name | Description
Data_0
Binary

Example Event #

{
  "system": {
    "provider": "LsaSrv",
    "guid": "{199fe037-2b82-40a9-82ac-e1d46c792b99}",
    "event_source_name": "LsaSrv",
    "event_id": 6038,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2022-04-07T17:39:24.046564+00:00",
    "event_record_id": 1326,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "",
    "Binary": ""
  },
  "message": ""
}

Event ID 6039 — Microsoft Windows Server has detected that NTLM authentication is being used between clients and this server.

Provider
LsaSrv
Channel
System

Message #

Microsoft Windows Server has detected that NTLM authentication is being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
 
NTLM is a weaker authentication mechanism. Please check:
 
      Which applications are using NTLM authentication?
      Are there configuration issue preventing the use stronger authentication such as Kerberos authentication?
      If NTLM must be supported, is Extended Protection configured?
 
Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.

Event ID 6040 — An authentication request for package Package was rejected because the target information was invalid.

Provider
LsaSrv
Channel
System

Description

An authentication request for package Package was rejected because the target information was invalid. The authentication request did not match the target name of TargetName.

Message #

An authentication request for package %1 was rejected because the target information was invalid.  The authentication request did not match the target name of %2.

Fields #

Name | Description
Package UnicodeString
TargetName UnicodeString

Event ID 6041 — A CredSSP authentication to TargetName failed to negotiate a common protocol version.

Provider
LsaSrv
Channel
System

Description

A CredSSP authentication to TargetName failed to negotiate a common protocol version. The remote host offered version TargetVersion which is not permitted by Encryption Oracle Remediation.

Message #

A CredSSP authentication to %1 failed to negotiate a common protocol version.  The remote host offered version %2 which is not permitted by Encryption Oracle Remediation.

See https://go.microsoft.com/fwlink/?linkid=866660 for more information.

Fields #

Name | Description
TargetName UnicodeString
TargetVersion UnicodeString

Event ID 6144 — A secret object private to LSA was queried by a client.

Provider
LsaSrv
Channel
System
Level
Informational

Description

A secret object private to LSA was queried by a client. This object was returned in encrypted format for security reasons.

Message #

A secret object private to LSA was queried by a client. This object was returned in encrypted format for security reasons.

Example Event #

{
  "system": {
    "provider": "LsaSrv",
    "guid": "199FE037-2B82-40A9-82AC-E1D46C792B99",
    "event_source_name": "",
    "event_id": 6144,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-09T00:56:02.886908+00:00",
    "event_record_id": 2014,
    "correlation": {
      "ActivityID": "4FECCB45-5562-44FC-B3DC-6A5D82E66B8A"
    },
    "execution": {
      "process_id": 764,
      "thread_id": 6788
    },
    "channel": "System",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 6145 — An error occurred while retrieving new Central Access Policies for this machine.

Provider
LsaSrv
Channel
System

Description

An error occurred while retrieving new Central Access Policies for this machine.

Message #

An error occurred while retrieving new Central Access Policies for this machine.

Could not retrieve policies for the following DNs:
%1

Fields #

Name | Description
MissingCAPDNs UnicodeString

Event ID 6146 — An error occurred while processing new Central Access Policies for this machine.

Provider
LsaSrv
Channel
System

Description

An error occurred while processing new Central Access Policies for this machine. Validation failed for the following Central Access Rule referenced by one or more of the Central Access Policies.

Message #

An error occurred while processing new Central Access Policies for this machine. Validation failed for the following Central Access Rule referenced by one or more of the Central Access Policies:

	Error: %1

	Name: %2
	Description: %3

Fields #

Name | Description
Error UnicodeString | [An error occurred while processing new Central Access Policies for this machine. Validation failed for the following Central Access Rule referenced by one or more of the Central Access Policies] Error.
Name UnicodeString | [An error occurred while processing new Central Access Policies for this machine. Validation failed for the following Central Access Rule referenced by one or more of the Central Access Policies] Name.
Description UnicodeString | [An error occurred while processing new Central Access Policies for this machine. Validation failed for the following Central Access Rule referenced by one or more of the Central Access Policies] Description.
CAPEName UnicodeString
CAPEDesc UnicodeString

Event ID 6147 — Credential Guard is configured to run, but is not licensed.

Provider
LsaSrv
Channel
System

Description

Credential Guard is configured to run, but is not licensed. Credential Guard was not started.

Message #

Credential Guard is configured to run, but is not licensed. Credential Guard was not started.

Event ID 6148 — The PDC completed an automatic trust scan operation for all trusts with no errors.

Provider
LsaSrv
Channel
System
Level
Informational

Description

The PDC completed an automatic trust scan operation for all trusts with no errors.

Message #

The PDC completed an automatic trust scan operation for all trusts with no errors.

More information can be found at https://go.microsoft.com/fwlink/?linkid=2162089.

Example Event #

{
  "system": {
    "provider": "LsaSrv",
    "guid": "199FE037-2B82-40A9-82AC-E1D46C792B99",
    "event_source_name": "",
    "event_id": 6148,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T17:08:01.191328+00:00",
    "event_record_id": 1299,
    "correlation": {},
    "execution": {
      "process_id": 664,
      "thread_id": 2808
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 6149 — The PDC completed an automatic trust scan operation for all trusts and encountered at least one error.

Provider
LsaSrv
Channel
System

Description

The PDC completed an automatic trust scan operation for all trusts and encountered at least one error.

Message #

The PDC completed an automatic trust scan operation for all trusts and encountered at least one error.

More information can be found at https://go.microsoft.com/fwlink/?linkid=2162089.

Event ID 6150 — The PDC completed an administrator-requested trust scan operation for the trust 'TrustName' with no errors.

Provider
LsaSrv
Channel
System

Description

The PDC completed an administrator-requested trust scan operation for the trust 'TrustName' with no errors.

Message #

The PDC completed an administrator-requested trust scan operation for the trust '%1' with no errors.

More information can be found at https://go.microsoft.com/fwlink/?linkid=2162089.

Fields #

Name | Description
TrustName UnicodeString

Event ID 6151 — The PDC was unable to find the specified trust 'TrustName' to scan.

Provider
LsaSrv
Channel
System

Description

The PDC was unable to find the specified trust 'TrustName' to scan. The trust either does not exist or it is neither an inbound or bidirectional trust.

Message #

The PDC was unable to find the specified trust '%1' to scan. The trust either does not exist or it is neither an inbound or bidirectional trust.

More information can be found at https://go.microsoft.com/fwlink/?linkid=2162089.

Fields #

Name | Description
TrustName UnicodeString

Event ID 6152 — The PDC completed an administrator-requested trust scan operation for the trust 'TrustName' and encountered an error.

Provider
LsaSrv
Channel
System

Message

The PDC completed an administrator-requested trust scan operation for the trust '%1' and encountered an error. The security of the local forest is unaffected by this error. The trusting forest may be at risk until the issue is resolved.

More information can be found at https://go.microsoft.com/fwlink/?linkid=2162089.

Fields

| Name | Type | Description |
| --- | --- | --- |
| TrustName | UnicodeString | |

Event ID 6153 — The PDC encountered an error trying to scan the named trust.

Provider
LsaSrv
Channel
System

Description

The PDC encountered an error trying to scan the named trust. The security of the local forest is unaffected by this error. The trusting forest may be at risk until the issue is resolved.

Message

The PDC encountered an error trying to scan the named trust. The security of the local forest is unaffected by this error. The trusting forest may be at risk until the issue is resolved.

Trust: %1

Error: %2(%3)

More information can be found at https://go.microsoft.com/fwlink/?linkid=2162089.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Trust | | |
| Error | | |
| TrustName | UnicodeString | |
| ErrorCodeHex | HexInt32 | |
| ErrorCode | UInt32 | |

Event ID 6154 — Possible use of roaming Credential Manager credentials with Credential Guard detected.

Provider
LsaSrv
Channel
System

Description

Possible use of roaming Credential Manager credentials with Credential Guard detected. This feature is unsupported. Refer to Credential Guard documentation for more details.

Message

Possible use of roaming Credential Manager credentials with Credential Guard detected. This feature is unsupported. Refer to Credential Guard documentation for more details.

Event ID 6155 — LSA package is not signed as expected.

Provider
LsaSrv
Channel
System
Level
Warning

Description

LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard.

Message

LSA package is not signed as expected. This can cause unexpected behavior with Credential Guard.

PackageName: %1

Fields

| Name | Type | Description |
| --- | --- | --- |
| PackageName | UnicodeString | |

Example Event

{
  "system": {
    "provider": "LsaSrv",
    "guid": "199FE037-2B82-40A9-82AC-E1D46C792B99",
    "event_source_name": "",
    "event_id": 6155,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:27.966390+00:00",
    "event_record_id": 1665,
    "correlation": {
      "ActivityID": "F590C418-1079-0001-5BC5-90F57910DA01"
    },
    "execution": {
      "process_id": 808,
      "thread_id": 812
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "PackageName": "msv1_0"
  },
  "message": ""
}

Event ID 6156 — Credential Guard auto enablement status.

Provider
LsaSrv
Channel
System
Level
Informational

Description

Credential Guard auto enablement status.

Message

Credential Guard auto enablement status.

Hardware Requirements for Virtualization Based Security: %1
Domain Joined: %2
Azure AD Joined: %3
Licensed for Credential Guard: %4
Domain Controller: %5

Fields

| Name | Type | Description |
| --- | --- | --- |
| HardwareChecks | UInt32 | Hardware Requirements. |
| ADDomainJoin | UInt32 | Domain Joined. |
| AADDomainJoin | UInt32 | Azure AD Joined. |

Example Event

{
  "system": {
    "provider": "LsaSrv",
    "guid": "199FE037-2B82-40A9-82AC-E1D46C792B99",
    "event_source_name": "",
    "event_id": 6156,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-06T06:25:27.300426+00:00",
    "event_record_id": 1655,
    "correlation": {},
    "execution": {
      "process_id": 808,
      "thread_id": 812
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "HardwareChecks": 1,
    "ADDomainJoin": 0,
    "AADDomainJoin": 0
  },
  "message": ""
}

Event ID 6157 — The PDC completed a background trust scan operation of the named trust.

Provider
LsaSrv
Channel
System

Description

The PDC completed a background trust scan operation of the named trust.

Message

The PDC completed a background trust scan operation of the named trust.

Trust: %1

More information can be found at https://go.microsoft.com/fwlink/?linkid=2162089.

Fields

| Name | Type | Description |
| --- | --- | --- |
| TrustName | UnicodeString | |

Event ID 6158 — Error reading Credential Guard.

Provider
LsaSrv
Channel
System

Description

Error reading Credential Guard (LsaIso.exe) UEFI configuration: Status.

Message

Error reading Credential Guard (LsaIso.exe) UEFI configuration: %1

Fields

| Name | Type | Description |
| --- | --- | --- |
| Status | UInt32 | NTSTATUS reference |

Event ID 6160 — LsaIso.

Provider
LsaSrv
Channel
System

Description

LsaIso.exe, the host process for Credential Guard and Key Guard, failed to launch: Status.

Message

LsaIso.exe, the host process for Credential Guard and Key Guard, failed to launch: %1

Fields

| Name | Type | Description |
| --- | --- | --- |
| Status | UInt32 | NTSTATUS reference |

Event ID 6161 — Credential Guard configuration: Config, IsTestConfig, AutoEnabled.

Provider
LsaSrv
Channel
System

Description

Credential Guard configuration: Config, IsTestConfig, AutoEnabled.

Message

Credential Guard configuration: %1, %2, %3

Fields

| Name | Type | Description |
| --- | --- | --- |
| Config | UInt32 | |
| IsTestConfig | UInt32 | |
| AutoEnabled | UInt32 | |

Event ID 6162 — Key Guard was started and will protect VSM-isolated keys.

Provider
LsaSrv
Channel
System

Description

Key Guard was started and will protect VSM-isolated keys.

Message

Key Guard was started and will protect VSM-isolated keys.

Event ID 6163 — Credential Guard was started and will protect LSA credentials.

Provider
LsaSrv
Channel
System

Description

Credential Guard was started and will protect LSA credentials.

Message

Credential Guard was started and will protect LSA credentials.

Event ID 6164 — Credential Guard is configured but the secure kernel is not running; continuing without Credential Guard.

Provider
LsaSrv
Channel
System

Description

Credential Guard is configured but the secure kernel is not running; continuing without Credential Guard.

Message

Credential Guard is configured but the secure kernel is not running; continuing without Credential Guard.

Event ID 6165 — VBS bound machine secret is present but falling back to LSA bound secret.

Provider
LsaSrv
Channel
System

Description

VBS bound machine secret is present but falling back to LSA bound secret.

Message

VBS bound machine secret is present but falling back to LSA bound secret.
Credential Guard running status: %1
VBS bound secret validity: %2

Fields

| Name | Type | Description |
| --- | --- | --- |
| CredGuardRunning | UInt32 | |
| IsPasswordValid | UInt32 | |

Event ID 6166 — Machine Identity Isolation status.

Provider
LsaSrv
Channel
System

Description

Machine Identity Isolation status.

Message

Machine Identity Isolation status:
Credential Guard running: %1
Group Policy: %2
Machine secret source: %3
VBS bound secret validity: %4

Fields

| Name | Type | Description |
| --- | --- | --- |
| CredGuardRunning | UInt32 | |
| GroupPolicyStatus | UInt32 | |
| MachinePasswordSource | UInt32 | |
| MachinePasswordValidity | UInt32 | |
| MachineCertificatePresent | UInt32 | |

Event ID 6167 — There is a partial mismatch in the machine ID.

Provider
LsaSrv
Channel
System

Description

There is a partial mismatch in the machine ID. This indicates that the ticket has either been manipulated or it belongs to a different boot session. Failing authentication.

Message

There is a partial mismatch in the machine ID. This indicates that the ticket has either been manipulated or it belongs to a different boot session. Failing authentication.

Event ID 6167 —

Provider
LsaSrv
Channel
Unknown

Description

There is a partial mismatch in the machine ID. This indicates that the ticket has either been manipulated or it belongs to a different boot session. Failing authentication.

Event ID 6182 — LogonSession alive after interactive user logoff.

Provider
LsaSrv
Channel
Diagnostic

Description

LogonSession alive after interactive user logoff. Indicates a possible token leak in one of the services.

Message

LogonSession alive after interactive user logoff. Indicates a possible token leak in one of the services.
Logon ID:%1
Account Name:%2
Domain Name:%3

Fields

| Name | Type | Description |
| --- | --- | --- |
| Logon_ID | HexInt64 | |
| Account_Name | UnicodeString | |
| Domain_Name | UnicodeString | |
| TargetLogonId | HexInt64 | |
| AccountName | UnicodeString | |
| DomainName | UnicodeString | |

Event ID 6225 —

Provider
LsaSrv
Channel
Performance
Task
LSALogon
Opcode
Start

Event ID 6226 —

Provider
LsaSrv
Channel
Performance
Task
LSALogon
Opcode
Stop

Event ID 6227 —

Provider
LsaSrv
Channel
Performance
Task
LSASID_NameLookup
Opcode
Start

Event ID 6228 —

Provider
LsaSrv
Channel
Performance
Task
LSASID_NameLookup
Opcode
Stop

Event ID 6229 —

Provider
LsaSrv
Channel
Performance
Task
LSASID_NameLookup
Opcode
Start

Event ID 6230 —

Provider
LsaSrv
Channel
Performance
Task
LSASID_NameLookup
Opcode
Stop

Event ID 6231 —

Provider
LsaSrv
Channel
Performance
Task
SecurityPackageManager
Opcode
Start

Event ID 6232 —

Provider
LsaSrv
Channel
Performance
Task
SecurityPackageManager
Opcode
Stop

Event ID 29186 — Moving the existing logon scripts from {OldScripts} to {NewScripts} failed.

Provider
LsaSrv
Channel
System

Description

Moving the existing logon scripts from {OldScripts} to {NewScripts} failed. The return code is the data.

Message

Moving the existing logon scripts from {OldScripts} to {NewScripts} failed.  The return code is the data.

Fields

| Name | Type | Description |
| --- | --- | --- |
| OldScripts | | |
| NewScripts | | |

Event ID 29187 — Running the Security Configuration Editor over the Domain Controller encountered a non-fatal error.

Provider
LsaSrv
Channel
System

Description

Running the Security Configuration Editor over the Domain Controller encountered a non-fatal error. Further details can be obtained by examining the log file {Logfile}. The return code is the data.

Message

Running the Security Configuration Editor over the Domain Controller encountered a non-fatal error.  Further details can be obtained by examining the log file {Logfile}.  The return code is the data.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Logfile | | |

Event ID 29188 — An existing; incompatible trust object was found on the parent server for domain {DomainName}.

Provider
LsaSrv
Channel
System

Description

An existing; incompatible trust object was found on the parent server for domain {DomainName}. It has been removed and replaced with an updated trust.

Message

An existing; incompatible trust object was found on the parent server for domain {DomainName}.  It has been removed and replaced with an updated trust.

Fields

| Name | Type | Description |
| --- | --- | --- |
| DomainName | | |

Event ID 29216 — Failed to disable auto logon following the successful upgrade of a domain controller.

Provider
LsaSrv
Channel
System

Description

Failed to disable auto logon following the successful upgrade of a domain controller. Unable to delete registry key {Path}. The return code is the data.

Message

Failed to disable auto logon following the successful upgrade of a domain controller.  Unable to delete registry key {Path}.  The return code is the data.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Path | | |

Event ID 29217 — Failed to set the default logon domain to {DomainName}.

Provider
LsaSrv
Channel
System

Description

Failed to set the default logon domain to {DomainName}. The return code is the data.

Message

Failed to set the default logon domain to {DomainName}.  The return code is the data.

Fields

| Name | Type | Description |
| --- | --- | --- |
| DomainName | | |

Event ID 29221 — During the demotion operation; the trust object on {ParentName} could not be removed.

Provider
LsaSrv
Channel
System

Description

During the demotion operation; the trust object on {ParentName} could not be removed.

Message

During the demotion operation; the trust object on {ParentName} could not be removed.

Fields

| Name | Type | Description |
| --- | --- | --- |
| ParentName | | |

Event ID 29241 — Dcpromo failed to configure the new starttype of {Flags} for the service {ServiceName} during forced demotion.

Provider
LsaSrv
Channel
System

Description

Dcpromo failed to configure the new starttype of {Flags} for the service {ServiceName} during forced demotion.

Message

Dcpromo failed to configure the new starttype of {Flags} for the service {ServiceName} during forced demotion.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Flags | | |
| ServiceName | | |

Event ID 29242 — Dcpromo failed to remove the dependency of {ServiceName} on {Dependency} during forced demotion.

Provider
LsaSrv
Channel
System

Description

Dcpromo failed to remove the dependency of {ServiceName} on {Dependency} during forced demotion.

Message

Dcpromo failed to remove the dependency of {ServiceName} on {Dependency} during forced demotion.

Fields

| Name | Type | Description |
| --- | --- | --- |
| ServiceName | | |
| Dependency | | |

Event ID 32768 — The interdomain trust account for the domain {Domain} could not be deleted.

Provider
LsaSrv
Channel
System

Description

The interdomain trust account for the domain {Domain} could not be deleted. The return code is the data.

Message

The interdomain trust account for the domain {Domain} could not be deleted. The return code is the data.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Domain | | |

Event ID 32772 — The interdomain trust account for the domain {Domain} could not be created.

Provider
LsaSrv
Channel
System

Description

The interdomain trust account for the domain {Domain} could not be created. The return code is the data.

Message

The interdomain trust account for the domain {Domain} could not be created. The return code is the data.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Domain | | |

Event ID 32773 — A lookup request was made that required connectivity to a domain controller in domain Domain.

Provider
LsaSrv
Channel
System

Message

A lookup request was made that required connectivity to a domain controller in domain %1. The LSA was unable to find a domain controller in the domain and thus failed the request. Please check connectivity and secure channel setup from this domain controller to the domain %2.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Domain | UnicodeString | |
| TargetDomain | UnicodeString | |
| status | Binary | NTSTATUS reference |
| __binLength | UInt32 | |

Event ID 32774 — A lookup request was made that required connectivity to the domain controller Domain.

Provider
LsaSrv
Channel
System

Message

A lookup request was made that required connectivity to the domain controller %1. The local LSA was unable to contact the LSA on the remote domain controller. Please check connectivity and secure channel setup from this domain controller to the domain controller %2.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Domain | UnicodeString | |
| TargetDomain | UnicodeString | |
| status | Binary | NTSTATUS reference |
| __binLength | UInt32 | |

Event ID 32775 — A lookup request was made that required the lookup services on the remote domain controller Domain.

Provider
LsaSrv
Channel
System

Message

A lookup request was made that required the lookup services on the remote domain controller %1. The remote domain controller failed the request thus the local LSA failed the original lookup request. Please check connectivity and secure channel setup from this domain controller to the domain controller %2.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Domain | UnicodeString | |
| TargetDomain | UnicodeString | |
| status | Binary | NTSTATUS reference |
| __binLength | UInt32 | |

Event ID 32777 — The LSA was unable to register its RPC interface over the TCP/IP interface.

Provider
LsaSrv
Channel
System

Description

The LSA was unable to register its RPC interface over the TCP/IP interface. Please make sure that the protocol is properly installed.

Message

The LSA was unable to register its RPC interface over the TCP/IP interface. Please make sure that the protocol is properly installed.

Event ID 32778 — The name {Name} was translated to SID {SID} from the trusted forest {Forest}.

Provider
LsaSrv
Channel
System

Message

The name {Name} was translated to SID {SID} from the trusted forest {Forest}. The domain portion of the SID is not in the list of acceptable SID's found on the trusted domain object; thus this name to SID translation has been ignored.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Name | | |
| SID | | |
| Forest | | |

Event ID 32779 —

Provider
LsaSrv
Channel
Application

Event ID 32779 —

Provider
LsaSrv
Channel
Unknown

Fields

| Name | Type | Description |
| --- | --- | --- |
| SubCategoryGuid | GUID | |

Event ID 32780 — The LSA was unable to notify UBPM during startup with status Status.

Provider
LsaSrv
Channel
System

Description

The LSA was unable to notify UBPM during startup with status Status.

Message

The LSA was unable to notify UBPM during startup with status %1.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Status | HexInt32 | NTSTATUS reference |

Event ID 40960 — The Security System detected an authentication error for the server Target.

Provider
LsaSrv
Channel
System

Description

The Security System detected an authentication error for the server Target. The failure code from authentication protocol Protocol was Error.

Message

The Security System detected an authentication error for the server %1. The failure code from authentication protocol %2 was %3.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Target | UnicodeString | |
| Protocol | UnicodeString | Known values: 0 = HOPOPT, 1 = ICMP, 2 = IGMP, 6 = TCP, 17 = UDP, 41 = IPv6, 43 = IPv6-Route, 44 = IPv6-Frag, 47 = GRE, 50 = ESP, 51 = AH, 58 = ICMPv6, 89 = OSPF, 103 = PIM, 132 = SCTP |
| Error | UnicodeString | |

Event ID 40961 — The Security System could not establish a secured connection with the server Target.

Provider
LsaSrv
Channel
System

Description

The Security System could not establish a secured connection with the server Target. No authentication protocol was available.

Message

The Security System could not establish a secured connection with the server %1. No authentication protocol was available.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Target | UnicodeString | |

Event ID 40962 — The Security System was unable to authenticate to the server Target because the server has completed the authentication, but the client authentication ...

Provider
LsaSrv
Channel
System

Description

The Security System was unable to authenticate to the server Target because the server has completed the authentication, but the client authentication protocol Protocol has not.

Message

The Security System was unable to authenticate to the server %1 because the server has completed the authentication, but the client authentication protocol %2 has not.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Target | UnicodeString | |
| Protocol | UnicodeString | Known values: 0 = HOPOPT, 1 = ICMP, 2 = IGMP, 6 = TCP, 17 = UDP, 41 = IPv6, 43 = IPv6-Route, 44 = IPv6-Frag, 47 = GRE, 50 = ESP, 51 = AH, 58 = ICMPv6, 89 = OSPF, 103 = PIM, 132 = SCTP |

Event ID 40964 — The Security System received an authentication attempt with an unknown authentication protocol.

Provider
LsaSrv
Channel
System

Description

The Security System received an authentication attempt with an unknown authentication protocol. The request has failed.

Message

The Security System received an authentication attempt with an unknown authentication protocol. The request has failed.

Event ID 40965 — The Security System has selected Protocol for the authentication protocol to server Target.

Provider
LsaSrv
Channel
System

Description

The Security System has selected Protocol for the authentication protocol to server Target.

Message

The Security System has selected %2 for the authentication protocol to server %1.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Target | UnicodeString | |
| Protocol | UnicodeString | Known values: 0 = HOPOPT, 1 = ICMP, 2 = IGMP, 6 = TCP, 17 = UDP, 41 = IPv6, 43 = IPv6-Route, 44 = IPv6-Frag, 47 = GRE, 50 = ESP, 51 = AH, 58 = ICMPv6, 89 = OSPF, 103 = PIM, 132 = SCTP |

Event ID 40966 — The Security System has received an authentication attempt, and determined that the protocol Protocol preferred by the client is acceptable.

Provider
LsaSrv
Channel
System

Description

The Security System has received an authentication attempt, and determined that the protocol Protocol preferred by the client is acceptable.

Message

The Security System has received an authentication attempt, and determined that the protocol %1 preferred by the client is acceptable.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Protocol | UnicodeString | Known values: 0 = HOPOPT, 1 = ICMP, 2 = IGMP, 6 = TCP, 17 = UDP, 41 = IPv6, 43 = IPv6-Route, 44 = IPv6-Frag, 47 = GRE, 50 = ESP, 51 = AH, 58 = ICMPv6, 89 = OSPF, 103 = PIM, 132 = SCTP |

Event ID 40967 — The Security System has received an authentication request directly for authentication protocol Protocol.

Provider
LsaSrv
Channel
System

Description

The Security System has received an authentication request directly for authentication protocol Protocol.

Message

The Security System has received an authentication request directly for authentication protocol %1.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Protocol | UnicodeString | Known values: 0 = HOPOPT, 1 = ICMP, 2 = IGMP, 6 = TCP, 17 = UDP, 41 = IPv6, 43 = IPv6-Route, 44 = IPv6-Frag, 47 = GRE, 50 = ESP, 51 = AH, 58 = ICMPv6, 89 = OSPF, 103 = PIM, 132 = SCTP |

Event ID 40968 — The Security System has received an authentication request that could not be decoded.

Provider
LsaSrv
Channel
System

Description

The Security System has received an authentication request that could not be decoded. The request has failed.

Message

The Security System has received an authentication request that could not be decoded. The request has failed.

Event ID 40969 — The Security System has received an authentication attempt, and determined that the protocol Protocol is the common protocol.

Provider
LsaSrv
Channel
System

Description

The Security System has received an authentication attempt, and determined that the protocol Protocol is the common protocol.

Message

The Security System has received an authentication attempt, and determined that the protocol %1 is the common protocol.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Protocol | UnicodeString | Known values: 0 = HOPOPT, 1 = ICMP, 2 = IGMP, 6 = TCP, 17 = UDP, 41 = IPv6, 43 = IPv6-Route, 44 = IPv6-Frag, 47 = GRE, 50 = ESP, 51 = AH, 58 = ICMPv6, 89 = OSPF, 103 = PIM, 132 = SCTP |

Event ID 40970 — The Security System has detected a downgrade attempt when contacting the 3-part SPN.

Provider
LsaSrv
Channel
System
Level
Warning

Description

The Security System has detected a downgrade attempt when contacting the 3-part SPN.

Message

The Security System has detected a downgrade attempt when contacting the 3-part SPN

%1

with error code %2. Authentication was denied.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Target | UnicodeString | |
| Error | UnicodeString | |

Example Event

{
  "system": {
    "provider": "LsaSrv",
    "guid": "199FE037-2B82-40A9-82AC-E1D46C792B99",
    "event_source_name": "",
    "event_id": 40970,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-13T23:06:30.699004+00:00",
    "event_record_id": 12309,
    "correlation": {},
    "execution": {
      "process_id": 936,
      "thread_id": 11176
    },
    "channel": "System",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Target": "ldap/LAB-DC01.ludus.domain/ludus.domain@LUDUS.DOMAIN",
    "Error": "\"The attempted logon is invalid. This is either due to a bad username or authentication information.\r\n (0xc000006d)\""
  },
  "message": ""
}

Event ID 45056 — Logon cache was disabled.

Provider
LsaSrv
Channel
System

Description

Logon cache was disabled. Intermittent authentication failures may result during periods of network latency or interrupts. Please contact your system administrator.

Message

Logon cache was disabled. Intermittent authentication failures may result during periods of network latency or interrupts. Please contact your system administrator.

Event ID 45057 — A failed logon attempt has caused a logon cache entry for user Username to be deleted.

Provider
LsaSrv
Channel
System

Description

A failed logon attempt has caused a logon cache entry for user Username to be deleted. The authentication package was Package, and the error message was Error.

Message

A failed logon attempt has caused a logon cache entry for user %1 to be deleted. The authentication package was %2, and the error message was %3.

Fields

| Name | Type | Description |
| --- | --- | --- |
| Username | UnicodeString | |
| Package | UnicodeString | |
| Error | UnicodeString | |

Event ID 45058 — A logon cache entry for user UserName was the oldest entry and was removed.

Provider
LsaSrv
Channel
System

Description

A logon cache entry for user UserName was the oldest entry and was removed. The timestamp of this entry was TimeStamp.

Message

A logon cache entry for user %1 was the oldest entry and was removed. The timestamp of this entry was %2.

Fields

| Name | Type | Description |
| --- | --- | --- |
| UserName | UnicodeString | |
| TimeStamp | SYSTEMTIME | |