Event ID 4823 — NTLM authentication failed because access control restrictions are required.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Opcode: Info

Description

NTLM authentication failed because access control restrictions are required.

Message #

NTLM authentication failed because access control restrictions are required.

Account Name: %1
Device Name: %2
Error Code: %3

Authentication Policy Information:
	Silo Name: %4
	PolicyName: %5

Fields #

Name	Description
`Account_Name` UnicodeString	—
`Device_Name` UnicodeString	—
`Error_Code` HexInt32	—
`Silo_Name` UnicodeString	[Authentication Policy Information] Silo Name.
`PolicyName` UnicodeString	[Authentication Policy Information] PolicyName.
`AccountName` UnicodeString	Account Name
`DeviceName` UnicodeString	Device Name
`Status` HexInt32	Error Code NTSTATUS reference
`SiloName` UnicodeString	[Authentication Policy Information] Silo Name

Community Notes #

NTLM authentication was blocked by access control restrictions (authentication policy or silo).

The Status field is an NTSTATUS code:

Code	Name	Description
0xC000006D	STATUS_LOGON_FAILURE	Generic failure
0xC0000413	STATUS_AUTHENTICATION_FIREWALL_FAILED	Blocked by authentication policy/silo

References #

Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4823