Event ID 6273 — Network Policy Server denied access to a user.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Logon/Logoff → Network Policy Server
Collection Priority: Medium (Microsoft-AppendixL, others)
Opcode: Info

Description

Network Policy Server denied access to a user.

Message #

Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Fully Qualified Account Name: %4

Client Machine:
	Security ID: %5
	Account Name: %6
	Fully Qualified Account Name: %7
	OS-Version: %8
	Called Station Identifier: %9
	Calling Station Identifier: %10

NAS:
	NAS IPv4 Address: %11
	NAS IPv6 Address: %12
	NAS Identifier: %13
	NAS Port-Type: %14
	NAS Port: %15

RADIUS Client:
	Client Friendly Name: %16
	Client IP Address: %17

Authentication Details:
	Proxy Policy Name: %18
	Network Policy Name: %19
	Authentication Provider: %20
	Authentication Server: %21
	Authentication Type: %22
	EAP Type: %23
	Account Session Identifier: %24
	Reason Code: %25
	Reason: %26

Fields #

Name	Description
`SubjectUserSid` SID	[User] Security ID
`SubjectUserName` UnicodeString	[User] Account Name
`SubjectDomainName` UnicodeString	[User] Account Domain
`FullyQualifiedSubjectUserName` UnicodeString	[User] Fully Qualified Account Name
`SubjectMachineSID` SID	[Client Machine] Security ID
`SubjectMachineName` UnicodeString	[Client Machine] Account Name
`FullyQualifiedSubjectMachineName` UnicodeString	[Client Machine] Fully Qualified Account Name
`CalledStationID` UnicodeString	[Client Machine] Called Station Identifier
`CallingStationID` UnicodeString	[Client Machine] Calling Station Identifier
`NASIPv4Address` UnicodeString	[NAS] NAS IPv4 Address
`NASIPv6Address` UnicodeString	[NAS] NAS IPv6 Address
`NASIdentifier` UnicodeString	[NAS] NAS Identifier
`NASPortType` UnicodeString	[NAS] NAS Port-Type
`NASPort` UnicodeString	[NAS] NAS Port
`ClientName` UnicodeString	[RADIUS Client] Client Friendly Name
`ClientIPAddress` UnicodeString	[RADIUS Client] Client IP Address
`ProxyPolicyName` UnicodeString	[Authentication Details] Connection Request Policy Name
`NetworkPolicyName` UnicodeString	[Authentication Details] Network Policy Name
`AuthenticationProvider` UnicodeString	[Authentication Details] Authentication Provider
`AuthenticationServer` UnicodeString	[Authentication Details] Authentication Server
`AuthenticationType` UnicodeString	[Authentication Details] Authentication Type
`EAPType` UnicodeString	[Authentication Details] EAP Type
`AccountSessionIdentifier` UnicodeString	[Authentication Details] Account Session Identifier
`ReasonCode` UnicodeString	[Authentication Details] Reason Code
`Reason` UnicodeString	[Authentication Details] Reason
`LoggingResult` UnicodeString	[Authentication Details] Logging Results

Community Notes #

Large numbers of Reason 16 or 23 from the same IP or MAC indicates bruting of WiFi, VPN, 802.1x portals. Repeat denials for privileged accounts should be investigated.

References #

Microsoft Learn https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-6273
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-network-policy-server