Skip to page contentSkip to chat
ServiceNow support
    • Community
      Ask questions, give advice, and connect with fellow ServiceNow professionals.
      Developer
      Build, test, and deploy applications
      Documentation
      Find detailed information about ServiceNow products, apps, features, and releases.
      Impact
      Accelerate ROI and amplify your expertise.
      Learning
      Build skills with instructor-led and online training.
      Partner
      Grow your business with promotions, news, and marketing tools
      ServiceNow
      Learn about ServiceNow products & solutions.
      Store
      Download certified apps and integrations that complement ServiceNow.
      Support
      Manage your instances, access self-help, and get technical support.
Windows security event (ID 4625) is logged with Discovery - Known Error
  • >
  • Knowledge Base
  • >
  • Known Error (Knowledge Base)
  • >
  • Windows security event (ID 4625) is logged with Discovery
KB0683187

Windows security event (ID 4625) is logged with Discovery


5800 Views Last updated : Mar 21, 2025 public Copy Permalink
KB Summary by Now Assist

Description

Even with credential affinities, the target machine may log a Windows security event with ID 4625. It  appears in the Windows Event Viewer under Windows Logs > Security as "An account failed to log on."
 
Discovery on the instance is successful.

Steps to Reproduce

Prerequisite Setup

  • No common user account between the MID Server A and Windows machine B
  • Discovery plugin activated
  • MID Server A is on a Windows host with the service account running as LocalSystem (default)

Procedure

  1. Add a Windows credential to successfully discover the Windows machine B.

  2. Run a discovery to target Windows machine B with MID Server A.

  3. Allow discovery to finish successfully.

  4. Log in to machine B and open the Event Viewer.

    NOTE: There should be a 4625 event logged with the user name that logged in to machine A.

    • Keywords: Audit Failure
    • Source: Microsoft Windows security auditing.
    • Event ID: 4625
    • Task Category: Logon

    Within the General Details area, messages will indicate that the attempt came from the MID Server host within the Network Information section.

  5. Run discovery again.

    NOTE: Even though a credential affinity is used, Microsoft will log an Audit Failure event to notify administrators when impersonation is being used.

 

 

Workaround

For a Windows probe, ServiceNow uses impersonation to run a script as a credentialed user on a remote target. 

To verify that you have access to the target machine, execute the following command:
$results = gwmi win32_operatingsystem -computer $computer -credential $cred -impersonation 3 -authentication 6 -EA "Stop";

If this command fails, iterate to the next credential. If it passes, continue to execute the intended script against the target.

Based on the post When using Get-WMIObject, it uses current user credential first before using "-Credential" parameter on Microsoft forums, when impersonation is used, Windows will first attempt to run as the current user (or service account) before using the specified credential. Therefore, this is working as designed per Microsoft. Impersonation has existed in discovery for a while so at least one security event per probe will always be logged per probe; more if other commands in the script require impersonation.

Windows first tries to authenticate as the MID Server Windows service account. If this account has access to the target, no Audit Failure event is logged. To accomplish this, have a MID Server discover targets within the same domain.


Related Problem: PRB1239785

The world works with ServiceNow.

Sign in for more! There's more content available only to authenticated users Sign in for more!
Did this KB article help you?
Did this KB article help you?

How would you rate your Now Support digital experience?

*

Very unsatisfied

Unsatisfied

Neutral

Satisfied

Very satisfied

Very unsatisfied

Unsatisfied

Neutral

Satisfied

Very satisfied

What can we improve? Please select all that apply.

What are we doing well? Please select all that apply.

Tell us more

*

Do you expect a response from this feedback?

  • Terms and conditions
  • Privacy statement
  • GDPR
  • Cookie policy
  • © 2025 ServiceNow. All rights reserved.