RDP NLA and ID 4624 Logon Type 3
Note: I translated the Japanese original into English using Google Translate.
Thank you, Google.
If NLA (Network Level Authentication) is enabled for an RDP connection, event ID 4624 with logon type 3 is recorded in the Security log.
Is there a way to tell that a given event ID 4624 logon type 3 record was produced by NLA?
----------
Configure RDP in a test environment (Windows 10) and enable NLA in the RDP settings.
Connect to the Windows 10 machine with MSTSC.EXE. NLA requires authentication before the session is established.
Event ID 4624 Logon Type 3 is recorded in the Security log when I enter the correct credentials.
Event ID 4624 Logon Type 10 was recorded when the RDP connection succeeded.
My question is whether this event can be linked to the NLA-generated event ID 4624 Logon Type 3 record.
Unfortunately, the Logon ID cannot be used to link the two events; the two records carry different Logon IDs.
Let's check the event log related to RDP.
ID 1149 is recorded at almost the same time as "ID 4624 Logon Type 3".
Arranging the three events in time order: although the timestamps do not match exactly, they are very close.
2019-04-07T10:17:12.733209800Z ID 4624 Logon Type 3
2019-04-07T10:17:12.742504600Z ID 1149 Remote Desktop Services: User authentication succeeded:
2019-04-07T10:17:14.815911800Z ID 4624 Logon Type 10
Is there any information other than the timestamp that links ID 1149 to ID 4624? I compared the Correlation ActivityID values, but they differ:
ID 4624 Logon Type 3:
Correlation
[ ActivityID] {31290b36-ed74-0000-4d0c-293174edd401}
ID 1149:
Correlation
[ ActivityID] {f4208d55-a62e-41d8-a71b-58a083da0000}
Let's add the "Microsoft-Windows-TerminalServices-LocalSessionManager" log to the timeline.
2019-04-07T10:17:12.733209800Z ID 4624 Logon Type 3
2019-04-07T10:17:12.742504600Z ID 1149 Remote Desktop Services: User authentication succeeded:
2019-04-07T10:17:14.815911800Z ID 4624 Logon Type 10
2019-04-07T10:17:14.859104600Z ID 41 Begin session arbitration:
2019-04-07T10:17:18.317919800Z ID 42 End session arbitration:
2019-04-07T10:17:20.549253300Z ID 21 Remote Desktop Services: Session logon succeeded:
When I sign out of the RDP session, Event ID 4634 Logon Type 3 is recorded. It can be associated with the ID 4624 record through the Logon ID value (0x1E98FF).
Let's arrange the "Microsoft-Windows-TerminalServices-LocalSessionManager" log and ID 4634 in time order.
2019-04-07T11:29:28.977682900Z ID 4647 User initiated logoff:
2019-04-07T11:29:29.028431800Z ID 23 Remote Desktop Services: Session logoff succeeded:
2019-04-07T11:29:29.396625500Z ID 40 Session 2 has been disconnected, reason code 12
2019-04-07T11:29:29.474687900Z ID 4634 An account was logged off.
2019-04-07T11:29:29.486780000Z ID 24 Remote Desktop Services: Session has been disconnected:
Would it be reasonable to link ID 24 and ID 4634 by timestamp, and then search for the matching ID 4624 by Logon ID?
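As an added example (not part of the original post), the following Python script applies both correlation rules discussed above to a constructed event timeline: the timestamp heuristic that pairs the NLA "4624 Logon Type 3" with ID 1149 and then with "4624 Logon Type 10", and the exact Logon ID link between 4634 and 4624, plus the timestamp link between 4634 and ID 24. The timestamps are those quoted in the post; the Logon ID 0x1E98FF is the value from the post, and I assume it belongs to the Logon Type 3 pair (4624/4634), since the 4634 is itself Type 3. The second Logon ID (0x1E9A20), the short channel labels ("RCM" for TerminalServices-RemoteConnectionManager, which logs ID 1149, and "LSM" for LocalSessionManager) and the window sizes are my own assumptions.

```python
# Added example, not from the original post: correlating the RDP/NLA events the
# post lists. Timestamps are the post's; Logon ID 0x1E98FF is the one the post
# quotes (assumed to belong to the Type 3 pair). 0x1E9A20, the channel labels
# and the time windows are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Event:
    time: datetime
    channel: str             # "Security", "RCM" (RemoteConnectionManager), "LSM" (LocalSessionManager)
    event_id: int
    logon_type: Optional[int] = None
    logon_id: Optional[str] = None


def ts(s: str) -> datetime:
    """Parse the 100 ns ISO-8601 timestamps as shown in the post, truncated to microseconds."""
    base, frac = s.rstrip("Z").split(".")
    micros = int(frac[:6].ljust(6, "0"))
    return datetime.fromisoformat(base).replace(tzinfo=timezone.utc) + timedelta(microseconds=micros)


# Constructed sample timeline that follows the post's event sequence.
SAMPLE = [
    Event(ts("2019-04-07T10:17:12.733209800Z"), "Security", 4624, 3, "0x1E98FF"),   # NLA network logon
    Event(ts("2019-04-07T10:17:12.742504600Z"), "RCM", 1149),                       # user authentication succeeded
    Event(ts("2019-04-07T10:17:14.815911800Z"), "Security", 4624, 10, "0x1E9A20"),  # RemoteInteractive logon
    Event(ts("2019-04-07T10:17:14.859104600Z"), "LSM", 41),                         # begin session arbitration
    Event(ts("2019-04-07T10:17:18.317919800Z"), "LSM", 42),                         # end session arbitration
    Event(ts("2019-04-07T10:17:20.549253300Z"), "LSM", 21),                         # session logon succeeded
    Event(ts("2019-04-07T11:29:28.977682900Z"), "Security", 4647, None, "0x1E9A20"),
    Event(ts("2019-04-07T11:29:29.028431800Z"), "LSM", 23),                         # session logoff succeeded
    Event(ts("2019-04-07T11:29:29.396625500Z"), "LSM", 40),                         # session disconnected
    Event(ts("2019-04-07T11:29:29.474687900Z"), "Security", 4634, 3, "0x1E98FF"),   # NLA logon session ends
    Event(ts("2019-04-07T11:29:29.486780000Z"), "LSM", 24),                         # session has been disconnected
]


def within(later: Event, earlier: Event, window: timedelta) -> bool:
    """True if `later` is at or after `earlier` and no more than `window` apart."""
    return timedelta(0) <= later.time - earlier.time <= window


def correlate_nla_logon(events, auth_window=timedelta(seconds=1), session_window=timedelta(seconds=10)):
    """Timestamp heuristic (the records share no identifier): pair a 4624/Type 3 with the
    first ID 1149 that follows it within auth_window, then with the first 4624/Type 10
    that follows that 1149 within session_window."""
    events = sorted(events, key=lambda e: e.time)
    matches = []
    for nla in events:
        if not (nla.channel == "Security" and nla.event_id == 4624 and nla.logon_type == 3):
            continue
        auth = next((e for e in events if e.event_id == 1149 and within(e, nla, auth_window)), None)
        if auth is None:
            continue  # a Type 3 logon with no nearby 1149 is likely not NLA (SMB, WinRM, ...)
        session = next((e for e in events if e.channel == "Security" and e.event_id == 4624
                        and e.logon_type == 10 and within(e, auth, session_window)), None)
        matches.append({
            "nla_logon_id": nla.logon_id,
            "nla_to_auth": auth.time - nla.time,
            "session_logon_id": session.logon_id if session else None,
        })
    return matches


def correlate_logoff(events, window=timedelta(seconds=1)):
    """Exact link 4634 -> 4624 by Logon ID, plus timestamp link 4634 <-> ID 24."""
    logons = {e.logon_id: e for e in events if e.channel == "Security" and e.event_id == 4624}
    results = []
    for off in events:
        if not (off.channel == "Security" and off.event_id == 4634):
            continue
        disconnect = next((e for e in events if e.channel == "LSM" and e.event_id == 24
                           and abs(e.time - off.time) <= window), None)
        results.append({
            "logon_id": off.logon_id,
            "logon_event": logons.get(off.logon_id),   # None if the 4624 is outside the collected data
            "disconnect_event": disconnect,
        })
    return results


if __name__ == "__main__":
    for m in correlate_nla_logon(SAMPLE):
        print("NLA logon", m["nla_logon_id"], "-> 1149 after", m["nla_to_auth"],
              "-> session logon", m["session_logon_id"])
    for r in correlate_logoff(SAMPLE):
        print("4634", r["logon_id"], "<- 4624 type", r["logon_event"].logon_type,
              "| ID", r["disconnect_event"].event_id, "nearby")
```

The 4634-to-4624 step is exact because the Logon ID is a shared key; the other two steps are only proximity heuristics, so on a busy terminal server with several users connecting in the same second the 1149 and Type 10 matches can be ambiguous and should be reported as candidates rather than certainties.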
Reference URL: