Share via

Continuous Logon Failure (0xC000006D) for machine account

Ganesan I 10 Reputation points
2025-02-14T07:57:46.0533333+00:00

Hi All,
Greetings!

We've been noticing continuous login failures from a machine account (file server). Both the source and destination (IP & Host) are itself. We've tried clearing the cache, re-establishing the trust using "nltest /sc_reset", rejoined the device to domain and updated all the patches. But still having the same issue. And no issues for any other users during login or accessing files.

As of my understanding, this logon failure is due to one service, which I can't find any trace of it in the logs (event viewer). Because I can see login success for the same account every day.
Frequency: Continuously during the office hours.

Below are the details,

Log source: Microsoft-Windows-Security-Auditing

Subject:

Security ID:		NULL SID

Account Name:		-

Account Domain:		-

Logon ID:		0x0

Logon Type: 3

Account For Which Logon Failed:

Security ID:		NULL SID

Account Name:		file-server$

Account Domain:		contoso

Failure Information:

Failure Reason:		An Error occured during Logon.

Status:			0xC000006D

Sub Status:		0x0

Process Information:

Caller Process ID:	0x0

Caller Process Name:	-

Network Information:

Workstation Name:	file-server

Source Network Address:	10.0.0.5  
Source Port:		63808

Detailed Authentication Information:

Logon Process:		

Authentication Package:	NTLM

Transited Services:	-

Package Name (NTLM only):	-

Key Length:		0

Log source : Microsoft-Windows-SMBServer/Security
SMB Session Authentication Failure

Client Name: \10.0.0.5

Client Address: 10.0.0.5:63808

User Name:

Session ID: 0x7C156400058D

Status: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xC000006D)

SPN: session setup failed before the SPN could be queried

SPN Validation Policy: SPN optional / no validation

I've referred many forums with this error code and scenario, but unable to solve this. Hoping for a solution here.

Windows for business | Windows Server | User experience | Other
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Ganesan I 10 Reputation points
    2025-02-26T05:25:58.45+00:00

    Hi,

    The issue resolved.

    Due to a error, "SearchIndexer" service tried to save the index in the mentioned share location. But it was blocked by default due to this patch ,https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/accessing-server-locally-with-fqdn-cname-alias-denied

    Since, the mentioned changes to the registry is not recommended and disabling search indexer won't cause much hindrance, I stopped the WSearch service and hence resolved.

    Note: Use ProcMon, it will help you to check who/what accessed the resource.
    Thanks.

    2 people found this answer helpful.
    0 comments
  2. Yohann Mignon 1 Reputation point
    2026-03-12T13:55:59.5133333+00:00

    Hi,

    I'm in the same situation.

    Authentification through Kerberos to access a Share between two servers on Windows Server 2025 has stopped working after few days.

    But Indexer service is already disable on my side :/

    Same error :

    SMB Session Authentication Failure
Client Name: \\x.x.x.x
Client Address: x.x.x.x:58207
User Name: 
Session ID: 0xFFFFFFFFFFFFFFFF
Status: The attempted logon is invalid. This is either due to a bad username or authentication information. (0xC000006D)
SPN: session setup failed before the SPN could be queried
SPN Validation Policy: SPN optional / no validation
Guidance:
You should expect this error when attempting to connect to shares using incorrect credentials.
This error does not always indicate a problem with authorization, but mainly authentication. It is more common with non-Windows clients.
This error can occur when using incorrect usernames and passwords with NTLM, mismatched LmCompatibility settings between client and server, an incorrect service principal name, duplicate Kerberos service principal names, incorrect Kerberos ticket-granting service tickets, or Guest accounts without Guest access enabled

    0 comments
  3. Alex Burlachenko 19,465 Reputation points Volunteer Moderator
    2025-02-14T08:11:18.0033333+00:00

    hi,

    dig deeper into the SMB logs or enable detailed Kerberos logging to catch the root cause

    rgds

    alex

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.