I'm using the method AcceptSecurityContext (https://msdn.microsoft.com/en-us/library/windows/desktop/aa374708(v=vs.85).aspx) to establish a secure connection, but this seems to trigger (two) audit failure events in the Windows event log. The events have ID 4625 which seems to indicate that they represent failed login attempts, but the AcceptSecurityContext call returns the status SEC_E_OK. How can this be? I would expect that the method would return STATUS_LOGON_FAILURE if it was a real failure. And the login seems to work, because I'm able to proceed with the communication.
Does anyone have an idea on how to avoid these messages? Help would be greatly appreciated.
The event seems to be logged on Windows server only (I've tried 2016, 2012 and 2008). I don't see the event on Windows 10.
The errors were produced when Windows tried to authenticate the certificate used in the security context handshake against the Windows AD server. Further information on the theory of why this is the default behavior would be interesting, but in my case the certificate does not represent any AD entity. It is used only between services on a single machine to allow secure communication between those services. I could therefore simply turn off the Windows authentication mechanism during the call to AcquireCredentialsHandle by setting the dwFlags part of the SCHANNEL_CRED structure like this: