Skip to Content

How Can I Fix NTLM Authentication Failures Caused by Duplicate Machine SIDs on My Network?

By: Author Alex Lim

Posted on

Categories Troubleshooting

Home » Troubleshooting » How Can I Fix NTLM Authentication Failures Caused by Duplicate Machine SIDs on My Network?

Why Am I Seeing Kerberos Login Errors After Recent Windows 11 and Server 2025 Updates?

Recent updates to Windows 11 and Windows Server 2025 may cause login problems on your network. If users are experiencing repeated password prompts or access errors, the cause could be duplicate Security IDs (SIDs) on different machines.

A SID is a unique identifier that Windows assigns to each computer, user, and group to manage security and access. When you clone a computer’s hard drive without proper preparation, this unique SID can be duplicated. While this was not always a problem, Microsoft updates from August and September 2025 now enforce stricter checks, causing authentication with duplicate SIDs to fail.

Identify the Problem

This issue affects Windows 11 versions 24H2 and 25H2, as well as Windows Server 2025, if the following updates are installed:

  • KB5064081 (released August 29, 2025)
  • KB5065426 (released September 9, 2025)

You can confirm this is your issue if you observe these symptoms:

  • Users are constantly asked to enter their username and password.
  • Logins fail with messages like “The username or password is incorrect” or “There is a partial mismatch in the machine ID.”
  • Accessing shared network folders by IP address or hostname does not work.
  • Remote Desktop connections fail.
  • The Windows Event Viewer shows an error in the security protocol listed as SEC_E_NO_CREDENTIALS or displays Event ID 6167 in the system log.

Resolve the Authentication Errors

The core of the problem is that multiple computers have the same identity on the network. To fix this, each machine needs its own unique SID.

Permanent Solution

The correct and permanent way to resolve this is to ensure every machine has a unique SID. This is typically done by using the System Preparation Tool (Sysprep) before cloning a Windows installation. Sysprep removes machine-specific information, like the SID, from a Windows image. When a new computer starts from this image, it generates a new, unique SID.

If you already have affected machines on your network, you must change their SIDs. This often requires setting up the machine again from a properly prepared (sysprepped) image. Some third-party tools may also be able to change an existing SID.

Temporary Workaround

For a temporary fix, you can request a special group policy from Microsoft to bypass the new SID check. To get this policy, you must contact Microsoft Enterprise Support directly. This should only be used as a short-term measure while you work on assigning unique SIDs to all affected computers.