forgive me if I'm on the wrong tack here.  but with windows authentication, there is no inputting of the password into SQL....so there is no failed SQL logon (for password reasons anyway).

There may be a failed logon, because the windows logon is not registered in SQL....but if that's the case then there is no permissions to deny anyway...what's the point the user can't signon in the 1st place?

I think you are setting some hurdles that may be too high.