Question
Tuesday, August 14, 2012 6:11 AM
Dear community,
I have got tons of security events on my Exchange server (EX01) and on the DCs because of a locked-out user account. How can I trace where all those authentication requests originate?
I can see that the Caller Process Name is: C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe. But how can I trace it further?
"Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 8/13/2012 2:44:07 PM
Event ID: 4625
Task Category: Account Lockout
Level: Information
Keywords: Audit Failure
User: N/A
Computer: EX01.example.lan
Description:
An account failed to log on.
Subject:
Security ID: NETWORK SERVICE
Account Name: EX01$
Account Domain: EXAMPLE
Logon ID: 0x3e4
Logon Type: 8
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: [email protected]
Account Domain:
Failure Information:
Failure Reason: Account locked out.
Status: 0xc0000234
Sub Status: 0x0
Process Information:
Caller Process ID: 0x1108
Caller Process Name: C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe
Network Information:
Workstation Name: EX01
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
I activated Netlogon.log on the DC, but the username mpkt does not appear in the logs. I also activated IMAP logging on Exchange, where I got the following entries:
#Log-type: IMAP4 Log
#Date: 2012-08-13T10:24:05.756Z
#Fields: dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context
2012-08-13T10:24:05.756Z,0000000000000001,0,10.119.3.166:143,10.119.3.240:4747,,-2147483648,0,53,OpenSession,,
2012-08-13T10:24:05.927Z,0000000000000001,1,10.119.3.166:143,10.119.3.240:4747,,156,29,21,login,[email protected] *****,"R=""a1 NO LOGIN failed."";Msg=LogonFailed:LoginDenied"
2012-08-13T10:24:05.943Z,0000000000000001,2,10.119.3.166:143,10.119.3.240:4747,,0,9,89,logout,,R=ok
2012-08-13T10:24:10.935Z,0000000000000002,0,10.119.3.166:143,10.119.3.240:1857,,-2147483648,0,53,OpenSession,,
2012-08-13T10:24:10.935Z,0000000000000002,1,10.119.3.166:143,10.119.3.240:1857,,0,29,21,login,[email protected] *****,"R=""a1 NO LOGIN failed."";RpcL=-1;LdapL=-1;Msg=LogonFailed:LoginDenied"
2012-08-13T10:24:10.935Z,0000000000000002,2,10.119.3.166:143,10.119.3.240:1857,,0,9,89,logout,,R=ok
....
10.119.3.166 is our CAS. 10.119.3.240 is our software distribution server. Does this log entry mean that the login request comes from the software distribution server? I am not quite sure how to read this IMAP log.
How can I trace this further? Is there another way to find out where the user account is trying to log in from?
Thank you in advance for your help.
Tanja
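An added example for reading the IMAP4 protocol log quoted above; it is not part of the original question or of Exchange. The field semantics follow from the "#Fields:" header and the ports: sIp is the server socket (the CAS listening on 143) and cIp is the connecting client's address and ephemeral source port, so for the quoted lines the failed LOGINs for the account arrive from 10.119.3.240. This is the log to use here because the 4625 event on the CAS is a Logon Type 8 (NetworkCleartext) logon through Advapi, which carries the caller process but no source address. The script below embeds the quoted lines as a constructed sample (with the redacted address exactly as the post shows it); the log directory is the Exchange 2010 default and is an assumption for your installation.

```powershell
# Added example, not from the original post: parse an Exchange 2010 IMAP4
# protocol log and list failed LOGIN commands by account and client address.
# Assumption: the default IMAP4 protocol log location for Exchange 2010 (V14).
$ImapLogDir = 'C:\Program Files\Microsoft\Exchange Server\V14\Logging\Imap4'

function Get-ImapLogonFailure {
    <#
    .SYNOPSIS
    Returns one object per failed IMAP LOGIN found in the given protocol-log lines.
    #>
    param([Parameter(Mandatory)][string[]]$Lines)

    # The "#Fields:" comment line names the CSV columns; data lines never start with "#".
    $fieldsLine = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldsLine) { throw 'No #Fields: header found; is this an IMAP4 protocol log?' }
    $header    = ($fieldsLine -replace '^#Fields:\s*', '') -split ','
    $dataLines = $Lines | Where-Object { $_ -and -not $_.StartsWith('#') }

    # ConvertFrom-Csv copes with the quoted context column, including its doubled "" quotes.
    foreach ($row in ($dataLines | ConvertFrom-Csv -Header $header)) {
        if ($row.command -ne 'login' -or $row.context -notmatch 'LogonFailed') { continue }
        # On a failed login the user column is empty; the account is the first token of
        # the parameters column (Exchange has already masked the password as *****).
        [pscustomobject]@{
            Time     = [datetime]::Parse($row.dateTime, [cultureinfo]::InvariantCulture,
                           [System.Globalization.DateTimeStyles]::AdjustToUniversal)
            Account  = ($row.parameters -split ' ')[0]
            ClientIP = ($row.cIp -split ':')[0]   # connecting host (the interesting part)
            Server   = ($row.sIp -split ':')[0]   # the CAS that accepted the session
            Session  = $row.sessionId
            Result   = $row.context
        }
    }
}

# Constructed sample: the lines quoted in the post, embedded so this runs without a log file.
$sample = @'
#Log-type: IMAP4 Log
#Date: 2012-08-13T10:24:05.756Z
#Fields: dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context
2012-08-13T10:24:05.756Z,0000000000000001,0,10.119.3.166:143,10.119.3.240:4747,,-2147483648,0,53,OpenSession,,
2012-08-13T10:24:05.927Z,0000000000000001,1,10.119.3.166:143,10.119.3.240:4747,,156,29,21,login,[email protected] *****,"R=""a1 NO LOGIN failed."";Msg=LogonFailed:LoginDenied"
2012-08-13T10:24:05.943Z,0000000000000001,2,10.119.3.166:143,10.119.3.240:4747,,0,9,89,logout,,R=ok
2012-08-13T10:24:10.935Z,0000000000000002,0,10.119.3.166:143,10.119.3.240:1857,,-2147483648,0,53,OpenSession,,
2012-08-13T10:24:10.935Z,0000000000000002,1,10.119.3.166:143,10.119.3.240:1857,,0,29,21,login,[email protected] *****,"R=""a1 NO LOGIN failed."";RpcL=-1;LdapL=-1;Msg=LogonFailed:LoginDenied"
2012-08-13T10:24:10.935Z,0000000000000002,2,10.119.3.166:143,10.119.3.240:1857,,0,9,89,logout,,R=ok
'@

$failures = Get-ImapLogonFailure -Lines ($sample -split "`r?`n")

# Failures per account and client; with the sample, both come from 10.119.3.240.
$failures | Group-Object Account, ClientIP | Select-Object Count, Name | Sort-Object Count -Descending

# Against the real logs on the CAS (all files in the protocol-log directory):
# $failures = Get-ImapLogonFailure -Lines (Get-Content "$ImapLogDir\*.log")
```

Once the client address is known, the remaining work is on that host: the IMAP client is whatever process on 10.119.3.240 holds the account's old password (a notification or mail-polling service is the usual suspect), and `netstat -bno` or a process-level connection capture on that host will name it.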
All replies (6)
Wednesday, August 15, 2012 6:09 AM ✅Answered
Hi
Is there not something on his/her machine, or on the user's mobile phone, that is causing the lockout? Any scripts or apps that make a connection to the server with an outdated password?
There are a few other links you can look at:
http://smtp25.blogspot.com/2009/10/what-is-causing-my-account-to-get.html
Wednesday, August 15, 2012 2:44 PM ✅Answered
Multiple places to check; you need to parse your DCs' security logs, use EventComb. Use the steps below.
1. Confirm with the user whether the password was changed.
2. Determine the number of devices that the user has:
a. Laptops and desktops in the domain
b. Personal laptops and desktops at home running VPN or Outlook Anywhere
c. Mobile devices: iPhone, iPad, BlackBerry, Droids, etc.
3. Ensure that the user has updated all the passwords if the password was changed. Re-enter them again regardless of whether the user said they updated it already, in case of typos.
a. Desktop\Laptop: Check services.msc and see if any services are running under his account, and re-enter the password.
b. Desktop\Laptop: Check for any scheduled tasks running under his account and re-enter the password.
c. Desktop\Laptop: Check for stale stored passwords: Control Panel, User Accounts, Credential Manager.
d. Mobile device: Check if wifi is connecting to the corporate wifi. If not, re-enter the password.
e. Mobile device: Re-enter the password for the Exchange email account.
f. Check if wifi is connecting to the corporate wifi. If not, re-enter the password.
Performed by Server Eng
4. Parse the Domain Controllers' security event logs for failed authentication
a. Download EventComb
b. Run eventcombmt.exe from C:\Admin\tools\EventComb
c. In the white pane under "Select to Search/Right Click to Add", right-click in the white pane box and choose Get DCs in Domain.
d. Choose Log Files to Search: select only Security
e. Event Types: select only Success Audit, Failure Audit, Success
f. In the Text: box, type the user name jchong
g. Scan Back: 2 days
h. Click Search, and click Yes at the dialog prompt "Error nothing selected".
i. When completed, the results are written to C:\temp with log files for each DC. Look through each DC and determine if you can find how many devices the user is authenticating from.
Notes: Sometimes the user may have a stale terminal server session, and if the user changed his password, the stale terminal server session will lock out his account due to Group Policy processing occurring with his stale session on the TS server.
Notes: IPs do not show up for mobile devices. Typically, if you see failed authentication attempts with limited info and no IP, it's usually a mobile device.
If you cannot determine where the lockout is originating from, have the user turn off one device at a time for 15 minutes. After the 15 minutes, re-parse the DC logs and see if the authentication failure attempts still occur. If they do, turn off the next device and repeat.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
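The DC log search in step 4 of the reply above, done with Get-WinEvent instead of the EventComb GUI; this is an added example and not the replier's own script. It pulls event 4740 (account locked out) from the PDC emulator, where every lockout is recorded and whose TargetDomainName field carries the "Caller Computer Name" (the machine that sent the bad password to a DC, such as the Exchange CAS), then pulls 4625 from each caller machine to get the submitting process, logon type, status codes and source address. It assumes the ActiveDirectory module (RSAT), remote Security-log read access on the DCs and caller machines, and uses the reply's example user name jchong as a placeholder; the Status/SubStatus meanings in the comments are the standard NTSTATUS values.

```powershell
# Added example, not from the thread: EventComb's search for one account,
# expressed as Get-WinEvent queries over the PDC emulator and the caller machines.
# Assumptions: ActiveDirectory module present; remote Event Log access granted;
# 'jchong' is the example account from the reply above (replace it).

function ConvertTo-EventDataHash {
    # Turn a security event's EventData into a name->value hashtable, so fields are
    # addressed by the names in the event XML rather than by positional index.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

function Get-AccountLockoutTrail {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$DaysBack = 2
    )
    Import-Module ActiveDirectory
    $since  = (Get-Date).AddDays(-$DaysBack)
    $domain = Get-ADDomain

    # Step 1: 4740 is always written on the PDC emulator. In this event the
    # TargetDomainName data field holds the "Caller Computer Name".
    $lockouts = @(Get-WinEvent -ComputerName $domain.PDCEmulator -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventDataHash $_
        if ($d.TargetUserName -eq $SamAccountName) {
            [pscustomobject]@{
                Time = $_.TimeCreated; Kind = 'Lockout(4740)'; Computer = $d.TargetDomainName
                Account = $d.TargetUserName; LogonType = $null; Status = $null; SubStatus = $null
                Process = $null; SourceIP = $null; Workstation = $null
            }
        }
    })
    $lockouts

    # Step 2: on each caller machine, 4625 names the process that submitted the
    # credentials and, for network logons, the source address. For Logon Type 8
    # through Advapi (the IMAP4 case in this thread) IpAddress is "-", and the trail
    # continues in that application's own protocol log.
    foreach ($caller in ($lockouts.Computer | Sort-Object -Unique)) {
        Get-WinEvent -ComputerName $caller -FilterHashtable @{
            LogName = 'Security'; Id = 4625; StartTime = $since
        } -ErrorAction SilentlyContinue | ForEach-Object {
            $d = ConvertTo-EventDataHash $_
            # TargetUserName may be a sAMAccountName or, as in the event quoted in
            # the question, a UPN; match on the prefix.
            if ($d.TargetUserName -like "$SamAccountName*") {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Kind        = 'Failure(4625)'
                    Computer    = $caller
                    Account     = $d.TargetUserName
                    LogonType   = $d.LogonType      # 8 = NetworkCleartext (POP/IMAP/basic auth)
                    Status      = $d.Status         # 0xC000006D bad credentials, 0xC0000234 locked out
                    SubStatus   = $d.SubStatus      # 0xC000006A = wrong password
                    Process     = $d.ProcessName    # e.g. ...\PopImap\Microsoft.Exchange.Imap4.exe
                    SourceIP    = $d.IpAddress      # "-" for Advapi logons
                    Workstation = $d.WorkstationName
                }
            }
        }
    }
}

Get-AccountLockoutTrail -SamAccountName 'jchong' -DaysBack 2 |
    Sort-Object Time | Format-Table -AutoSize
```

The first 4625 with Status 0xC000006D after a password change is the one to read: its Process and LogonType tell you which service on the caller machine is replaying the old credential, and once that is Imap4.exe on the CAS with SourceIP "-", the client address has to come from the IMAP4 protocol log rather than from the DCs.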
Tuesday, August 14, 2012 5:57 PM
Hi
There are a couple of tools available from Microsoft; probably the most useful one is LockOutStatus.exe. This app lets you put a user name in, and it will show you all the domain controllers in your Active Directory domain.
Ref: http://www.beakersoft.co.uk/2008/02/07/where-has-that-account-been-locked-out/
Wednesday, August 15, 2012 5:57 AM
Hi Dare Devil
Thank you for your reply.
I already investigated with LockOutStatus. Unfortunately this tool did not bring me any further in this case.
As I can see from the eventlog the Caller Process Name is C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe.
So I guess, that some IMAP-process on the Exchange requests authentication on the Domain Controllers. But how can I trace down on Exchange where the request is originating?
Regards,
Tanja
Friday, August 17, 2012 10:37 AM
Hi
Thank you for your help.
With all those tools and tips I finally managed to find out where the requests originate.
After finding out which server starts the requests, I tried stopping some services which generate emails. Finally I found the guilty service.
Regards,
Tanja
Wednesday, May 30, 2018 9:47 AM
Hi
I know this is an old article, but can you tell me what you found, please?
I'm having exactly the same problem with a couple of users.
I know it's IMAP on Exchange, but I don't know where it is originating.
Thanks
Farouk