Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Friday, November 2, 2018 3:03 PM
I am getting thousands of these messages a day, at random times. I have ruled out external OWA access becuase I have 2 servers in a DAG and I have allowed only one through NAT. There is no IP address, and I have reset all of the healthmailboxes. I am at a loss for what is causing this. It appears it is generated from within exchange but I don't know how to troubleshoot it.
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: COT-MAIL05$
Account Domain: XXXXXX
Logon ID: 0x3E7
Logon Type: 8
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: test
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC0000064
Process Information:
Caller Process ID: 0x1d48
Caller Process Name: C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe
Network Information:
Workstation Name: COT-MAIL05
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
All replies (4)
Friday, November 2, 2018 3:24 PM
For further clarification, these attempts are not happening on our other exchange server. This is specific to this one exchange server.
Monday, November 5, 2018 7:28 AM
Hi,
The error could be caused by that password of the machine (COT-MAIL05) is different from the password stored on the DC. This can happen by some corruptions of the local computer registry, or that the machine COT-MAIL05 has just changed its computer password. You can check the machine's PHS-AERO health by using NLTEST /SC_VERIFY:domain-name in PowerShell. If the result is SUCCESS, try to use NLTEST /SC_RESET:domain-name several times and check the results.
Additionally, the error could occur when a user logs on IIS using basic authentication method. So if basic authentication is the only option for you, please use encryption protocols like SSL to protect your network connection.
Regards,
Dawn Zhou
Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact [email protected].
Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.
Monday, November 5, 2018 4:45 PM
Hi,
The error could be caused by that password of the machine (COT-MAIL05) is different from the password stored on the DC. This can happen by some corruptions of the local computer registry, or that the machine COT-MAIL05 has just changed its computer password. You can check the machine's PHS-AERO health by using NLTEST /SC_VERIFY:domain-name in PowerShell. If the result is SUCCESS, try to use NLTEST /SC_RESET:domain-name several times and check the results.
Additionally, the error could occur when a user logs on IIS using basic authentication method. So if basic authentication is the only option for you, please use encryption protocols like SSL to protect your network connection.
Regards,
Dawn Zhou
I have ran both commands and got success every time. I am skeptical that it is a result of IIS because it is happening thousands of times per day, and there is no access to it from outside the network other than getting proxied from the other exchange server. If it were a computer password, would the caller process name still be C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe?
Monday, November 19, 2018 9:55 AM
Hi,
Sorry for late reply. If you tried the commands multiple times but the logs still generated, it could not be a password problem. We can turn to the logon type 8 in the log. This logon type indicates the password was sent over the network in the clear text. You can use basic authentication mode when a user logs on to IIS. Make sure you use SSL/TLS for the connection.
For your reference:
Please note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information. And the changes made in the above blog is not supported officially by Microsoft.
Regards,
Dawn Zhou
Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact [email protected].
Click here to learn more. Visit the dedicated forum to share, explore and talk to experts about Microsoft Teams.