Solved

Exchange Problem or IIS Problem or perhaps both?

Posted on 2013-05-30
Last Modified: 2013-06-17
I received this Audit Failure this morning 5 times.

Once at 8:20:02
Twice at 8:20:15
Twice at 8:20:27

It's referencing IIS and also a domain user, and the user's account domain appears to be Exchange related.

I have been experiencing unusual account lockout issues with this user, which I believe we have resolved as of yesterday.

This event is new and I have never seen it before, and research on it at this point hasn't turned up anything specific or useful.

Can anyone shed light on this?

A couple of things I noticed that appear odd: for this user, his workstation IP is the one referenced (10.10.1.76); however, the workstation name listed is not his, it's the name of my SBS 2011 DC.

Thanks!

Here is one of the event logs:

An account failed to log on.

Subject:
      Security ID:            IIS APPPOOL\DefaultAppPool
      Account Name:            DefaultAppPool
      Account Domain:            IIS APPPOOL
      Logon ID:            0x93428

Logon Type:                  8

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            user1
      Account Domain:            mail.mydomain.com

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc0000064

Process Information:
      Caller Process ID:      0x1fcc
      Caller Process Name:      C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
      Workstation Name:      Servername
      Source Network Address:      10.10.1.76
      Source Port:            51409

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
Question by:tjwo94
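
Reading the posted event field by field, as an added example that is not part of the original question: Logon Type 8 is NetworkCleartext, the type recorded when a process such as the IIS worker (w3wp.exe) hands a user name and password to Windows, and Sub Status 0xc0000064 means the account name was not found rather than that the password was wrong. The function name and lookup tables are this example's own, and the commented query assumes event ID 4625, the ID Windows uses for "An account failed to log on".

```powershell
# Added example, not from the thread. $sample is the event text posted in the
# question, trimmed to the fields that are decoded below.
$sample = @'
Logon Type:                  8
Account For Which Logon Failed:
      Account Name:            user1
      Account Domain:            mail.mydomain.com
Failure Information:
      Status:                  0xc000006d
      Sub Status:            0xc0000064
Process Information:
      Caller Process Name:      C:\Windows\System32\inetsrv\w3wp.exe
Network Information:
      Source Network Address:      10.10.1.76
'@

$LogonType = @{ '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'
                '7' = 'Unlock'; '8' = 'NetworkCleartext'; '10' = 'RemoteInteractive' }
$NtStatus = @{
    '0xc000006d' = 'STATUS_LOGON_FAILURE (generic logon failure)'
    '0xc0000064' = 'STATUS_NO_SUCH_USER (account name not found)'
    '0xc000006a' = 'STATUS_WRONG_PASSWORD (account exists, wrong password)'
    '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xc0000072' = 'STATUS_ACCOUNT_DISABLED'
}

function ConvertFrom-LogonFailureText {
    param([string]$Text)
    $f = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        # "Label:  value" lines only. A repeated label keeps its last value, so in a
        # full event "Account Name" is the failed account, not the Subject.
        if ($line -match '^\s*([^:]+):\s+(\S.*?)\s*$') { $f[$matches[1]] = $matches[2] }
    }
    $sub = "$($f['Sub Status'])".ToLower()
    New-Object psobject -Property @{
        Account      = '{0}\{1}' -f $f['Account Domain'], $f['Account Name']
        LogonType    = $LogonType[$f['Logon Type']]
        Failure      = $NtStatus[$sub]
        Caller       = Split-Path $f['Caller Process Name'] -Leaf
        Source       = $f['Source Network Address']
        NameNotFound = ($sub -eq '0xc0000064')   # name lookup failed, not the password
    }
}

# Live log (assumes an elevated session on the server):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} |
#     ForEach-Object { ConvertFrom-LogonFailureText $_.Message }
ConvertFrom-LogonFailureText $sample | Format-List
```
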
 
LVL 8

Expert Comment

by:PaulD77
ID: 39208279
Have you tried setting a simple password for the user and seeing if the same error comes up? Take a look at this:

http://stackoverflow.com/questions/9785641/iis-windows-authentication-rejecting-some-users
 

Author Comment

by:tjwo94
ID: 39208365
I have not, but I will try that. Another piece of information, the user indicated no issues logging in today, however, their Outlook 2010 is disconnected from exchange and periodically prompting for credentials.

Yesterday, we noticed the user had cached credentials for his email in the Windows 7 Credential Manager, so we removed them. This seems to have fixed his issue with the account being locked out, and at the time we reset his password as well, and his exchange was working without issue.

I'm about to head out to be onsite for troubleshooting, and I'll let you know what happens with a more simple password like 123 or something.

Let me know if this added information sparks any other ideas.

Thanks!
 
LVL 8

Expert Comment

by:PaulD77
ID: 39208450
Hmmm, well, a few simple steps first before digging into IIS.

Remove his account from Outlook and add it again, ask Outlook to store his Exchange password, etc. and see if that at least allows him to remain connected to Exchange.
 
LVL 4

Expert Comment

by:Jeffery Hayes
ID: 39208526
I'd start by pulling the IIS Logs.

This can be done a couple of different ways, but I like using PowerShell to pull the logs for the user.


# Replace *DC*, X (days to search back) and the search pattern before running.
$oi = get-clientaccessserver | ?{$_.Name -like "*DC*"}; $oi | %{get-childitem "\\$_\c`$\iis\logfiles\w3svc1" -include *.log -recurse | ?{$_.LastWriteTime -gt (get-date).AddDays(-X)} | select-string -pattern 'LinkedMasterAccount Alias'} > outfile.txt


Please note for the above script you will need to change the following values.

DC: this would be used for any data-center that might be listed within the name space of the CAS servers, provided your environment has multiple CAS.

Change -X to the number of days you would like to search back for.

Linked Master Account Alias should be SamAccountName.

I'd search by pulling the IIS logs as there should be an entry for the login attempt.


Please let me know if you have any questions on this.

Also, very important: the search path is the default location for the IIS logs. If this has been changed, you would need to update the path to search on the CAS servers.
 

Author Comment

by:tjwo94
ID: 39208922
Here is an update.

Upon logging on to the user's machine, I noticed 3 active Outlook 2010 windows. Two windows displayed as "needing password", and the third was connected fine. I have to assume at some point, whatever was preventing Outlook from connecting, or whatever Exchange needed, ended up being supplied.

For argument's sake, as this machine is static, I removed "cached mode". Password was reset to something more simple, though I wouldn't say the password was too complex to begin with.

Currently I don't have any more errors showing up, though, I would expect to see them tomorrow if something were to go wrong again, or at least that seems to be the trend.

I did shutdown/restart, login/out several times without any issues with the account, passwords, or outlook. But again, I didn't yesterday either, so we'll see what tomorrow brings.

I will try to pull an IIS log using the script above. Not sure I will know what I'm looking for, but I can certainly post the results.
 

Author Comment

by:tjwo94
ID: 39208961
Hey bigj8705, is the SamAccountName just the login name of my user?
 
LVL 4

Expert Comment

by:Jeffery Hayes
ID: 39209758
LinkedMasterAccount name will work as well. Domain\username. Use the username.

Also you would be looking at two values mostly.

scWin32Status Codes = http://msdn.microsoft.com/en-us/library/ms681381.aspx 
scStatus Codes= http://support.microsoft.com/kb/943891 

For example if you see the status code 1326 for scWin32Status it would report the active sync device is causing an issue.
 
ERROR_LOGON_FAILURE 1326 (0x52E)
 

Author Comment

by:tjwo94
ID: 39210786
I altered the script accordingly, but it fails. This is what I entered, and what I got as a reply:


PS Z:\> $oi = get-clientaccessserver | ?{$_.Name -like "*FS1-SERVER.SERVER.LOCAL*"}; $oi | %{get-childitem "\\$_\c`$\iis\logfi
les\w3svc1" -include *.log -recurse |?{$_.LastWriteTime -gt (get-date).AddDays(-10)} | select-string -pattern 'SERVER\lstel
ling'} > outfile.txt

Get-ChildItem : Cannot find path '\\\c$\iis\logfiles\w3svc1' because it does not exist.
At line:1 char:93
+ $oi = get-clientaccessserver | ?{$_.Name -like "*FS1-SERVER.SERVER.LOCAL*"}; $oi | %{get-childitem <<<<  "\\$_\c`$\iis\logf
iles\w3svc1" -include *.log -recurse |?{$_.LastWriteTime -gt (get-date).AddDays(-10)} | select-string -pattern 'SERVER\lst
elling'} > outfile.txt
    + CategoryInfo          : ObjectNotFound: (\\\c$\iis\logfiles\w3svc1:String) [Get-ChildItem], ItemNotFoundExceptio
   n
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
 
LVL 4

Expert Comment

by:Jeffery Hayes
ID: 39211476
Looks like the file path might be different.

To determine where your IIS log files are stored, please perform the following steps on your server.
I assume you are using IIS 7.0.
1. Go to Start -> Control Panel -> Administrative Tools
2. Run Internet Information Services (IIS).
3. Find your Web site under the tree on the left.
4. Click the virtual directory, such as OWA. Then double click “Logging” on the result pane.
5. You can see the location of the log under “Directory”.
By default it is “%SystemDrive%\inetpub\logs\LogFiles”.
 

Author Comment

by:tjwo94
ID: 39211598
This is the exact path I have.


C:\inetpub\logs\LogFiles\
 
LVL 4

Expert Comment

by:Jeffery Hayes
ID: 39212215
Sorry, the environment I work in is, I guess, a one-off.

I would simply open the log files then for the day in question and search with Ctrl+F, looking for the user's alias.
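
The manual search suggested above can also be scripted. This added example (not code from the thread) reads IIS W3C lines using the `#Fields` header, keeps the 401 responses for one user, and groups them by client address and the sc-win32-status value mentioned earlier. The log lines are constructed sample data, and `Find-IisAuthFailure` and the `W3SVC1` folder name in the comment are assumptions.

```powershell
# Added example, not from the thread. $sample is constructed W3C log data.
$sample = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2013-01-01 08:00:02 POST /EWS/Exchange.asmx mail.mydomain.com\user1 10.10.1.76 401 1 1326
2013-01-01 08:00:15 POST /EWS/Exchange.asmx mail.mydomain.com\user1 10.10.1.76 401 1 1326
2013-01-01 08:01:40 POST /EWS/Exchange.asmx SERVER\user2 10.10.1.80 200 0 0
2013-01-01 08:02:05 GET /owa/ - 10.10.1.76 401 2 5
'@ -split "`r?`n"

function Find-IisAuthFailure {
    param([string[]]$Line, [string]$User)
    $cols = @()
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') {
            # Column order is set per file by this header, so map names to positions.
            $cols = @($l.Substring(8).Trim() -split '\s+')
            continue
        }
        if ($l -like '#*' -or -not $l.Trim() -or $cols.Count -eq 0) { continue }
        $v = $l -split ' '
        $row = @{}
        for ($i = 0; $i -lt $cols.Count -and $i -lt $v.Count; $i++) { $row[$cols[$i]] = $v[$i] }
        # 401 = the request was refused for authentication reasons.
        if ($row['sc-status'] -eq '401' -and $row['cs-username'] -like "*$User*") {
            New-Object psobject -Property $row
        }
    }
}

# Real logs, using the path given in this thread (W3SVC1 is an assumed site folder):
# Find-IisAuthFailure -Line (Get-Content C:\inetpub\logs\LogFiles\W3SVC1\*.log) -User 'user1'
$hits = @(Find-IisAuthFailure -Line $sample -User 'user1')

# One row per client address and Win32 status (1326 = ERROR_LOGON_FAILURE).
$hits | Group-Object 'c-ip', 'sc-win32-status' | Format-Table Count, Name -AutoSize
```
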
 

Accepted Solution

by:
tjwo94 earned 0 total points
ID: 39243183
Sorry for waiting so long to update, but I needed time to monitor the changes I had made.

I manually opened the IIS logs and didn't find any error for the days I was having issues.

I made a couple of changes that, for now, seem to have taken care of the issues.

1.) Removed some cached credentials on the user's Win 7 machine.
2.) Removed the cached mode option from the Outlook 2010 Exchange account.
3.) Adjusted the domain lockout policy to Microsoft standards.
4.) Searched the registry for all entries pertaining to the old DC and deleted them from the Win 7 machine.

It has been a couple of weeks now and I have yet to have any issues with this user or any others. I'm not 100% confident one or any of my attempts here are the answer, but I will continue to monitor accordingly.
Thank you both for the fantastic assistance, I really appreciate it.
 

Author Closing Comment

by:tjwo94
ID: 39252621
So far so good.