

Exchange Problem or IIS Problem or perhaps both?

Posted on 2013-05-30
Medium Priority
Last Modified: 2013-06-17
I received this Audit Failure this morning 5 times.

Once at 8:20:02
Twice at 8:20:15
Twice at 8:20:27

It's referencing IIS and also a domain user, and the user's account domain appears to be Exchange related.

I have been experiencing unusual account lockout issues with this user, which I believe we have resolved as of yesterday.

This event is new and I have never seen it before, and research on it at this point hasn't turned up anything specific or useful.

Can anyone shed light on this?

A couple of things I noticed that appear odd, for this user, his workstation IP is the one referenced (, however, the workstation name listed is not his, it's the name of my SBS 2011 DC.


Here is one of the event logs:

An account failed to log on.

      Security ID:            IIS APPPOOL\DefaultAppPool
      Account Name:            DefaultAppPool
      Account Domain:            IIS APPPOOL
      Logon ID:            0x93428

Logon Type:                  8

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            user1
      Account Domain:            mail.mydomain.com

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc0000064

Process Information:
      Caller Process ID:      0x1fcc
      Caller Process Name:      C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
      Workstation Name:      Servername
      Source Network Address:
      Source Port:            51409

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
Question by:tjwo94
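
An added example, not part of the original question: a PowerShell summary of event 4625 entries whose caller process is w3wp.exe, decoding the Logon Type and Sub Status fields shown in the event above (type 8 is a cleartext network logon; 0xc0000064 means the user name was not found). The one-day look-back window is an assumption to adjust.

```powershell
# Added example: summarise failed logons (event 4625) whose caller is an IIS worker process.
# Run from an elevated PowerShell prompt on the server that logged the events.
$lookBackDays = 1   # assumption: adjust to the period you are investigating

# Common NTSTATUS values seen in the Sub Status field of event 4625
$subStatusText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'user name correct, password wrong'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
    '0xc0000071' = 'password expired'
}
$logonTypeText = @{ '2' = 'Interactive'; '3' = 'Network'; '8' = 'NetworkCleartext'; '10' = 'RemoteInteractive' }

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-$lookBackDays) }
# @() gives an empty array (and so no loop iterations) when no events match
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$rows = foreach ($e in $events) {
    # Flatten <EventData><Data Name="..."> into a name/value table
    $d = @{}
    foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

    # Keep only failures raised on behalf of an IIS application pool
    if ("$($d['ProcessName'])" -notlike '*\w3wp.exe') { continue }

    $sub  = "$($d['SubStatus'])".ToLower()
    $type = "$($d['LogonType'])"
    New-Object PSObject -Property @{
        Account   = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        AppPool   = $d['SubjectUserName']
        LogonType = if ($logonTypeText.ContainsKey($type)) { $logonTypeText[$type] } else { $type }
        Reason    = if ($subStatusText.ContainsKey($sub)) { $subStatusText[$sub] } else { $sub }
        SourceIp  = $d['IpAddress']
    }
}

# One line per distinct account / app pool / reason / source, most frequent first
$rows | Group-Object Account, AppPool, LogonType, Reason, SourceIp |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```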

Expert Comment

ID: 39208279
Have you tried setting a simple password for the user and seeing if the same error  comes up?  Take a look at this:


Author Comment

ID: 39208365
I have not, but I will try that. Another piece of information, the user indicated no issues logging in today, however, their Outlook 2010 is disconnected from exchange and periodically prompting for credentials.

Yesterday, we noticed the user had cached credentials for his email in the Windows 7 Credential Manager, so we removed them. This seems to have fixed his issue with the account being locked out, and at the time we reset his password as well, and his exchange was working without issue.

I'm about to head out to be onsite for troubleshooting, and I'll let you know what happens with a more simple password like 123 or something.

Let me know if this added information sparks any other ideas.


Expert Comment

ID: 39208450
hmmm well a few simple steps first before digging into IIS.

Remove his account from outlook and add it again, ask Outlook to store his Exchange password, etc. and see if that at least allows him to remain connected to Exchange


Expert Comment

by:Jeffery Hayes
ID: 39208526
I'd start by pulling the IIS Logs.

This can be done a couple different ways but I like using Powershell to pull the logs for the user.

$oi = get-clientaccessserver | ?{$_.Name -like "*DC*"}; $oi | %{get-childitem "\\$_\c`$\iis\logfiles\w3svc1" -include *.log -recurse |?{$_.LastWriteTime -gt (get-date).AddDays(-X)} | select-string -pattern 'LinkedMasterAccount Alias'} > outfile.txt

Please note for the above script you will need to change the following values.

DC: this would be used for any data-center that might be listed within the name space of the CAS servers, provided your environment has multiple CAS.

Change -X to the number of days you would like to search back for.

Linked Master Account Alias should be SamAccountName.

I'd search by pulling the IIS logs as there should be an entry for the login attempt.

Please let me know if you have any questions on this.

Also very important the search path is the default location for the IIS logs. If this has been changed you would need to update the path to search on the CAS servers.

Author Comment

ID: 39208922
Here is an update.

Upon logging on the user's machine, I noticed 3 active Outlook 2010 windows. Two windows displayed as "needing password", and the third was connected fine. I have to assume at some point, whatever was preventing Outlook from connecting, or whatever Exchange needed, ended up being supplied.

For argument's sake, as this machine is static, I removed "cached mode". Password was reset to something more simple, though I wouldn't say the password was too complex to begin with.

Currently I don't have any more errors showing up, though, I would expect to see them tomorrow if something were to go wrong again, or at least that seems to be the trend.

I did shutdown/restart, login/out several times without any issues with the account, passwords, or outlook. But again, I didn't yesterday either, so we'll see what tomorrow brings.

I will try to pull an IIS log using the script above. Not sure I will know what I'm looking for, but I can certainly post the results.

Author Comment

ID: 39208961
Hey  bigj8705, is the SamAccountName, just the login name of my user?

Expert Comment

by:Jeffery Hayes
ID: 39209758
LinkedMasterAccount name will work as well. Domain\username. Use the username.

Also you would be looking at two values mostly.

scWin32Status Codes = http://msdn.microsoft.com/en-us/library/ms681381.aspx 
scStatus Codes= http://support.microsoft.com/kb/943891 

For example if you see the status code 1326 for scWin32Status it would report the active sync device is causing an issue.
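
An added example, not code from the thread: one way to search the IIS logs locally on the server and read the sc-status and sc-win32-status columns discussed above, checking that the log directory exists first. The log path, the site folder W3SVC1, the user name and the look-back window are placeholder assumptions.

```powershell
# Added example: list IIS log entries for one user, grouped by the HTTP and Win32 status fields.
# Assumptions: run on the IIS/CAS server itself; $logDir, $user and $days are placeholders.
$logDir = Join-Path $env:SystemDrive 'inetpub\logs\LogFiles\W3SVC1'
$user   = 'user1'
$days   = 10

# Fail early with a clear message instead of searching a path that is not there
if (-not (Test-Path $logDir)) { throw "IIS log directory not found: $logDir" }

$cutoff = (Get-Date).AddDays(-$days)
$files  = @(Get-ChildItem $logDir -Filter *.log | Where-Object { $_.LastWriteTime -gt $cutoff })

$hits = foreach ($file in $files) {
    $fields = @()
    foreach ($line in Get-Content $file.FullName) {
        if ($line.StartsWith('#Fields:')) {
            # The header names the columns; it can change mid-file if logging is reconfigured
            $fields = @($line.Substring(8).Trim() -split ' ')
            continue
        }
        if ($line.StartsWith('#') -or $fields.Count -eq 0) { continue }

        $values = @($line -split ' ')
        if ($values.Count -ne $fields.Count) { continue }   # skip truncated lines

        # Map column name -> value for this request
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }

        # -like treats the backslash in DOMAIN\user literally (a regex pattern would not)
        if ($rec['cs-username'] -notlike "*$user*") { continue }

        New-Object PSObject -Property @{
            Url         = $rec['cs-uri-stem']
            ClientIp    = $rec['c-ip']
            HttpStatus  = '{0}.{1}' -f $rec['sc-status'], $rec['sc-substatus']
            Win32Status = $rec['sc-win32-status']
        }
    }
}

# Most frequent URL / client / status combinations first
$hits | Group-Object Url, ClientIp, HttpStatus, Win32Status |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```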

Author Comment

ID: 39210786
I altered the script accordingly, but it fails. This is what I entered, and what I got as a reply:

PS Z:\> $oi = get-clientaccessserver | ?{$_.Name -like "*FS1-SERVER.SERVER.LOCAL*"}; $oi | %{get-childitem "\\$_\c`$\iis\logfi
les\w3svc1" -include *.log -recurse |?{$_.LastWriteTime -gt (get-date).AddDays(-10)} | select-string -pattern 'SERVER\lstel
ling'} > outfile.txt

Get-ChildItem : Cannot find path '\\\c$\iis\logfiles\w3svc1' because it does not exist.
At line:1 char:93
+ $oi = get-clientaccessserver | ?{$_.Name -like "*FS1-SERVER.SERVER.LOCAL*"}; $oi | %{get-childitem <<<<  "\\$_\c`$\iis\logf
iles\w3svc1" -include *.log -recurse |?{$_.LastWriteTime -gt (get-date).AddDays(-10)} | select-string -pattern 'SERVER\lst
elling'} > outfile.txt
    + CategoryInfo          : ObjectNotFound: (\\\c$\iis\logfiles\w3svc1:String) [Get-ChildItem], ItemNotFoundExceptio
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

Expert Comment

by:Jeffery Hayes
ID: 39211476
Looks like the file path might be different.

To determine where your IIS log files are stored, please perform the following steps on your server.
I assume you are using IIS 7.0
1. Go to Start -> Control Panel -> Administrative Tools
2. Run Internet Information Services (IIS).
3. Find your Web site under the tree on the left.
4. Click the virtual directory, such as OWA. Then double click “Logging” on the result pane.
5. You can see the location of the log under “Directory”.
By default it is “%SystemDrive%\inetpub\logs\LogFiles”

Author Comment

ID: 39211598
This is the exact path I have.


Expert Comment

by:Jeffery Hayes
ID: 39212215
Sorry the environment I work is I guess one off.

I would simply open the log files then for the day in question and search with Ctrl+F, looking for the user's alias.

Accepted Solution

tjwo94 earned 0 total points
ID: 39243183
Sorry for waiting so long to update, but I needed time to monitor the changes I had made.

I manually opened the IIS logs and didn't find any error for the days I was having issues.

I made a couple of changes, that for now, seem to have taken care of the issues.

1.) Removed some cached credentials on the user's Win 7 machine.
2.) Removed cached mode option from Outlook 2010 Exchange account
3.) Adjusted the domain lockout policy to Microsoft standards.
4.) Searched the registry for all entries pertaining to the old DC and deleted them from the
     Win 7 machine.

It has been a couple of weeks now and I have yet to have any issues with this user or any others. I'm not 100% confident one or any of my attempts here are the answer, but I will continue to monitor accordingly.
Thank you both for the fantastic assistance, I really appreciate it.

Author Closing Comment

ID: 39252621
So far so good.
