Exchange Problem or IIS Problem or perhaps both?

Posted on 2013-05-30
Last Modified: 2013-06-17
I received this Audit Failure this morning 5 times.

Once at 8:20:02
Twice at 8:20:15
Twice at 8:20:27

It's referencing IIS and also a domain user and the users account domain appears to be exchange related.

I have been experiencing unusual account lockout issues with this user, which I believe we have resolved as of yesterday.

This event is new and have never seen it before and research on it at this point hasn't turned up anything specific or useful.

Can anyone shed light on this?

A couple of things I noticed that appear odd, for this user, his workstation IP is the one referenced (, however, the workstation name listed is not his, its the name of my SBS 2011 DC.


Here is one of the event logs:

An account failed to log on.

      Security ID:            IIS APPPOOL\DefaultAppPool
      Account Name:            DefaultAppPool
      Account Domain:            IIS APPPOOL
      Logon ID:            0x93428

Logon Type:                  8

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            user1
      Account Domain:  

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc0000064

Process Information:
      Caller Process ID:      0x1fcc
      Caller Process Name:      C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
      Workstation Name:      Servername
      Source Network Address:
      Source Port:            51409

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
Question by:tjwo94
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 4
  • 2

Expert Comment

ID: 39208279
Have you tried setting a simple password for the user and seeing if the same error  comes up?  Take a look at this:

Author Comment

ID: 39208365
I have not, but I will try that. Another piece of information, the user indicated no issues logging in today, however, their Outlook 2010 is disconnected from exchange and periodically prompting for credentials.

Yesterday, we noticed the user had cached credentials for his email in the Windows 7 Credential Manager, so we removed them. This seems to have fixed his issue with the account being locked out, and at the time we reset his password as well, and his exchange was working without issue.

I'm about to head out to be onsite for troubleshooting, and I'll let you know what happens with a more simple password like 123 or something.

Let me know if this added information sparks any other idea's.


Expert Comment

ID: 39208450
hmmm well a few simple steps first before digging into IIS.

Remove his account from outlook and add it again, ask Outlook to store his Exchange password, etc. and see if that at least allows him to remain connected to Exchange
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)


Expert Comment

by:Jeffery Hayes
ID: 39208526
I'd start by pulling the IIS Logs.

This can be done a couple different ways but I like using Powershell to pull the logs for the user.

$oi = get-clientaccessserver | ?{$_.Name –like “*DC*”}; $oi | %{get-childitem "\\$_\c`$\iis\logfiles\w3svc1" -include *.log –recurse |?{$_.LastWriteTime –gt (get-date).AddDays(-X)} | select-string -pattern 'LinkedMasterAccount Alias'} > outfile.txt

Please note for the above script you will need to change the following values.

DC this would be used for any data-center that might be listed within the name space of the CAS servers provided your environment has multiple cas.  

Change -X to the number of day's you would like to search back for.

Linked Master Account Alias should be SamAccountName.

I'd search by pulling the IIS logs as there should be an entire for the log in attempt.

Please let me know if you have any questions on this.

Also very important the search path is the default location for the IIS logs. If this has been changed you would need to update the path to search on the CAS servers.

Author Comment

ID: 39208922
Here is an update.

Upon logging on the users machine, I noticed 3 active Outlook 2010 Windows. Two windows displayed as "needing password", and the third was connected fine. I have to assume at some point, whatever was preventing outlook from connecting, or whatever exchange needed ended up being supplied.

For arguments sake, as this machine is static, I removed "cached mode". Password was reset to something more simple, though I wouldn't say the password was too complex to begin with.

Currently I don't have any more errors showing up, though, I would expect to see them tomorrow if something were to go wrong again, or at least that seems to be the trend.

I did shutdown/restart, login/out several times without any issues with the account, passwords, or outlook. But again, I didn't yesterday either, so we'll see what tomorrow brings.

I will try to pull an IIS log using the script above. Not sure I will know what I'm looking for, but I can certainly post the results.

Author Comment

ID: 39208961
Hey  bigj8705, is the SamAccountName, just the login name of my user?

Expert Comment

by:Jeffery Hayes
ID: 39209758
LinkedMasterAccount name will work as well. Domain\username. Use the username.

Also you would be looking at two values mostly.

scWin32Status Codes = 
scStatus Codes= 

For example if you see the status code 1326 for scWin32Status it would report the active sync device is causing an issue.

Author Comment

ID: 39210786
I altered the script accordingly, but it fails. This is what I entered, and what I got as a reply:

PS Z:\> $oi = get-clientaccessserver | ?{$_.Name -like "*FS1-SERVER.SERVER.LOCAL*"}; $oi | %{get-childitem "\\$_\c`$\iis\logfi
les\w3svc1" -include *.log -recurse |?{$_.LastWriteTime -gt (get-date).AddDays(-10)} | select-string -pattern 'SERVER\lstel
ling'} > outfile.txt

Get-ChildItem : Cannot find path '\\\c$\iis\logfiles\w3svc1' because it does not exist.
At line:1 char:93
+ $oi = get-clientaccessserver | ?{$_.Name -like "*FS1-SERVER.SERVER.LOCAL*"}; $oi | %{get-childitem <<<<  "\\$_\c`$\iis\logf
iles\w3svc1" -include *.log -recurse |?{$_.LastWriteTime -gt (get-date).AddDays(-10)} | select-string -pattern 'SERVER\lst
elling'} > outfile.txt
    + CategoryInfo          : ObjectNotFound: (\\\c$\iis\logfiles\w3svc1:String) [Get-ChildItem], ItemNotFoundExceptio
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

Expert Comment

by:Jeffery Hayes
ID: 39211476
Looks like the file path might be different.

To determine where your IIS log files are stored, please perform the following steps on your server.
I assume you are using IIS 7.0
1. Go to Start -> Control Panel -> Administrative Tools
2. Run Internet Information Services (IIS).
3. Find your Web site under the tree on the left.
4. Click the virtual directory, such as OWA. Then double click “Logging” on the result pane.
5. You can see the location of the log under “Directory”.
As default it is “%systemDriver%\Interpub\logs\logfiles”

Author Comment

ID: 39211598
This is the exact path I have.


Expert Comment

by:Jeffery Hayes
ID: 39212215
Sorry the environment I work is I guess one off.

I would simply open the log files then for the day in question and search by Ctrl+f and looking for the users alias.

Accepted Solution

tjwo94 earned 0 total points
ID: 39243183
Sorry for waiting so long to update, but I needed time to monitor the changes I had made.

I manually opened the IIS logs and didn't find any error for the days I was having issues.

I made a couple of changes, that for now, seem to have taken care of the issues.

1.) Removed some cached credentials on the users Win 7 machine.
2.) Removed cached mode option from outlook 2010 exchange account
3.) Adjusted the domain lockout policy to Microsoft standards.
4.) Searched the registry for all entries pertaining to the old DC and deleted them from the
     Win 7 machine.

It has been a couple of weeks now and I have yet to have any issues with this user or any others. I'm not 100% confident one or any of my attempts here are the answer, but I will continue to monitor accordingly.
Thank you both for the fantastic assistance, I really appreciate it.

Author Closing Comment

ID: 39252621
So far so good.

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Preparing an email is something we should all take special care with – especially when the email is for somebody you may not know very well. The pressures of everyday working life stacked with a hectic office environment can make this a real challen…
A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
how to add IIS SMTP to handle application/Scanner relays into office 365.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question