Solved

Exchange Problem or IIS Problem or perhaps both?

Posted on 2013-05-30
Last Modified: 2013-06-17
I received this Audit Failure this morning 5 times.

Once at 8:20:02
Twice at 8:20:15
Twice at 8:20:27

It's referencing IIS and also a domain user, and the user's account domain appears to be Exchange related.

I have been experiencing unusual account lockout issues with this user, which I believe we have resolved as of yesterday.

This event is new and I have never seen it before, and research on it at this point hasn't turned up anything specific or useful.

Can anyone shed light on this?

A couple of things I noticed that appear odd: for this user, his workstation IP is the one referenced (10.10.1.76); however, the workstation name listed is not his, it's the name of my SBS 2011 DC.

Thanks!

Here is one of the event logs:

An account failed to log on.

Subject:
      Security ID:            IIS APPPOOL\DefaultAppPool
      Account Name:            DefaultAppPool
      Account Domain:            IIS APPPOOL
      Logon ID:            0x93428

Logon Type:                  8

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            user1
      Account Domain:            mail.mydomain.com

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc0000064

Process Information:
      Caller Process ID:      0x1fcc
      Caller Process Name:      C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
      Workstation Name:      Servername
      Source Network Address:      10.10.1.76
      Source Port:            51409

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
Question by:tjwo94
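
The event above, decoded field by field, as an added example that is not part of the original thread. The function and table names are made up for illustration, the event text is abridged from the question, and the meanings are the standard Windows logon-type and NTSTATUS values.

```powershell
# Event text abridged from the question (field values as posted)
$eventText = @'
Subject:
      Account Name:            DefaultAppPool
Logon Type:                  8
Account For Which Logon Failed:
      Account Name:            user1
      Account Domain:            mail.mydomain.com
Failure Information:
      Status:                  0xc000006d
      Sub Status:            0xc0000064
Process Information:
      Caller Process Name:      C:\Windows\System32\inetsrv\w3wp.exe
Network Information:
      Workstation Name:      Servername
      Source Network Address:      10.10.1.76
'@

# Lookup tables (hypothetical names); hashtable string keys are case-insensitive
$logonType = @{ 2='Interactive'; 3='Network'; 4='Batch'; 5='Service'; 7='Unlock'
                8='NetworkCleartext'; 10='RemoteInteractive'; 11='CachedInteractive' }
$ntStatus = @{ '0xC000006D'='logon failure'; '0xC0000064'='user name does not exist'
               '0xC000006A'='wrong password'; '0xC0000234'='account locked out'
               '0xC0000072'='account disabled'; '0xC0000071'='password expired' }

function ConvertFrom-LogonFailureText {
    param([Parameter(Mandatory=$true)][string]$Text)
    $section = ''; $f = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        # "Name:" alone opens a section; an unindented "Name: value" is top-level
        if ($line -match '^(\S[^:]*):\s*$') { $section = $Matches[1]; continue }
        if ($line -match '^(\s*)([^:]+):\s+(\S.*)$') {
            if (-not $Matches[1]) { $section = '' }
            $f[("$section/" + $Matches[2]).TrimStart('/')] = $Matches[3].Trim()
        }
    }
    $failed = 'Account For Which Logon Failed'
    New-Object psobject -Property @{
        Target      = $f["$failed/Account Domain"] + '\' + $f["$failed/Account Name"]
        LogonType   = $logonType[[int]$f['Logon Type']]
        Status      = $ntStatus[$f['Failure Information/Status']]
        SubStatus   = $ntStatus[$f['Failure Information/Sub Status']]
        Caller      = $f['Process Information/Caller Process Name']
        SourceIp    = $f['Network Information/Source Network Address']
        Workstation = $f['Network Information/Workstation Name']
    }
}

ConvertFrom-LogonFailureText $eventText | Format-List
```

Logon type 8 with w3wp.exe as the caller means the IIS worker process on the server submitted the credentials in clear text, which is why the workstation name is the server while the source address is the client. The sub status says the name `user1` was not found in the domain that was supplied, `mail.mydomain.com`.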
13 Comments

Expert Comment

by:PaulD77
Have you tried setting a simple password for the user and seeing if the same error comes up? Take a look at this:

http://stackoverflow.com/questions/9785641/iis-windows-authentication-rejecting-some-users

Author Comment

by:tjwo94
I have not, but I will try that. Another piece of information, the user indicated no issues logging in today, however, their Outlook 2010 is disconnected from exchange and periodically prompting for credentials.

Yesterday, we noticed the user had cached credentials for his email in the Windows 7 Credential Manager, so we removed them. This seems to have fixed his issue with the account being locked out, and at the time we reset his password as well, and his exchange was working without issue.

I'm about to head out to be onsite for troubleshooting, and I'll let you know what happens with a more simple password like 123 or something.

Let me know if this added information sparks any other ideas.

Thanks!

Expert Comment

by:PaulD77
hmmm well a few simple steps first before digging into IIS.

Remove his account from outlook and add it again, ask Outlook to store his Exchange password, etc. and see if that at least allows him to remain connected to Exchange

Expert Comment

by:Jeffery Hayes
I'd start by pulling the IIS Logs.

This can be done a couple of different ways, but I like using PowerShell to pull the logs for the user.


# Find the Client Access server(s) whose name matches, then search their IIS logs
$oi = Get-ClientAccessServer | ?{ $_.Name -like "*DC*" }
$oi | %{
    Get-ChildItem "\\$_\c`$\iis\logfiles\w3svc1" -Include *.log -Recurse |
        ?{ $_.LastWriteTime -gt (Get-Date).AddDays(-X) } |
        Select-String -Pattern 'LinkedMasterAccount Alias'
} > outfile.txt


Please note that for the above script you will need to change the following values.

DC: this would be used for any data center that might be listed within the namespace of the CAS servers, provided your environment has multiple CAS.

Change -X to the number of days you would like to search back.

LinkedMasterAccount Alias should be the SamAccountName.

I'd search by pulling the IIS logs, as there should be an entry for the login attempt.

Please let me know if you have any questions on this.

Also, very important: the search path is the default location for the IIS logs. If this has been changed, you would need to update the path to search on the CAS servers.

Author Comment

by:tjwo94
Here is an update.

Upon logging on to the user's machine, I noticed 3 active Outlook 2010 windows. Two windows displayed as "needing password", and the third was connected fine. I have to assume at some point, whatever was preventing Outlook from connecting, or whatever Exchange needed, ended up being supplied.

For argument's sake, as this machine is static, I removed "cached mode". Password was reset to something more simple, though I wouldn't say the password was too complex to begin with.

Currently I don't have any more errors showing up, though, I would expect to see them tomorrow if something were to go wrong again, or at least that seems to be the trend.

I did shutdown/restart, login/out several times without any issues with the account, passwords, or outlook. But again, I didn't yesterday either, so we'll see what tomorrow brings.

I will try to pull an IIS log using the script above. Not sure I will know what I'm looking for, but I can certainly post the results.

Author Comment

by:tjwo94
Hey bigj8705, is the SamAccountName just the login name of my user?

Expert Comment

by:Jeffery Hayes
LinkedMasterAccount name will work as well. Domain\username. Use the username.

Also you would be looking at two values mostly.

scWin32Status Codes = http://msdn.microsoft.com/en-us/library/ms681381.aspx
scStatus Codes= http://support.microsoft.com/kb/943891

For example if you see the status code 1326 for scWin32Status it would report the active sync device is causing an issue.
 
ERROR_LOGON_FAILURE 1326 (0x52E)

Author Comment

by:tjwo94
I altered the script accordingly, but it fails. This is what I entered, and what I got as a reply:


PS Z:\> $oi = get-clientaccessserver | ?{$_.Name -like "*FS1-SERVER.SERVER.LOCAL*"}; $oi | %{get-childitem "\\$_\c`$\iis\logfi
les\w3svc1" -include *.log -recurse |?{$_.LastWriteTime -gt (get-date).AddDays(-10)} | select-string -pattern 'SERVER\lstel
ling'} > outfile.txt

Get-ChildItem : Cannot find path '\\\c$\iis\logfiles\w3svc1' because it does not exist.
At line:1 char:93
+ $oi = get-clientaccessserver | ?{$_.Name -like "*FS1-SERVER.SERVER.LOCAL*"}; $oi | %{get-childitem <<<<  "\\$_\c`$\iis\logf
iles\w3svc1" -include *.log -recurse |?{$_.LastWriteTime -gt (get-date).AddDays(-10)} | select-string -pattern 'SERVER\lst
elling'} > outfile.txt
    + CategoryInfo          : ObjectNotFound: (\\\c$\iis\logfiles\w3svc1:String) [Get-ChildItem], ItemNotFoundExceptio
   n
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

Expert Comment

by:Jeffery Hayes
Looks like the file path might be different.

To determine where your IIS log files are stored, please perform the following steps on your server.
I assume you are using IIS 7.0
1. Go to Start -> Control Panel -> Administrative Tools
2. Run Internet Information Services (IIS).
3. Find your Web site under the tree on the left.
4. Click the virtual directory, such as OWA. Then double click “Logging” on the result pane.
5. You can see the location of the log under “Directory”.
As default it is “%systemDriver%\Interpub\logs\logfiles”

Author Comment

by:tjwo94
This is the exact path I have.


C:\inetpub\logs\LogFiles\

Expert Comment

by:Jeffery Hayes
Sorry, the environment I work in is, I guess, a one-off.

I would simply open the log files for the day in question and search with Ctrl+F for the user's alias.
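
One way to run that search over the logs instead of by hand, as an added example that is not code from the thread: it reads the `#Fields` header, keeps failed requests for one user and reports the two values mentioned earlier, sc-status and sc-win32-status. The log lines are constructed, and `Find-IisFailedRequest` and `$win32` are made-up names.

```powershell
# Constructed sample in W3C extended log format (not taken from the thread's server)
$sample = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2013-05-30 13:20:02 POST /EWS/Exchange.asmx - 10.10.1.76 401 2 5
2013-05-30 13:20:15 POST /EWS/Exchange.asmx mail.mydomain.com\user1 10.10.1.76 401 1 1326
2013-05-30 13:21:40 POST /EWS/Exchange.asmx SERVER\user1 10.10.1.76 200 0 0
'@ -split "`r?`n"

# A few Win32 logon error codes; 1326 is the one quoted in the thread
$win32 = @{ 1326='ERROR_LOGON_FAILURE'; 1330='ERROR_PASSWORD_EXPIRED'
            1331='ERROR_ACCOUNT_DISABLED'; 1909='ERROR_ACCOUNT_LOCKED_OUT' }

function Find-IisFailedRequest {
    param([Parameter(Mandatory=$true)][string[]]$Line,
          [Parameter(Mandatory=$true)][string]$UserName)
    $fields = @()
    foreach ($l in $Line) {
        # The #Fields directive names the columns; it can differ between files
        if ($l -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ($l -match '^#' -or -not $l.Trim()) { continue }
        $values = $l.Trim() -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # no header yet, or damaged line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        # Literal match, so the backslash in DOMAIN\user is not read as a regex escape
        if ($row['cs-username'] -notmatch [regex]::Escape($UserName)) { continue }
        if ([int]$row['sc-status'] -lt 400) { continue }     # keep only failed requests
        New-Object psobject -Property @{
            Time     = "$($row['date']) $($row['time'])"
            User     = $row['cs-username']
            ClientIp = $row['c-ip']
            Url      = $row['cs-uri-stem']
            Http     = "$($row['sc-status']).$($row['sc-substatus'])"
            Win32    = [int]$row['sc-win32-status']
            Meaning  = $win32[[int]$row['sc-win32-status']]
        }
    }
}

# Real logs: -Line (Get-ChildItem 'C:\inetpub\logs\LogFiles' -Recurse -Filter *.log | Get-Content)
Find-IisFailedRequest -Line $sample -UserName 'user1' |
    Format-Table Time, User, ClientIp, Http, Win32, Meaning
```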

Accepted Solution

by:tjwo94
Sorry for waiting so long to update, but I needed time to monitor the changes I had made.

I manually opened the IIS logs and didn't find any error for the days I was having issues.

I made a couple of changes, that for now, seem to have taken care of the issues.

1.) Removed some cached credentials on the user's Win 7 machine.
2.) Removed cached mode option from the Outlook 2010 Exchange account.
3.) Adjusted the domain lockout policy to Microsoft standards.
4.) Searched the registry for all entries pertaining to the old DC and deleted them from the Win 7 machine.

It has been a couple of weeks now and I have yet to have any issues with this user or any others. I'm not 100% confident one or any of my attempts here are the answer, but I will continue to monitor accordingly.
Thank you both for the fantastic assistance, I really appreciate it.

Author Closing Comment

by:tjwo94
So far so good.