I received this Audit Failure this morning 5 times.
Once at 8:20:02
Twice at 8:20:15
Twice at 8:20:27
It's referencing IIS and also a domain user and the users account domain appears to be exchange related.
I have been experiencing unusual account lockout issues with this user, which I believe we have resolved as of yesterday.
This event is new and have never seen it before and research on it at this point hasn't turned up anything specific or useful.
Can anyone shed light on this?
A couple of things I noticed that appear odd, for this user, his workstation IP is the one referenced (10.10.1.76), however, the workstation name listed is not his, its the name of my SBS 2011 DC.
Here is one of the event logs:
An account failed to log on.
Security ID: IIS APPPOOL\DefaultAppPool
Account Name: DefaultAppPool
Account Domain: IIS APPPOOL
Logon ID: 0x93428
Logon Type: 8
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: user1
Account Domain: mail.mydomain.com
Failure Reason: Unknown user name or bad password.
Sub Status: 0xc0000064
Caller Process ID: 0x1fcc
Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe
Workstation Name: Servername
Source Network Address: 10.10.1.76
Source Port: 51409
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0