Exchange Problem or IIS Problem or perhaps both?

I received this Audit Failure this morning 5 times.

Once at 8:20:02
Twice at 8:20:15
Twice at 8:20:27

It's referencing IIS and also a domain user, and the user's account domain appears to be Exchange related.

I have been experiencing unusual account lockout issues with this user, which I believe we have resolved as of yesterday.

This event is new and I have never seen it before, and research on it at this point hasn't turned up anything specific or useful.

Can anyone shed light on this?

A couple of things I noticed that appear odd, for this user, his workstation IP is the one referenced (, however, the workstation name listed is not his, it's the name of my SBS 2011 DC.


Here is one of the event logs:

An account failed to log on.

      Security ID:            IIS APPPOOL\DefaultAppPool
      Account Name:            DefaultAppPool
      Account Domain:            IIS APPPOOL
      Logon ID:            0x93428

Logon Type:                  8

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            user1
      Account Domain:  

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc0000064

Process Information:
      Caller Process ID:      0x1fcc
      Caller Process Name:      C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
      Workstation Name:      Servername
      Source Network Address:
      Source Port:            51409

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
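
An added example, not part of the original post: a PowerShell summary of recent 4625 events raised through the IIS worker process, decoding the fields shown above (Logon Type 8 is NetworkCleartext; Sub Status 0xc0000064 means the user name was not found). The 24-hour window and the grouping columns are assumptions.

```powershell
# Added example: summarise recent 4625 failures raised through w3wp.exe.
# Run elevated on the server that logged the event (Security log needs admin).
$logonTypes = @{ '2'='Interactive'; '3'='Network'; '4'='Batch'; '5'='Service'; '7'='Unlock'
                 '8'='NetworkCleartext'; '10'='RemoteInteractive'; '11'='CachedInteractive' }
$ntStatus = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'user name is correct, password is wrong'
    '0xc000006d' = 'generic logon failure (see SubStatus)'
    '0xc000006f' = 'outside permitted logon hours'
    '0xc0000070' = 'workstation restriction'
    '0xc0000071' = 'password expired'
    '0xc0000072' = 'account disabled'
    '0xc0000193' = 'account expired'
    '0xc0000234' = 'account locked out'
}

# Assumption: look back one day; widen StartTime as needed.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) }
$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten <EventData><Data Name="...">value</Data> into a name/value table.
    $d = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) {
        $d[$n.GetAttribute('Name')] = $n.InnerText
    }
    # Keep only failures whose caller process is the IIS worker.
    if ($d['ProcessName'] -notlike '*\w3wp.exe') { return }
    $sub = "$($d['SubStatus'])".ToLower()
    New-Object PSObject -Property @{
        Time        = $_.TimeCreated
        Target      = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        AppPool     = $d['SubjectUserName']
        LogonType   = $logonTypes[$d['LogonType']]
        SubStatus   = $sub
        Meaning     = $ntStatus[$sub]
        SourceIP    = $d['IpAddress']
        Workstation = $d['WorkstationName']
    }
}

# One line per distinct target / source / reason, most frequent first.
$rows | Group-Object Target, SourceIP, LogonType, Meaning |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The Workstation field is the machine where the logon call was made, which for w3wp.exe is the IIS server itself, while SourceIP is the client that connected to IIS.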
tjwo94Author Commented:
Sorry for waiting so long to update, but I needed time to monitor the changes I had made.

I manually opened the IIS logs and didn't find any error for the days I was having issues.

I made a couple of changes, that for now, seem to have taken care of the issues.

1.) Removed some cached credentials on the user's Win 7 machine.
2.) Removed the cached mode option from the Outlook 2010 Exchange account.
3.) Adjusted the domain lockout policy to Microsoft standards.
4.) Searched the registry for all entries pertaining to the old DC and deleted them from the Win 7 machine.

It has been a couple of weeks now and I have yet to have any issues with this user or any others. I'm not 100% confident one or any of my attempts here are the answer, but I will continue to monitor accordingly.
Thank you both for the fantastic assistance, I really appreciate it.
Have you tried setting a simple password for the user and seeing if the same error comes up? Take a look at this:
tjwo94Author Commented:
I have not, but I will try that. Another piece of information, the user indicated no issues logging in today, however, their Outlook 2010 is disconnected from Exchange and periodically prompting for credentials.

Yesterday, we noticed the user had cached credentials for his email in the Windows 7 Credential Manager, so we removed them. This seems to have fixed his issue with the account being locked out, and at the time we reset his password as well, and his Exchange was working without issue.

I'm about to head out to be onsite for troubleshooting, and I'll let you know what happens with a more simple password like 123 or something.

Let me know if this added information sparks any other ideas.

hmmm well a few simple steps first before digging into IIS.

Remove his account from outlook and add it again, ask Outlook to store his Exchange password, etc. and see if that at least allows him to remain connected to Exchange
Jeffery HayesSystem Support Technician Commented:
I'd start by pulling the IIS Logs.

This can be done a couple different ways but I like using Powershell to pull the logs for the user.

$oi = get-clientaccessserver | ?{$_.Name -like "*DC*"}; $oi | %{get-childitem "\\$_\c`$\iis\logfiles\w3svc1" -include *.log -recurse |?{$_.LastWriteTime -gt (get-date).AddDays(-X)} | select-string -pattern 'LinkedMasterAccount Alias'} > outfile.txt

Please note for the above script you will need to change the following values.

DC: this would be used for any data center that might be listed within the namespace of the CAS servers, provided your environment has multiple CAS.

Change -X to the number of days you would like to search back for.

Linked Master Account Alias should be SamAccountName.

I'd search by pulling the IIS logs, as there should be an entry for the login attempt.

Please let me know if you have any questions on this.

Also very important the search path is the default location for the IIS logs. If this has been changed you would need to update the path to search on the CAS servers.
tjwo94Author Commented:
Here is an update.

Upon logging on to the user's machine, I noticed 3 active Outlook 2010 windows. Two windows displayed as "needing password", and the third was connected fine. I have to assume at some point, whatever was preventing Outlook from connecting, or whatever Exchange needed, ended up being supplied.

For argument's sake, as this machine is static, I removed "cached mode". Password was reset to something more simple, though I wouldn't say the password was too complex to begin with.

Currently I don't have any more errors showing up, though, I would expect to see them tomorrow if something were to go wrong again, or at least that seems to be the trend.

I did shutdown/restart, login/out several times without any issues with the account, passwords, or outlook. But again, I didn't yesterday either, so we'll see what tomorrow brings.

I will try to pull an IIS log using the script above. Not sure I will know what I'm looking for, but I can certainly post the results.
tjwo94Author Commented:
Hey bigj8705, is the SamAccountName just the login name of my user?
Jeffery HayesSystem Support Technician Commented:
LinkedMasterAccount name will work as well. Domain\username. Use the username.

Also you would be looking at two values mostly.

scWin32Status Codes = 
scStatus Codes= 

For example if you see the status code 1326 for scWin32Status it would report the active sync device is causing an issue.
tjwo94Author Commented:
I altered the script accordingly, but it fails. This is what I entered, and what I got as a reply:

PS Z:\> $oi = get-clientaccessserver | ?{$_.Name -like "*FS1-SERVER.SERVER.LOCAL*"}; $oi | %{get-childitem "\\$_\c`$\iis\logfiles\w3svc1" -include *.log -recurse |?{$_.LastWriteTime -gt (get-date).AddDays(-10)} | select-string -pattern 'SERVER\lstelling'} > outfile.txt

Get-ChildItem : Cannot find path '\\\c$\iis\logfiles\w3svc1' because it does not exist.
At line:1 char:93
+ $oi = get-clientaccessserver | ?{$_.Name -like "*FS1-SERVER.SERVER.LOCAL*"}; $oi | %{get-childitem <<<<  "\\$_\c`$\iis\logfiles\w3svc1" -include *.log -recurse |?{$_.LastWriteTime -gt (get-date).AddDays(-10)} | select-string -pattern 'SERVER\lstelling'} > outfile.txt
    + CategoryInfo          : ObjectNotFound: (\\\c$\iis\logfiles\w3svc1:String) [Get-ChildItem], ItemNotFoundExceptio
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
Jeffery HayesSystem Support Technician Commented:
Looks like the file path might be different.

To determine where your IIS log files are stored, please perform the following steps on your server.
I assume you are using IIS 7.0.
1. Go to Start -> Control Panel -> Administrative Tools
2. Run Internet Information Services (IIS).
3. Find your Web site under the tree on the left.
4. Click the virtual directory, such as OWA. Then double click “Logging” on the result pane.
5. You can see the location of the log under “Directory”.
As default it is “%systemDriver%\Interpub\logs\logfiles”
tjwo94Author Commented:
This is the exact path I have.

Jeffery HayesSystem Support Technician Commented:
Sorry, the environment I work in is, I guess, a one-off.

I would simply open the log files then for the day in question and search with Ctrl+F, looking for the user's alias.
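
The log search suggested in this thread, as an added example that is not part of any poster's reply: a PowerShell script run locally on the IIS server that finds log lines mentioning the user's alias and maps each one onto the columns named in the file's own #Fields header. $LogRoot (the IIS 7.x default location), $Alias and $Days are assumptions to adjust.

```powershell
# Added example: search local IIS W3C logs for a user alias and summarise results.
$LogRoot = Join-Path $env:SystemDrive 'inetpub\logs\LogFiles'  # assumption: IIS 7.x default
$Alias   = 'user1'                                             # placeholder alias
$Days    = 10                                                  # how far back to look

$hits = Get-ChildItem -Path $LogRoot -Filter *.log -Recurse |
  Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
  ForEach-Object {
    $fields = @()
    foreach ($line in Get-Content -LiteralPath $_.FullName) {
      # The #Fields directive names the columns and can change within one file.
      if ($line.StartsWith('#Fields: ')) {
        $fields = $line.Substring(9).Split(' ')
        continue
      }
      if ($line.StartsWith('#') -or $fields.Count -eq 0) { continue }
      # Match the alias anywhere in the line (user name column or query string).
      if ($line -notmatch [regex]::Escape($Alias)) { continue }
      $values = $line.Split(' ')
      if ($values.Count -ne $fields.Count) { continue }   # skip truncated lines
      $row = @{}
      for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
      New-Object PSObject -Property $row
    }
  }

# Which client, URL and agent produced which status codes, most frequent first.
# sc-status 401 with sc-win32-status 1326 is Win32 ERROR_LOGON_FAILURE;
# sc-win32-status 1909 is ERROR_ACCOUNT_LOCKED_OUT.
$hits | Group-Object 'c-ip', 'cs-uri-stem', 'cs(User-Agent)', 'sc-status', 'sc-win32-status' |
  Sort-Object Count -Descending |
  Select-Object Count, Name |
  Format-Table -AutoSize -Wrap
```

Columns that are not enabled in the site's logging settings will be missing from #Fields and show up blank in the grouping.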
tjwo94Author Commented:
So far so good.
Question has a verified solution.
