How to determine source of failed login for Remote Web Workplace

I've had a lot of failed login lately via RWW on our SBS 2008 server. I find these in the Event Security log under event ID 4771 and I have a task created to send me a message when failures occur.

If someone on the local domain fails, the event shows a Client Address as one of the LAN workstations. However, for some questionable failures, the IP address is ::1. Clearly this tells me nothing. Is there a way to see the actual IP address from where this attempt is originating?
LVL 1
jmarkfoleyAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Cliff GaliherCommented:
You'll have to look at the IIS logs. The RWA website uses forms based authentication, so a user fills out a form and IIS attempts to authenticate against AD on behalf of the user so the IP is the local loopback address. That behavior is expected.

That means finding the source is a matter of digging through the IIS web logs though for the time of the authentication failure. Or use a log parsing tool.

I'll tell you now that RWA is on the net. Random IP scanners will find it and then attempt to exploit old (parched) IIS bugs to breach. Failed authents on RWA is unavoidable if you are offering remote access at all.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jmarkfoleyAuthor Commented:
Thanks, I'll check out the logfiles.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SBS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.