Major Account Lockout Issue | Android - Exchange Related

We have been experiencing issues with a single user constantly getting locked out in AD due to too many invalid login attempts.

User: CONTOSO\BEvans

When using the LockoutStatusTool we keep seeing the source of the user's lockout originating from the Exchange 2013 Server. So I look at the IIS logs and search for the user, and find the following basically every 2-4 minutes.

2015-07-16 00:03:03 10.122.4.123 OPTIONS /Microsoft-Server-ActiveSync/default.eas Cmd=OPTIONS&User=CONTOSO%2BEvans&DeviceId=androidc653041497&DeviceType=Android&CorrelationID=<empty>;&cafeReqId=c3f5fe61-f6c2-4d79-b9db-7074a261dc9b; 443 contoso/bevans 24.3.212.236 Android/0.3 - 401 1 1326 327

To me, this is stating that an Android device is trying to connect with invalid credentials... seeing that it's a 401 error code.

The user has turned off his Samsung device for 4 hours and we continue to see these same logs and the user continues to get locked out every few mins.

I have tried searching for the specific DeviceID via PowerShell on the Exchange server, to see if it's even listed or possibly another employee's device, but it's not found.

I've tried turning off ActiveSync access on the mailbox, this also doesn't solve the issue...

The IP shown in the logs doesn't change (24.3.212.236) and when doing a reverse lookup, it seems to be some Comcast ISP device. Not one of ours nor our ISP.

It's like there's an Android device that's constantly trying to connect with his invalid/expired creds. Can we stop it somehow?

I'm out of ideas, does anyone know what else I could try? Open to suggestions...

BTW the employee states that he has no other mobile devices at all. The Samsung that we turned off for 4 hours was the only device.

Thanks.
Christian Hans Asked:
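
Added example (not part of the original post, and not Microsoft or Experts Exchange code): a Python version of the IIS log search described in the question, grouping failed ActiveSync logons by user, DeviceId and client IP so the repeating source stands out. It assumes the W3C field order in the constructed `#Fields` header; the function names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs

# First entry is the line quoted in the question; the header and the rest are constructed.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2015-07-16 00:03:03 10.122.4.123 OPTIONS /Microsoft-Server-ActiveSync/default.eas Cmd=OPTIONS&User=CONTOSO%2BEvans&DeviceId=androidc653041497&DeviceType=Android&CorrelationID=<empty>;&cafeReqId=c3f5fe61-f6c2-4d79-b9db-7074a261dc9b; 443 contoso/bevans 24.3.212.236 Android/0.3 - 401 1 1326 327
2015-07-16 00:05:33 10.122.4.123 OPTIONS /Microsoft-Server-ActiveSync/default.eas Cmd=OPTIONS&DeviceId=androidc653041497&DeviceType=Android 443 contoso/bevans 24.3.212.236 Android/0.3 - 401 1 1326 301
2015-07-16 00:09:03 10.122.4.123 OPTIONS /Microsoft-Server-ActiveSync/default.eas Cmd=OPTIONS&DeviceId=androidc653041497&DeviceType=Android 443 contoso/bevans 24.3.212.236 Android/0.3 - 401 1 1326 298
2015-07-16 00:07:00 10.122.4.123 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=jdoe&DeviceId=constructed0001&DeviceType=iPhone 443 contoso/jdoe 192.0.2.50 Apple-iPhone - 200 0 0 120
2015-07-16 00:04:00 10.122.4.123 OPTIONS /Microsoft-Server-ActiveSync/default.eas Cmd=OPTIONS&DeviceId=constructed0002&DeviceType=Android 443 contoso/asmith 198.51.100.7 Android/0.3 - 401 1 1326 310
"""

LOGON_FAILURES = {"1326", "1909"}  # Win32 ERROR_LOGON_FAILURE, ERROR_ACCOUNT_LOCKED_OUT

def parse_w3c(text):
    """Yield one dict per entry, naming columns from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed entries
                yield dict(zip(fields, values))

def failed_eas_sources(text):
    """Summarise failed ActiveSync logons per (user, DeviceId, client IP)."""
    hits = defaultdict(list)
    for e in parse_w3c(text):
        if "/microsoft-server-activesync" not in e["cs-uri-stem"].lower():
            continue
        if e["sc-status"] != "401" or e["sc-win32-status"] not in LOGON_FAILURES:
            continue
        device = parse_qs(e["cs-uri-query"]).get("DeviceId", ["?"])[0]
        when = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
        hits[(e["cs-username"].lower(), device, e["c-ip"])].append(when)
    report = []
    for (user, device, ip), times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = round(sum(gaps) / len(gaps)) if gaps else None  # seconds between failures
        report.append({"user": user, "device_id": device, "client_ip": ip,
                       "failures": len(times), "avg_gap_s": avg})
    return sorted(report, key=lambda r: -r["failures"])

if __name__ == "__main__":
    for row in failed_eas_sources(SAMPLE_LOG):
        print(row)
```

A steady `avg_gap_s` from one DeviceId and one client IP points to a single client retrying a stored password, which is the pattern the question describes.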

Steven Carnahan (Network Manager) Commented:
Is the Samsung a recent purchase? Perhaps due to a lost/stolen device?
0
Christian Hans (Author) Commented:
Apparently the device hasn't changed in many months, this issue started happening about a week ago. We have since not just shut off the device to test, but also removed the email accounts associated with the company.
0
Wayne88 Commented:
Is it Exchange 2010 or newer?  You can use the Allow/Block/Quarantine feature:

Controlling Exchange ActiveSync device access using the Allow/Block/Quarantine list
0

Steven Carnahan (Network Manager) Commented:
I did some checking and that address, 24.3.212.236, does come back as Comcast out of Saint Clairsville, Ohio.
0
Christian Hans (Author) Commented:
It's Exchange 2013 CU6 (can't go higher until Cisco UM has been updated).

I'm new, a few weeks in, so imagine my shock to see that we don't have MDM nor quarantining in place... (I know!)

I guess I'm glad it's not affecting more than one user.
0
Wayne88 Commented:
Securing Exchange Data from Unapproved Mobile Devices (or how to block a phone or service from taking data out of your Exchange Server)

http://blogs.technet.com/b/exchange/archive/2008/09/05/3406212.aspx
0
Steven Carnahan (Network Manager) Commented:
If the connection is coming in through a firewall or router you could put in a rule to block traffic from that address. That is a temporary fix until the device acquires a new IP address but would tell you if it is an actual device and if it is a valid user they will complain. :)
0
Christian Hans (Author) Commented:
I'm going to try to change the user's AD Account Login to something else. I realize this will probably create a new profile on the user's computer and I'll have to copy the old profile to the new one, but at least the account won't get locked out since the domain\username will be different... I think...
0
Christian Hans (Author) Commented:
We ended up changing the user's credentials and account name...
0