We have been experiencing issues with a single user constantly getting locked out in AD due to too many invalid login attempts.
When using the LockoutStatusTool we keep seeing the source of the user's lockout originating from the Exchange 2013 Server. So I look at the IIS logs and search for the user, and find the following basically every 2-4 minutes.
2015-07-16 00:03:03 10.122.4.123 OPTIONS /Microsoft-Server-ActiveSync/default.eas Cmd=OPTIONS&User=CONTOSO%2BEvans&DeviceId=androidc653041497&DeviceType=Android&CorrelationID=<empty>;&cafeReqId=c3f5fe61-f6c2-4d79-b9db-7074a261dc9b; 443 contoso/bevans 18.104.22.168 Android/0.3 - 401 1 1326 327
To me, this is stating that an Android device is trying to connect with invalid credentials... seeing that it's a 401 error code.
The user has turned off his Samsung device for 4 hours and we continue to see these same logs and the user continues to get locked out every few mins.
I have tried searching for the specific DeviceID via PowerShell on the Exchange server, to see if it's even listed or possibly another employee's device, but it's not found.
I've tried turning off ActiveSync access on the mailbox, this also doesn't solve the issue...
The IP shown in the logs doesn't change (22.214.171.124) and when doing a reverse lookup, it seems to be some Comcast ISP device. Not one of ours nor our ISP.
It's like there's an Android device that's constantly trying to connect with his invalid/expired creds. Can we stop it somehow?
I'm out of ideas, does anyone know what else I could try? Open to suggestions...
BTW the employee states that he has no other mobile devices at all. The Samsung that we turned off for 4 hours was the only device.
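Added example, not part of the original post: a Python sketch that groups rejected ActiveSync logons in an IIS W3C log by username, DeviceId and client IP, so the source behind a lockout stands out. The sample log, its #Fields order, the account names and the addresses are constructed assumptions, and failed_eas_logons is a hypothetical helper name.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample (not from the post). The #Fields order is an assumption
# chosen to match the layout of the log line quoted in the post.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2015-07-16 00:03:03 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync/default.eas Cmd=OPTIONS&User=CONTOSO%5Cjdoe&DeviceId=androidc000000001&DeviceType=Android 443 contoso/jdoe 203.0.113.10 Android/0.3 - 401 1 1326 327
2015-07-16 00:05:41 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync/default.eas Cmd=OPTIONS&User=CONTOSO%5Cjdoe&DeviceId=androidc000000001&DeviceType=Android 443 contoso/jdoe 203.0.113.10 Android/0.3 - 401 1 1326 310
2015-07-16 00:06:00 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=CONTOSO%5Casmith&DeviceId=iphone000000002&DeviceType=iPhone 443 contoso/asmith 198.51.100.7 Apple-iPhone - 200 0 0 95
2015-07-16 00:07:00 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync/default.eas Cmd=OPTIONS&DeviceId=iphone000000002&DeviceType=iPhone 443 - 198.51.100.7 Apple-iPhone - 401 2 5 12
2015-07-16 00:08:12 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync/default.eas Cmd=OPTIONS&User=CONTOSO%5Cjdoe&DeviceId=androidc000000001&DeviceType=Android 443 contoso/jdoe 203.0.113.10 Android/0.3 - 401 1 1326 298
"""

def failed_eas_logons(log_text):
    """Group ActiveSync bad-credential responses by (user, DeviceId, client IP)."""
    fields = []
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        parts = line.split(" ")
        if line.startswith("#") or len(parts) != len(fields):
            continue                       # other directives, blank or malformed rows
        row = dict(zip(fields, parts))
        # 401 with Win32 status 1326 (ERROR_LOGON_FAILURE) means credentials were
        # presented and rejected; an anonymous 401 challenge is not a bad password.
        if row["sc-status"] != "401" or row["sc-win32-status"] != "1326":
            continue
        if not row["cs-uri-stem"].lower().startswith("/microsoft-server-activesync"):
            continue
        device = parse_qs(row["cs-uri-query"]).get("DeviceId", ["-"])[0]
        g = groups[(row["cs-username"].lower(), device, row["c-ip"])]
        stamp = row["date"] + " " + row["time"]
        g["count"] += 1
        g["first"] = min(g["first"] or stamp, stamp)
        g["last"] = max(g["last"] or stamp, stamp)
    # Noisiest source first: the (device, IP) pair most likely driving the lockouts.
    return sorted(groups.items(), key=lambda kv: kv[1]["count"], reverse=True)

if __name__ == "__main__":
    for (user, device, ip), g in failed_eas_logons(SAMPLE_LOG):
        print(user, device, ip, g["count"], g["first"], g["last"])
```

The first and last timestamps per group show whether the failures continue while a known device is powered off, which separates that device from another client presenting the same account.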