Major Account Lockout Issue | Android - Exchange Related
We have been experiencing issues with a single user constantly getting locked out in AD due to too many invalid login attempts.
User: CONTOSO\BEvans
When using the LockoutStatusTool we keep seeing the source of the users lockout originating from the Exchange 2013 Server. So I look at the IIS logs and search for the user, and find the following basically every 2-4 minutes.
2015-07-16 00:03:03 10.122.4.123 OPTIONS /Microsoft-Server-ActiveSy
To me, this is stating that an android device is trying to connect with invalid credentials... seeing that its a 401 error code.
The user has turned off his Samsung device for 4 hours and we continue to see these same logs and the users continues to get locked out every few mins.
I have tried searching for the specific DeviceID via powershell on the exchange server, to see if its even listed or possibly another employees device, but its not found.
Ive tried turning off ActiveSync access on the mailbox, this also doesn't solve the issue...
The IP show in the logs doesn't change (24.3.212.236) and when doing a reverse lookup, it seems to be some Comcast ISP device. Not one of ours nor our ISP.
Its like theres a Android device thats constantly trying to connect with his invalid/expired creds. Can we stop it somehow?
Im out of ideas, does anyone know what else I could try? Open to suggestions...
BTW the employee states that he has no other mobile devices as all. The Samsung that we turned off for 4 hours was the only device.
Thanks.
User: CONTOSO\BEvans
When using the LockoutStatusTool we keep seeing the source of the users lockout originating from the Exchange 2013 Server. So I look at the IIS logs and search for the user, and find the following basically every 2-4 minutes.
2015-07-16 00:03:03 10.122.4.123 OPTIONS /Microsoft-Server-ActiveSy
To me, this is stating that an android device is trying to connect with invalid credentials... seeing that its a 401 error code.
The user has turned off his Samsung device for 4 hours and we continue to see these same logs and the users continues to get locked out every few mins.
I have tried searching for the specific DeviceID via powershell on the exchange server, to see if its even listed or possibly another employees device, but its not found.
Ive tried turning off ActiveSync access on the mailbox, this also doesn't solve the issue...
The IP show in the logs doesn't change (24.3.212.236) and when doing a reverse lookup, it seems to be some Comcast ISP device. Not one of ours nor our ISP.
Its like theres a Android device thats constantly trying to connect with his invalid/expired creds. Can we stop it somehow?
Im out of ideas, does anyone know what else I could try? Open to suggestions...
BTW the employee states that he has no other mobile devices as all. The Samsung that we turned off for 4 hours was the only device.
Thanks.
Steven Carnahan
Is the Samsung a recent purchase? Perhaps due to a lost/stolen device?
ASKER
Apparently the device hasn't changed in many months, this issue started happening about a week ago. We have since not just shut off the device to test, but also removed the email accounts associated with the company.
Is it Exchange 2010 or newer? You can use the Allow/Block/Quarantine feature:
Controlling Exchange ActiveSync device access using the Allow/Block/Quarantine list
Controlling Exchange ActiveSync device access using the Allow/Block/Quarantine list
I did some checking and that address, 24.3.212.236 , does come back as Comcast out of Saint Clairsville, Ohio.
ASKER
Its Exchange 2013 CU6 (can't go higher until Cisco UM has been updated).
I'm new a few weeks in, so imagine my shock to see that we don't have MDM nor quarantining in place... (I know!)
I guess Im glad its not affecting more than one user.
I'm new a few weeks in, so imagine my shock to see that we don't have MDM nor quarantining in place... (I know!)
I guess Im glad its not affecting more than one user.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Im going to try to change the users AD Account Login to something else. I realize this will probably create a new profile on the users computer and Ill have to copy the old profile to the new one, but at least the account won't get locked out since the domain\username will be different... I think...
ASKER
We ended up changing the users credentials and account name...