Major Account Lockout Issue | Android - Exchange Related

We have been experiencing issues with a single user constantly getting locked out in AD due to too many invalid login attempts.

User: CONTOSO\BEvans

When using the LockoutStatusTool we keep seeing the source of the user's lockout originating from the Exchange 2013 Server. So I look at the IIS logs and search for the user, and find the following basically every 2-4 minutes.

2015-07-16 00:03:03 10.122.4.123 OPTIONS /Microsoft-Server-ActiveSync/default.eas Cmd=OPTIONS&User=CONTOSO%2BEvans&DeviceId=androidc653041497&DeviceType=Android&CorrelationID=<empty>;&cafeReqId=c3f5fe61-f6c2-4d79-b9db-7074a261dc9b; 443 contoso/bevans 24.3.212.236 Android/0.3 - 401 1 1326 327

To me, this is stating that an Android device is trying to connect with invalid credentials... seeing that it's a 401 error code.

The user has turned off his Samsung device for 4 hours and we continue to see these same logs and the user continues to get locked out every few mins.

I have tried searching for the specific DeviceID via PowerShell on the Exchange server, to see if it's even listed or possibly another employee's device, but it's not found.

I've tried turning off ActiveSync access on the mailbox, this also doesn't solve the issue...

The IP shown in the logs doesn't change (24.3.212.236) and when doing a reverse lookup, it seems to be some Comcast ISP device. Not one of ours nor our ISP.

It's like there's an Android device that's constantly trying to connect with his invalid/expired creds. Can we stop it somehow?

I'm out of ideas, does anyone know what else I could try? Open to suggestions...

BTW the employee states that he has no other mobile devices at all. The Samsung that we turned off for 4 hours was the only device.

Thanks.
Christian Hans (Undecided...) Asked:
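
One way to tally the failed ActiveSync logons described in the question, as an added example that is not part of the original post. The field order is assumed from the quoted log line, the function name `Get-EasLogonFailure` is hypothetical, and every sample line except the quoted one is constructed.

```powershell
# Field order assumed from the log line quoted in the question; check the #Fields
# header of your own IIS logs, since the set of logged fields is configurable.
$fields = 'date','time','s-ip','cs-method','cs-uri-stem','cs-uri-query','s-port',
          'cs-username','c-ip','cs(User-Agent)','cs(Referer)',
          'sc-status','sc-substatus','sc-win32-status','time-taken'

# $quoted is the line from the question; the other sample lines are constructed from it.
$quoted = '2015-07-16 00:03:03 10.122.4.123 OPTIONS /Microsoft-Server-ActiveSync/default.eas Cmd=OPTIONS&User=CONTOSO%2BEvans&DeviceId=androidc653041497&DeviceType=Android&CorrelationID=<empty>;&cafeReqId=c3f5fe61-f6c2-4d79-b9db-7074a261dc9b; 443 contoso/bevans 24.3.212.236 Android/0.3 - 401 1 1326 327'
$lines = @(
    $quoted
    $quoted -replace '00:03:03','00:06:10'
    $quoted -replace '00:03:03','00:09:02'
    # constructed: a different device that authenticates successfully (filtered out below)
    $quoted -replace '00:03:03','00:04:00' -replace 'androidc653041497','androidEXAMPLE01' -replace '24\.3\.212\.236','203.0.113.10' -replace ' 401 1 1326 ',' 200 0 0 '
)

function Get-EasLogonFailure {
    param([string[]]$Line, [string[]]$Field)
    foreach ($l in $Line) {
        if ($l.StartsWith('#')) { continue }            # W3C header lines
        $v = $l -split ' '
        if ($v.Count -ne $Field.Count) { continue }     # unexpected layout, skip
        $r = @{}
        for ($i = 0; $i -lt $Field.Count; $i++) { $r[$Field[$i]] = $v[$i] }
        if ($r['cs-uri-stem'] -notlike '/Microsoft-Server-ActiveSync/*') { continue }
        if ($r['sc-status'] -ne '401') { continue }
        $id = if ($r['cs-uri-query'] -match 'DeviceId=([^&;]+)') { $Matches[1] } else { '-' }
        [pscustomobject]@{
            Time      = [datetime]::ParseExact("$($r['date']) $($r['time'])",
                            'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            User      = $r['cs-username']
            DeviceId  = $id
            ClientIP  = $r['c-ip']
            UserAgent = $r['cs(User-Agent)']
            Win32     = $r['sc-win32-status']           # 1326 = ERROR_LOGON_FAILURE
        }
    }
}

# One row per user/device/source, with the failure count and the first and last time seen.
Get-EasLogonFailure -Line $lines -Field $fields |
    Group-Object User, DeviceId, ClientIP, UserAgent, Win32 |
    ForEach-Object {
        $g = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            User = $g[0].User; DeviceId = $g[0].DeviceId; ClientIP = $g[0].ClientIP
            Win32 = $g[0].Win32; Failures = $g.Count; First = $g[0].Time; Last = $g[-1].Time
        }
    } | Sort-Object Failures -Descending | Format-Table -AutoSize
```

On a server, replace `$lines` with `Get-Content` over the real IIS log files; the grouped output shows whether the failures come from one device ID and address repeating at a steady interval or from several sources.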

Steven Carnahan (Network Manager) Commented:
Is the Samsung a recent purchase? Perhaps due to a lost/stolen device?
Christian Hans (Undecided...) Author Commented:
Apparently the device hasn't changed in many months, this issue started happening about a week ago. We have since not just shut off the device to test, but also removed the email accounts associated with the company.
Wayne88 Commented:
Is it Exchange 2010 or newer? You can use the Allow/Block/Quarantine feature:

Controlling Exchange ActiveSync device access using the Allow/Block/Quarantine list
Steven Carnahan (Network Manager) Commented:
I did some checking and that address, 24.3.212.236, does come back as Comcast out of Saint Clairsville, Ohio.
Christian Hans (Undecided...) Author Commented:
It's Exchange 2013 CU6 (can't go higher until Cisco UM has been updated).

I'm new a few weeks in, so imagine my shock to see that we don't have MDM nor quarantining in place... (I know!)

I guess I'm glad it's not affecting more than one user.
Wayne88 Commented:
Securing Exchange Data from Unapproved Mobile Devices (or how to block a phone or service from taking data out of your Exchange Server)

http://blogs.technet.com/b/exchange/archive/2008/09/05/3406212.aspx
Steven Carnahan (Network Manager) Commented:
If the connection is coming in through a firewall or router you could put in a rule to block traffic from that address. That is a temporary fix until the device acquires a new IP address but would tell you if it is an actual device and if it is a valid user they will complain. :)
Christian Hans (Undecided...) Author Commented:
I'm going to try to change the user's AD Account Login to something else. I realize this will probably create a new profile on the user's computer and I'll have to copy the old profile to the new one, but at least the account won't get locked out since the domain\username will be different... I think...
Christian Hans (Undecided...) Author Commented:
We ended up changing the user's credentials and account name...