Computer Helper


Hundreds of failed logon attempts from itself 4625

I am getting hundreds of these and cannot figure out why.

Subject:
      Security ID:            SYSTEM
      Account Name:            ExchangeServerName$
      Account Domain:            Domainname
      Logon ID:            0x3e7

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            
      Account Domain:            

Failure Information:
      Failure Reason:            The specified user account has expired.
      Status:                  0xc0000193
      Sub Status:            0xc0000193

Process Information:
      Caller Process ID:      0x1774
      Caller Process Name:      C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
      Workstation Name:      ExchangeServerName
      Source Network Address:      -
      Source Port:            -

Detailed Authentication Information:
      Logon Process:            Authz  
      Authentication Package:      Kerberos
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0
Dr. Klahn

From here it looks like there may be somebody / something trying an exploit through IIS / the web server.

Caller Process Name:      C:\Windows\System32\inetsrv\w3wp.exe

"An Internet Information Services (IIS) worker process is a windows process (w3wp.exe) which runs Web applications, and is responsible for handling requests sent to a Web Server for a specific application pool. It is the worker process for IIS."

Diagnostic:  If the requests are coming fast and furious, disable IIS temporarily and see if the login attempts stop as well.

Has the system been thoroughly swept for viruses using the most sensitive setting on an up-to-date antivirus, and has Malwarebytes been run on it also?
Failure Reason:            The specified user account has expired.

A user account expired.
Maybe someone left the company and they have a phone or something still configured for a mailbox?
Whatever the case, a user account keeps trying to log in.
What Exchange role(s) are on this server?

disable IIS temporarily and see if the login attempts stop as well.

That would cause issues for other users connecting to Exchange.
Did you enable NTLM logging (not the normal success, failed logging options)? See here
Path: Computer Configuration\Windows Settings\Local Policies\Security Options
Setting: Network Security: Restrict NTLM: Audit Incoming NTLM Traffic
Value: Enable auditing for all accounts
Setting: Network security: Restrict NTLM: Audit NTLM authentication in this domain
Value:    Enable All

Then check Event Viewer, Applications and Services Log/Microsoft/Windows/NTLM
https://www.experts-exchange.com/articles/29305/Active-Directory-Locked-Account-Investigation-Process.html
Check for stale hidden credential. Remove any items that appear in the list of Stored User Names and Passwords.
Check IIS log files.
Also check scheduled task and services.

Get details here about Windows Security Log Event ID 4625: An account failed to log on

Get help from this earlier discussion: https://social.technet.microsoft.com/Forums/lync/en-US/cfd2d5ab-22ce-4567-b228-37e42dbf4b97/windows-failed-logon-attempts?forum=winserversecurity

You can audit the successful or failed logon and logoff attempts in the network using the audit policies:
https://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/

Also get help from this article to track locked out accounts and find the source:
https://www.lepide.com/how-to/identify-the-source-of-account-lockouts-in-active-directory.html

ASKER

The account expired is the same name as the workstation.  This is what has me stumped.
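
One way to narrow down the source discussed in this thread, as an added example that is not part of any post above: it tallies the 4625 events by caller process, status code and target account, then maps each w3wp.exe Caller Process ID to its IIS application pool. The 24-hour look-back window and the variable names are assumptions.

```powershell
# Added example, not from the thread. Run elevated on the server logging the 4625 events.
$Hours  = 24   # assumed look-back window
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }

$failures = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Read the named EventData fields from the event XML rather than parsing the message text.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        Target     = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        LogonType  = $data.LogonType
        Status     = $data.Status
        SubStatus  = $data.SubStatus
        CallerPid  = [Convert]::ToInt32($data.ProcessId, 16)   # logged as hex, e.g. 0x1774
        CallerName = $data.ProcessName
        SourceIp   = $data.IpAddress
    }
}

# Which caller process, status code and target account account for most of the failures?
$failures | Group-Object CallerName, Status, Target |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 | Format-Table -AutoSize

# Map running w3wp.exe PIDs to application pools (the pool name follows -ap on the command line).
$pools = @{}
Get-CimInstance Win32_Process -Filter "Name = 'w3wp.exe'" | ForEach-Object {
    if ($_.CommandLine -match '-ap\s+"([^"]+)"') { $pools[[int]$_.ProcessId] = $Matches[1] }
}

# Attribute the IIS-originated failures to a pool.
$failures | Where-Object { $_.CallerName -like '*\w3wp.exe' } |
    Group-Object CallerPid | ForEach-Object {
        [pscustomobject]@{
            CallerPid = $_.Name
            AppPool   = $pools[[int]$_.Name]   # empty if that worker process has since recycled
            Failures  = $_.Count
        }
    } | Format-Table -AutoSize
```

The application pool name shows which web application on the server is making the failing logon calls, which narrows down which IIS log files to compare against the event timestamps.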