How to get the public IP address of the device used to log in to Exchange 2013/2016 through OWA / ActiveSync / MS Outlook 2010/2013/2016 in case of a failed attempt

Someone attempts to log in through ActiveSync, Outlook on the web or Outlook 2013/2016 at MS Exchange 2016/2013/2010 and enters a few wrong passwords, due to which his account gets locked out at Active Directory (Server 2012 R2/2016). (All servers are on premises.)
To verify whether some unauthorized user is making the attempts, how can I find the IP address, the workstation/device name or other possible details of the user?


Please guide.
Akash Bansal, IT Professional, asked:

engeltje commented:
First check the phone: when a user has to change the password, they do forget their phone ;)

Exchange logs login attempts; could you check the log files?
0
timgreen7077, Exchange Engineer, commented:
If you know the user name they are attempting to use but failing with, you can look at the IIS logs on each of the Exchange servers, and they can give you some of the info. You will have to search all of the IIS logs for that user name.
0
MAS (MVE), EE Solution Guide - Technical Dept Head, commented:
Hi Akash,
The easiest solution will be to install Exchange Reporter Plus from ManageEngine.
https://www.manageengine.com/products/exchange-reports/

You can see the logs from IIS.
1. Go to Start -> Control Panel -> Administrative Tools
2. Run Internet Information Services (IIS).
3. Find your Web site under the tree on the left.
4. Click the virtual directory, such as OWA or ActiveSync. Then double-click "Logging" in the result pane.
5. You can see the location of the log under "Directory".
By default it is "%SystemDrive%\Inetpub\logs\LogFiles", i.e. C:\inetpub\logs\LogFiles

Filter the logs to only include access to the OWA URL.
1
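One way to do the search both of the answers above describe (finding a user name in the IIS logs and reading the client address from the matching lines), as an added PowerShell example that is not code from the thread: it reads the W3C `#Fields:` header to locate the columns, keeps only 401 responses in which the presented user name matches, and groups the hits by client IP. The user name, addresses, device ID and log lines are constructed sample values.

```powershell
# Added example, not code from the thread: parse IIS W3C log lines for HTTP 401 hits by one
# user and summarise the client IPs that presented that user name. Sample lines are constructed.
function Find-FailedLogons {
    param([string[]]$Lines, [string]$User)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {          # header row names the columns for this file
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if (-not $fields -or $line.StartsWith('#') -or -not $line.Trim()) { continue }
        $v = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $v.Count; $i++) { $row[$fields[$i]] = $v[$i] }
        # 401 = credentials rejected; IIS still records the user name that was presented
        if ($row['sc-status'] -eq '401' -and $row['cs-username'] -like "*$User*") {
            [pscustomobject]@{
                Time   = "$($row['date']) $($row['time'])"
                Client = $row['c-ip']        # behind a load balancer this is the LB address
                Path   = $row['cs-uri-stem'] # /Microsoft-Server-ActiveSync, /mapi/..., /owa/...
                Agent  = $row['cs(User-Agent)']
            }
        }
    }
}

# Constructed sample in the default IIS layout (real files: C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log)
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2019-03-04 08:01:10 10.0.0.5 POST /Microsoft-Server-ActiveSync User=akash&DeviceId=ABC123 443 CONTOSO\akash 203.0.113.7 Apple-iPhone9C1/1605.69 401 1 2148074254 12
2019-03-04 08:01:15 10.0.0.5 POST /Microsoft-Server-ActiveSync User=akash&DeviceId=ABC123 443 CONTOSO\akash 203.0.113.7 Apple-iPhone9C1/1605.69 401 1 2148074254 9
2019-03-04 08:02:00 10.0.0.5 POST /mapi/emsmdb/ MailboxId=placeholder 443 CONTOSO\akash 198.51.100.22 Microsoft+Office/16.0 401 1 2148074254 15
2019-03-04 08:02:30 10.0.0.5 GET /owa/ - 443 CONTOSO\bob 192.0.2.9 Mozilla/5.0 200 0 0 8
'@ -split "`r?`n"

Find-FailedLogons -Lines $sample -User 'akash' |
    Group-Object Client | Sort-Object Count -Descending |
    Select-Object @{n='ClientIP'; e={ $_.Name }}, Count,
                  @{n='Last';     e={ ($_.Group | Select-Object -Last 1).Time }},
                  @{n='Paths';    e={ ($_.Group.Path | Sort-Object -Unique) -join ', ' }},
                  @{n='Agents';   e={ ($_.Group.Agent | Sort-Object -Unique) -join ', ' }} |
    Format-Table -AutoSize
```

Against real logs, pass the file contents instead of the sample, e.g. `Find-FailedLogons -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex190304.log') -User 'akash'`, and run it on every Exchange server's log directory.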


Akash Bansal, IT Professional, Author, commented:
Thanks MAS for sharing the solution, which I believe should work. Do you know any other reporting tool that is free for SMBs or that may cost very little?
0
Akash Bansal, IT Professional, Author, commented:
https://www.jijitechnologies.com/ is very useful for other Active Directory auditing, but for Exchange they are unable to meet my mentioned requirements.
0
Adam Brown, Sr Solutions Architect, commented:
Also note that if you have a load balancer, the IPs that get reported to the Exchange server *may* end up being the load balancer. If that's the case, you'll have to examine the logs on the load balancer to get the original IP address. Cross reference the lockout time and check the load balancer's logs at that time.
0
Akash Bansal, IT Professional, Author, commented:
I do not have any load balancer and have a single instance of the Exchange server with all the Exchange roles installed.
0
Daryl Gawn, System Administrator, commented:
Check this location on the server: C:\inetpub\logs\LogFiles\W3SVC1
0
Akash Bansal, IT Professional, Author, commented:
@MAS
https://www.manageengine.com/products/exchange-reports/download-free.html?lhs
The product you suggested has a free version too, for up to 25 mailboxes.
:)
0
MAS (MVE), EE Solution Guide - Technical Dept Head, commented:
Thanks for sharing the update.
0
austin minor commented:
You can try using Microsoft's Account Lockout and Management Tools.

Administrative Tools --> Event Viewer. Go to Windows Logs --> Security, and then on the right go to Filter Current Log... There you find what IP it was coming from.

https://community.spiceworks.com/topic/2148871-find-ip-address-of-mail-server-brute-force
0
Akash Bansal, IT Professional, Author, commented:
Thank you @austin.
As per the link provided by you, it says: "netsh trace on our Exchange server when the authentication attempts were happening."

So the solution may work only when we run the netsh command exactly when the brute force or the failed login is happening; thus this would not solve the purpose.
0
Akash Bansal, IT Professional, Author, commented:
Now I guess we need to focus on IIS logs; nothing to do with AD or Exchange logs.

Install the Tracing feature:
1. On the taskbar, click Server Manager.
2. In Server Manager, click the Manage menu, and then click Add Roles and Features.
3. In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next.
4. On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Health and Diagnostics, and then select Tracing. Click Next.
5. On the Select features page, click Next.
6. On the Confirm installation selections page, click Install.
7. On the Results page, click Close.

Enable failed request tracing:
1. Open Internet Information Services (IIS) Manager.
2. In the Connections pane, select the server connection, site, application, or directory for which you want to configure failed request tracing.
3. In the Actions pane, click Failed Request Tracing.
4. In the Edit Web Site Failed Request Tracing Settings dialog box, select the Enable check box to enable tracing, leave the default value or type a new directory where you want to store failed request log files in the Directory box, type the number of failed request trace files you want to store in the Maximum number of trace files box, and then click OK.

Add a failed request tracing rule:
1. Open Internet Information Services (IIS) Manager.
2. In the Connections pane, select the server connection, site, application, or directory for which you want to configure failed request tracing.
3. In the Home pane, double-click Failed Request Tracing Rules.
4. In the Actions pane, click Add.
5. On the Specify Content to Trace page of the Add Failed Request Tracing Rule Wizard, select the content type you want to trace, and then click Next.
6. On the Define Trace Conditions page, select the conditions you want to trace, and then click Next. Trace conditions can include any combination of status codes, a time limit that a request should take, or the event severity.
   Status codes for Access Denied/Logon Failure: 401.1, 401.2, 401.3, 401.4, 401.5.
   If you specify all conditions, the first condition that is met generates the failed request trace log file.
7. On the Select Trace Providers page, select one or more of the trace providers under Providers, or select "All".
8. On the Select Trace Providers page, select one or more of the verbosity levels under Verbosity.
9. If you selected the ASPNET or WWW Server trace provider in step 7, select one or more functional areas for the provider to trace under Areas on the Select Trace Providers page.
10. Click Finish.
0
Akash Bansal, IT Professional, Author, commented:
Thank you all for taking out your valuable time to support me.
It will really help me to reach the required solution.
0