How to get public IP address of the device used to login Exchange 2013/2016 through OWA/active sync/ MS Outlook 2010/2013/2016 in case of failed attempt

Akash Bansal
Someone attempts to log in through ActiveSync, Outlook over the web or Outlook 2013/2016 at MS Exchange 2016/2013/2010 and enters a few wrong passwords, due to which his account gets locked out at Active Directory (Server 2012 R2/2016). (All servers are on premises.)
To verify whether some unauthorized user is making the attempts, how can I find the IP address, the workstation/device name or other possible details of the user?


Please guide.
Commented:
First check the phone: when a user has to change the password, they do forget their phone ;)

Exchange logs login attempts, could you check the log files?
timgreen7077, Exchange Engineer
Distinguished Expert 2018

Commented:
If you know the user name they are attempting to use but fail with, you can look at the IIS logs on each of the Exchange servers; they can give you some of the info. You will have to search all of the IIS logs for that user name.
EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017
Commented:
Hi Akash,
The easiest solution will be to install Exchange Reporter Plus from ManageEngine.
https://www.manageengine.com/products/exchange-reports/

You can see the logs from IIS.
1. Go to Start -> Control Panel -> Administrative Tools
2. Run Internet Information Services (IIS).
3. Find your Web site under the tree on the left.
4. Click the virtual directory, such as OWA or ActiveSync. Then double-click "Logging" on the result pane.
5. You can see the location of the log under "Directory".
By default it is "%SystemDrive%\Inetpub\logs\LogFiles", i.e. C:\inetpub\logs\LogFiles

Filter the logs to only include access to the OWA URL.
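A script version of the IIS-log filtering described above, added here as an example and not taken from the thread: it reads the W3C "#Fields:" header so column positions do not matter, keeps only 401 responses to the Exchange authentication endpoints, and groups them by client IP. The log lines are constructed samples and $AuthPaths is an assumed list; on Exchange 2013/2016 the Default Web Site (W3SVC1) is the site that records the real client address, because the Exchange Back End site only ever sees the front end's own IP.

```powershell
# Added example: list client IPs behind failed OWA / ActiveSync / Outlook Anywhere
# requests in IIS W3C logs. Column names follow the IIS logging defaults.
# Constructed sample lines; replace with Get-Content over u_ex*.log from W3SVC1
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2018-05-14 09:12:31 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.45 Mozilla/5.0 401 1 2148074254 15
2018-05-14 09:12:40 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=ABC123&DeviceType=iPhone 443 - 198.51.100.7 Apple-iPhone 401 1 2148074252 3
2018-05-14 09:13:02 10.0.0.5 GET /owa/ - 443 CONTOSO\jdoe 203.0.113.45 Mozilla/5.0 200 0 0 120
'@ -split "`r?`n"

function Get-FailedExchangeLogons {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        # Assumed list of authentication endpoints worth watching
        [string[]]$AuthPaths = @('/owa/auth.owa', '/Microsoft-Server-ActiveSync', '/rpc/rpcproxy.dll', '/mapi/')
    )
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # The header names the columns; it can repeat mid-file if logging settings change
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if (-not $fields -or $line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        $isAuthPath = $AuthPaths | Where-Object { $row['cs-uri-stem'] -like "$_*" }
        if (-not $isAuthPath -or $row['sc-status'] -ne '401') { continue }
        # ActiveSync puts the user in the query string even when the password was wrong
        $user = $row['cs-username']
        if ($row['cs-uri-query'] -match '(?:^|&)User=([^&]+)') { $user = $Matches[1] }
        [pscustomobject]@{
            Time      = "$($row['date']) $($row['time'])"
            ClientIP  = $row['c-ip']
            User      = $user
            Path      = $row['cs-uri-stem']
            UserAgent = $row['cs(User-Agent)']
        }
    }
}

# Many 401s from one address = the device or host to look at first
Get-FailedExchangeLogons -Lines $sampleLog |
    Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
```

On a real server, pass `-Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log')` instead of the sample; a single IP with a burst of 401s just before the lockout time is the one to correlate with the user's devices.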

Akash Bansal, IT Professional

Author

Commented:
Thanks MAS for sharing the solution, which I believe should work. Do you know any other reporting tool that is free for SMBs, or anything that costs very little?
Akash Bansal, IT Professional

Author

Commented:
https://www.jijitechnologies.com/ is very useful for other Active Directory auditing, but for Exchange they are unable to meet my mentioned requirements.
Adam Brown, Senior Systems Admin
Top Expert 2010

Commented:
Also note that if you have a load balancer, the IPs that get reported to the Exchange server *may* end up being the load balancer. If that's the case, you'll have to examine the logs on the load balancer to get the original IP address. Cross reference the lockout time and check the load balancer's logs at that time.
Akash Bansal, IT Professional

Author

Commented:
I do not have any load balancer and have a single instance of the Exchange server with all the Exchange roles installed.
Daryl Gawn, System Administrator

Commented:
Check this location on the server: C:\inetpub\logs\LogFiles\W3SVC1
Akash Bansal, IT Professional

Author

Commented:
@MAS
https://www.manageengine.com/products/exchange-reports/download-free.html?lhs
The product you suggested has a free version too, for up to 25 mailboxes.
:)
MAS, EE Solution Guide - Technical Dept Head
Most Valuable Expert 2017

Commented:
Thanks for sharing the update.
You can try using Microsoft's Account Lockout and Management Tools.

Administrative Tools --> Event Viewer. Go to Windows Logs --> Security and then on the right go to Filter Current Log... There you find what IP it was coming from.

https://community.spiceworks.com/topic/2148871-find-ip-address-of-mail-server-brute-force
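The Event Viewer filter above driven from PowerShell, added here as an example that is not part of the thread: it reads failed-logon events (ID 4625) from the Security log of the given server and pulls the source IP, workstation and failure reason out of each event's data. It assumes failure auditing for logon events is enabled on that server and that jdoe is a placeholder account; the domain controllers record the lockout itself as event 4740, whose Caller Computer Name field names the machine that sent the bad passwords, which for OWA/ActiveSync is the Exchange server rather than the end device.

```powershell
# Added example: failed-logon sources (event 4625) from the Security log.
# Assumes Audit Logon failure auditing is enabled, otherwise no events exist.
function Get-FailedLogonSources {
    param(
        [string]$User,                            # sAMAccountName to filter on; empty = all users
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME  # Exchange server, or a DC
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Named event data is only reachable through the XML view of the event
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $d['TargetUserName']
                Domain      = $d['TargetDomainName']
                SourceIP    = $d['IpAddress']       # '-' when the logon did not arrive over the network
                Workstation = $d['WorkstationName']
                LogonType   = $d['LogonType']       # 3 = network, 8 = NetworkCleartext (basic/forms auth)
                Status      = $d['Status']          # 0xC0000234 = account locked out
                SubStatus   = $d['SubStatus']       # 0xC000006A = wrong password
                Process     = $d['ProcessName']
            }
        } |
        Where-Object { -not $User -or $_.User -eq $User }
}

# Which address/workstation pairs produced the failures for the locked-out account
Get-FailedLogonSources -User 'jdoe' -Hours 48 |
    Group-Object SourceIP, Workstation | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```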
Akash Bansal, IT Professional

Author

Commented:
Thank you @austin.
As per the link provided by you, it says: "netsh trace on our Exchange server when the authentication attempts were happening."

So the solution may work when we run the netsh command exactly when the brute force or the failed login is happening; thus this would not solve the purpose.
Akash Bansal, IT Professional

Author

Commented:
Now I guess we need to focus on IIS logs; nothing to do with AD or Exchange logs.

1. On the taskbar, click Server Manager.
2. In Server Manager, click the Manage menu, and then click Add Roles and Features.
3. In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next.
4. On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Health and Diagnostics, and then select Tracing. Click Next.
5. On the Select features page, click Next.
6. On the Confirm installation selections page, click Install.
7. On the Results page, click Close.

1. Open Internet Information Services (IIS) Manager.
2. In the Connections pane, select the server connection, site, application, or directory for which you want to configure failed request tracing.
3. In the Actions pane, click Failed Request Tracing.
4. In the Edit Web Site Failed Request Tracing Settings dialog box, select the Enable check box to enable tracing, leave the default value or type a new directory where you want to store failed request log files in the Directory box, type the number of failed request trace files you want to store in the Maximum number of trace files box, and then click OK.

1. Open Internet Information Services (IIS) Manager.
2. In the Connections pane, select the server connection, site, application, or directory for which you want to configure failed request tracing.
3. In the Home pane, double-click Failed Request Tracing Rules.
4. In the Actions pane, click Add.
5. On the Specify Content to Trace page of the Add Failed Request Tracing Rule Wizard, select the content type you want to trace, and then click Next.
6. On the Define Trace Conditions page, select the conditions you want to trace, and then click Next. Trace conditions can include any combination of status codes, a time limit that a request should take, or the event severity.
   Status codes for Access Denied/Logon Failure: 401.1, 401.2, 401.3, 401.4, 401.5.
   If you specify all conditions, the first condition that is met generates the failed request trace log file. Access more status codes here.
7. On the Select Trace Providers page, select one or more of the trace providers under Providers, or select "All".
8. On the Select Trace Providers page, select one or more of the verbosity levels under Verbosity.
9. If you have selected the ASPNET or WWW Server trace provider in step 7, select one or more functional areas for the provider to trace under Areas of the Select Trace Providers page.
10. Click Finish.
Akash Bansal, IT Professional

Author

Commented:
Thank you all for taking out your valuable time to support me.
It will really help me reach the required solution.
