
I have an AD user account that is being repeatedly and frequently locked out. I have been able to trace the lockout to the Exchange server CAS array; however, I am at a loss as to how to continue the investigation. The event logs on the Exchange (2013) servers indicate the lockout was sourced from msExchangeFrontEndTransport.exe but do not indicate what source the original auth request came from. I really would like to know any of the following (the more the better): source of auth IP/computer name, source of auth method (i.e. webmail, ActiveSync, Outlook client, etc.).

The event log, from what I've been able to dig through, does not indicate anything that would help track the origination point of the bad auth request. I'm 90% sure that I've ruled out any of the user's portable devices, as at one point we powered off all the user's devices and the lockout still occurred. This has been happening for weeks now, with over 600 auth attempts per day. I've renamed the user account as a workaround, but I really want to determine where this is coming from for security purposes. This is the only account to be suffering in this way. Any ideas would be greatly appreciated!

NorthVandea
  • That exe is an SMTP "proxy", so perhaps a mis-configured home computer that's pinging with the wrong password? – Nathan C Jun 02 '14 at 18:13
  • With that many attempts per day it's bound to be a mobile device or remote app. Turn up the logging level on the servers and then check the log details again. – TheCleaner Jun 02 '14 at 18:21
  • It's remotely possible that someone is trying to get into your SMTP to use it as a relay too... though that's unlikely – Chris S Jun 02 '14 at 18:23

1 Answer


Look at the IIS logs on the CAS server, which will point you in the right direction. A common problem is a user with multiple devices that try to connect with an out of date password and lock out the account. However, it could be abuse.

2012-01-10 14:42:26 172.32.22.12 POST /Microsoft-Server-ActiveSync/default.eas User=ratishnair&DeviceId=Appl8xxxxx4S&DeviceType=iPhone&Cmd=FolderSync&Log=PrxFrom:10.123.33.88_Error:BackingOffMailboxServer_ 443 CONTOSO\CAS01$ 10.123.33.88 Apple-iPhone3C1/901.405 503 0 0 765

Log entry quoted from http://msexchangeguru.com/2012/02/01/exchange-activesync/

This shows the client IP, user name and device.

John Auld
  • Thanks for the suggestion John, this looked promising but I am not able to locate any activity from the problem account in the IIS logs on either Exchange Transport server. – NorthVandea Jun 23 '14 at 19:41
  • Not on the Transport Server, on the Client Access Servers (CAS) – Chris S Oct 03 '14 at 17:30
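The answer above says to pull the client IP, user name and device out of the CAS IIS logs. As an added example (not part of the original answer, and not code from the asker or answerer), the script below does that mechanically: it reads IIS W3C logs using their own #Fields header, filters requests for one account, and ranks client IP / protocol / device / user agent combinations by how many HTTP 401 (authentication failure) responses they produced, which is what will be driving the lockout counter. The sample log is constructed for this example; it embeds the line quoted in the answer plus invented entries for a hypothetical account jdoe using documentation IP ranges. The field order in the #Fields line is an assumption about the logging configuration; real logs carry their own header, which the parser honours. By default, IIS writes the Default Web Site (the Exchange 2013 front-end site) logs under C:\inetpub\logs\LogFiles\W3SVC1 on each CAS.

```python
"""Rank the sources of authentication attempts for one account in Exchange CAS IIS logs."""
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample log in IIS W3C format (assumption: this field order).
# Line 1 is the entry quoted in the answer; the jdoe lines and IPs are invented.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 8.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-01-10 14:42:26 172.32.22.12 POST /Microsoft-Server-ActiveSync/default.eas User=ratishnair&DeviceId=Appl8xxxxx4S&DeviceType=iPhone&Cmd=FolderSync&Log=PrxFrom:10.123.33.88_Error:BackingOffMailboxServer_ 443 CONTOSO\CAS01$ 10.123.33.88 Apple-iPhone3C1/901.405 503 0 0 765
2012-01-10 14:43:02 172.32.22.12 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=ABC123DEF456&DeviceType=iPhone&Cmd=Ping 443 - 198.51.100.23 Apple-iPhone5C2/1002.329 401 1 2148074254 15
2012-01-10 14:43:09 172.32.22.12 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=ABC123DEF456&DeviceType=iPhone&Cmd=Ping 443 - 198.51.100.23 Apple-iPhone5C2/1002.329 401 1 2148074254 12
2012-01-10 14:43:40 172.32.22.12 GET /owa/ - 443 CONTOSO\jdoe 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1)+Firefox/26.0 200 0 0 120
2012-01-10 14:44:15 172.32.22.12 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=ABC123DEF456&DeviceType=iPhone&Cmd=Ping 443 - 198.51.100.23 Apple-iPhone5C2/1002.329 401 1 2148074254 14
"""


def parse_iis_log(text):
    """Return one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header names are space separated
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")  # IIS encodes spaces inside values as '+'
        if len(values) != len(fields):
            continue  # truncated/mismatched line: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def user_of(row):
    """Account name: prefer the ActiveSync User= parameter (present even on 401s),
    otherwise cs-username with the DOMAIN\\ prefix stripped."""
    query = parse_qs(row.get("cs-uri-query", ""))
    if query.get("User"):
        return query["User"][0].lower()
    name = row.get("cs-username", "-")
    return "" if name == "-" else name.rsplit("\\", 1)[-1].lower()


def protocol_of(row):
    """Protocol bucket from the first path segment (Microsoft-Server-ActiveSync, owa, ews, ...)."""
    stem = row.get("cs-uri-stem", "/")
    return stem.strip("/").split("/")[0] or "/"


def auth_sources(rows, account):
    """Count requests for `account` per (client IP, protocol, device id, user agent);
    the second counter holds only HTTP 401 responses."""
    totals, failures = Counter(), Counter()
    for row in rows:
        if user_of(row) != account.lower():
            continue
        query = parse_qs(row.get("cs-uri-query", ""))
        key = (row["c-ip"], protocol_of(row),
               query.get("DeviceId", ["-"])[0], row.get("cs(User-Agent)", "-"))
        totals[key] += 1
        if row.get("sc-status") == "401":
            failures[key] += 1
    return totals, failures


def likely_lockout_source(rows, account):
    """The source with the most 401s for the account, or None if it never failed auth."""
    totals, failures = auth_sources(rows, account)
    if not failures:
        return None
    key, failed = failures.most_common(1)[0]
    return {"client_ip": key[0], "protocol": key[1], "device_id": key[2],
            "user_agent": key[3], "failed": failed, "total": totals[key]}


if __name__ == "__main__":
    import sys
    # Usage: python find_lockout_source.py <account> [u_ex120110.log ...]; no files = sample data
    account = sys.argv[1] if len(sys.argv) > 1 else "jdoe"
    text = "".join(open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[2:]) or SAMPLE_LOG
    print(likely_lockout_source(parse_iis_log(text), account))
```

On the sample data the result for jdoe is the ActiveSync device ABC123DEF456 at 198.51.100.23 with three 401s, while the OWA session from 203.0.113.7 authenticated successfully and is not implicated. Run against real logs from every CAS in the array, since the proxying server logged in the Log=PrxFrom field may differ from the one that first received the request.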