Imap4.exe Continuously Causing Account Lockout (4625) on Exchange 2013
Yes, possibly time related if the workstations are out of sync with the servers. What do the event logs say?
This is what is in the event log on the mail server:
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: user123
Source Workstation: MAIL
Error Code: 0xc0000064
There are plenty of them, but all the times are correct.
I also get lockouts for non-user accounts.
What's the event code for that?
Is that a bona fide account trying to log in?
Event ID 4776
I changed the name for security purposes.
Is the source workstation the same?
If so, is it used for RDP, OWA and/or ActiveSync?
Main Exchange server.
All the accounts exist; that's the weird part.
Are they missing the domain part?
In the error log it doesn't show the domain part.
Checked the domain part; that's true, it is not present.
If passwords were changed recently then mobile phone users may still be using the old password.
Look in the ActiveSync IIS log, normally C:\inetpub\logs\LogFiles\W3SVC1.
Some of the accounts are just room mailboxes, no phones.
You can check the following areas:
Control Panel\Credential Manager.
Any mapped drives that use the "with credentials" option (just disconnect them all and reconnect them).
Check any services that you may have set up under your login that may contain a password.
Did you check the IIS logs on your Exchange server?
You can use the Microsoft LockoutStatus tool to get the information on when the user account got locked (date and time).
Apart from this you will also get information like on which DC the account got locked, how many bad passwords, AD site, etc.
Here is another informative article to track the source and cause of account lockout:
https://www.lepide.com/how-to/identify-the-source-of-account-lockouts-in-active-directory.html
Been digging into this all weekend; this is what I have gotten to so far:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: MAIL$
Account Domain: MYDOMAIN.COM
Logon ID: 0x3e7
Logon Type: 8
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: jdoe@mydomain.com
Account Domain:
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0x4cdc
Caller Process Name: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe
Network Information:
Workstation Name: MAIL
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
So it looks like they are trying the IMAP account with the wrong password.
No, the IMAP service is off.
Check the system processes, or rename C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe to .old.
Are they all legitimate accounts trying to log in, or are there ones like Admin, Guest, etc.?
All legit; using Netwrix Lockout to unlock all at the same time.
Changed the exe to .old; still an issue.
Any additional services that email people or Terminal Services?
Logon Type 8 is clear-text password, so any API or web services running?
OK, killed the process; it was running a few times. Got them all now, just have to wait for lockouts; it happens at the top of the hour.
Nick3663, thanks for using the Netwrix Account Lockout Examiner tool! Try to investigate the IIS logs on your Exchange server; probably you will find lots of bad logon attempts from external IP addresses.
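The checks suggested in this thread (filter the 4625s on the mail server to Logon Type 8 and the Imap4.exe caller, look for the top-of-the-hour pattern, then look at the IIS log under C:\inetpub\logs\LogFiles\W3SVC1 for bad logons by client IP) can be done in one pass. The script below is an added example, not code from the original thread or from Microsoft; it assumes an elevated PowerShell session on the Exchange server, a 24-hour lookback window and the default IIS log path, and reads the 4625 fields by name from the event XML rather than by position.

```powershell
# Added example (not from the thread). Pull 4625 failures from the local Security log,
# keep Logon Type 8 (network cleartext, what IMAP/POP basic auth produces),
# and group them by caller process, target account and hour.
# Assumptions: elevated session on the Exchange server, 24-hour lookback.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # Field names come from the event's own XML (TargetUserName, LogonType, ProcessName, ...).
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time          = $e.TimeCreated
        Hour          = $e.TimeCreated.ToString('yyyy-MM-dd HH:00')
        TargetUser    = $data['TargetUserName']
        TargetDomain  = $data['TargetDomainName']
        LogonType     = [int]$data['LogonType']
        SubStatus     = $data['SubStatus']      # 0xC000006A bad password, 0xC0000064 no such user
        CallerProcess = $data['ProcessName']
        SourceIP      = $data['IpAddress']     # "-" when a local service made the call
    }
}

$type8 = $failures | Where-Object { $_.LogonType -eq 8 }

"Type 8 failures by caller process:"
$type8 | Group-Object CallerProcess | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

"Accounts and sub-status hit by Microsoft.Exchange.Imap4.exe:"
$type8 | Where-Object { $_.CallerProcess -like '*Microsoft.Exchange.Imap4.exe' } |
    Group-Object TargetUser, SubStatus | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

"Type 8 failures per hour (a spike at :00 points at a scheduled job or a client polling on the hour):"
$type8 | Group-Object Hour | Sort-Object Name | Format-Table Name, Count -AutoSize

# IIS side: 401 responses in the front-end W3SVC1 log, grouped by client IP and URI stem.
# The column order is read from each file's #Fields: header, so the log format does not matter.
$logDir = 'C:\inetpub\logs\LogFiles\W3SVC1'   # assumption: default log location
$hits = foreach ($f in Get-ChildItem $logDir -Filter '*.log' | Sort-Object LastWriteTime -Descending | Select-Object -First 2) {
    $fields = $null
    foreach ($line in Get-Content $f.FullName) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $v   = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $v.Count; $i++) { $row[$fields[$i]] = $v[$i] }
        if ($row['sc-status'] -eq '401') {
            [pscustomobject]@{ ClientIP = $row['c-ip']; Uri = $row['cs-uri-stem']; User = $row['cs-username'] }
        }
    }
}
"401 responses by client IP and URI (external addresses here mean password guessing, not a stale client):"
$hits | Group-Object ClientIP, Uri | Sort-Object Count -Descending | Select-Object -First 20 | Format-Table Count, Name -AutoSize
```

Two things to read from the output. A 4625 whose caller is a local Exchange process shows Workstation Name MAIL and Source Network Address "-", exactly as the event posted above does, so the Security log alone will not tell you which IMAP client sent the bad password; the client address is only in the IMAP protocol log (Set-ImapSettings -ProtocolLogEnabled $true, then read the files under the server's Logging\Imap4 directory). And a 4625 on the Exchange server does not by itself prove that server is the lockout source: the DC that logged the 4740 names the caller computer, which is what LockoutStatus and the Netwrix examiner mentioned above report.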
Seems to be an ongoing issue in Exchange 2013. I will have to get with Microsoft's Exchange team and see if there is a fix; see this article:
https://social.technet.microsoft.com/Forums/en-US/53e09580-8a77-4467-8042-6aa628fa5504/audit-failure...
Unless someone has had this issue and resolved it.
Source: https://community.spiceworks.com/topic/2123229-exchange-2013-locking-out-all-users-constantly