Recurring Error: Event 14498, OCS Protocol Stack RRS feed

  • Question

  • We are getting this recurring error on our Front End servers:

    A significant number of authentication or authorization failures have occurred on messages for the account user@company.com and the first attempt was from the IP address nnn.nnn.nnn.nnn. 30 failures have been identified in the last 10 minutes. There have been 30 errors in total. Note: the user uri might have been truncated to 64 characters.

    Resolution:

    It is recommended that this IP address be examined to determine if it should be blocked at the firewall to prevent password guessing attacks. This account may also be worth blocking with a script on the Access Edge Server to prevent continued attacks against it.

    The IP address it refers to in the message is the floating IP of our internal load balancer.  Does anyone have experience with this error and what we can do to mitigate it?  I know the message makes some security suggestions but our Edge services are fairly limited.  We have PIC but Remote Access and all conferencing services are currently off and Federation is very limited.  We recently exposed CWA as well but this error was showing up before that.

    Thanks.

    Monday, August 23, 2010 3:20 PM
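An added example, not part of the original thread or of OCS: a Python triage of Event 14498 message text that totals failures per account and source address and marks the case in the question, where the reported address is your own load balancer and so identifies the VIP rather than the client. The VIP `10.0.0.50`, the internal ranges, the sample messages and all function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Pattern built from the Event 14498 wording quoted in the post.
EVENT_RE = re.compile(
    r"for the account (?P<account>\S+) and the first attempt was from "
    r"the IP address (?P<ip>[0-9.]+)\. (?P<count>\d+) failures have been "
    r"identified in the last (?P<minutes>\d+) minutes")

# Assumptions (constructed values): your load balancer VIP and internal ranges.
KNOWN_INFRA = {ipaddress.ip_address("10.0.0.50")}
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_event(text):
    """Return account, source IP, count and window, or None if not a 14498 text."""
    m = EVENT_RE.search(text)
    if not m:
        return None
    return {"account": m["account"].lower(), "ip": ipaddress.ip_address(m["ip"]),
            "count": int(m["count"]), "minutes": int(m["minutes"])}

def classify(ip):
    """Say what the reported source address can and cannot tell you."""
    if ip in KNOWN_INFRA:
        return "masked-by-infrastructure"  # real client sits behind the VIP
    if any(ip in net for net in INTERNAL):
        return "internal-client"
    return "external-source"

def triage(messages):
    """Sum failures per (account, source IP), largest first."""
    totals = defaultdict(int)
    for text in messages:
        ev = parse_event(text)
        if ev:
            totals[(ev["account"], ev["ip"])] += ev["count"]
    ranked = sorted(totals.items(), key=lambda kv: -kv[1])
    return [(acct, str(ip), n, classify(ip)) for (acct, ip), n in ranked]

# Constructed sample messages in the wording of the event above.
TEMPLATE = ("A significant number of authentication or authorization failures have "
            "occurred on messages for the account {a} and the first attempt was from "
            "the IP address {ip}. {n} failures have been identified in the last 10 minutes.")
SAMPLE = [TEMPLATE.format(a="user@company.com", ip="10.0.0.50", n=30),
          TEMPLATE.format(a="user@company.com", ip="10.0.0.50", n=30),
          TEMPLATE.format(a="other@company.com", ip="198.51.100.7", n=12)]
if __name__ == "__main__":
    print(triage(SAMPLE))
```

A row marked `masked-by-infrastructure` means the event alone cannot name the client, so a firewall block on that address would not isolate a single source.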

All replies

  •  

    This is a certificate problem, possibly in the chain. Verify all certificates and that everything is in the Trusted Root CA (local computer) and Intermediate CA (local computer).

    Start there... Also, have you validated the system? Has it come back with any errors?

    Thanks


    John
    Monday, August 30, 2010 2:35 PM
  • Hi

    Check on the machine of the user for whom you are getting this error:

    First check whether the user is able to log in successfully every time. Log in and log off several times.

    Then, if the user is able to log in sometimes and sometimes not, apply this setting:

    Go to Regedit:

    Hkey_Local_machine\System\CurrentControlSet\Control\LSA\MSV1_0

    There are two DWORD values:

    ntlmminclientsec, ntlmminclientsec. By default the value remains 0; change the values to 20008000 and reboot the machine.

    This is an NTLM authentication problem.

    Also, please send us the operating system version and OCS version.

    Hope this will help you.

    Thanks & Regards

    Zahoor Hakeem | P C SOlution india | Project Consultant | MCSA, CCNA, CCNP

    Wednesday, September 15, 2010 7:38 AM