Logon failure - Account Currently Disabled Event 4625 | W3WP.EXE | SYSTEM

  • Question

  • I've been receiving failed login attempts, no IP, no username or any useful information.
    The server has Exchange 2013 and IIS installed. Mailbox Server (MBX) Information Store component is installed on this server.
    The Exchange server is working well.

    After thorough investigation, it was found that an application pool is causing this. We found this by executing the command "appcmd list wps" and matching the output with the process ID in the event log. It was found that app pool "MSExchangeServicesAppPool" is the culprit causing these failed login events.

    Kindly let us know what could be the issue in the configuration that is causing this issue.

    Below is the event


    An account failed to log on.

    Subject:

          Security ID:            SYSTEM

          Account Name:           SERVER-EXCHANGE$

          Account Domain:         DOMAIN

          Logon ID:         0x3E7

    Logon Type:             3

    Account For Which Logon Failed:

          Security ID:            NULL SID

          Account Name:          

          Account Domain:        

    Failure Information:

          Failure Reason:         Account currently disabled.

          Status:                 0xC000006E

          Sub Status:       0xC0000072

    Process Information:

          Caller Process ID:      0x38cc

          Caller Process Name:    C:\Windows\System32\inetsrv\w3wp.exe

    Network Information:

          Workstation Name: SERVER-EXCHANGE

          Source Network Address: -

          Source Port:            -

    Detailed Authentication Information:

          Logon Process:          Authz  

          Authentication Package: Kerberos

          Transited Services:     -
    Friday, January 1, 2016 5:03 AM

All replies

  • Hi,

    These status and sub status codes seem to suggest that the AD account is disabled or is trying to log on outside its defined logon hours. Please can you check that the SERVER-EXCHANGE computer account in AD has no logon hours set and is not disabled. 

    Please check for any other errors in the Exchange server system, application and security event logs. 

    Thanks.


    Please mark as an answer if this answers your question

    Mark Gossa

    MCSE 2003, MCITP Enterprise Administrator 2008 R2, MCSA 2012 R2, MCTS Exchange 2010, MCTS SQL 2012, MCTS SharePoint 2007, VCP4, VCP5, CCNA

    Blog: http://markgossa.blogspot.com   LinkedIn:

    Posts are provided “AS IS” without warranty of any kind, either expressed or implied.

    Saturday, January 2, 2016 11:35 PM
  • Hi,

    This must not be a remote logon failure. It was generated on the computer where the access was attempted. I haven’t tried this, but I hope the threads below will help you to solve the issue.

    Event ID 4625 Null SID

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/3e72765e-9fdd-425f-a7b4-1a78a651edc2/event-id-4625-null-sid

    Event ID 4625 Null SID Guest account currently disabled

    https://social.technet.microsoft.com/Forums/en-US/a2ae4591-f6e9-4177-8985-f47cdced3dca/event-id-4625-null-sid-guest-account-currently-disabled?forum=winserverNAP

    But I found this article, which had more positive comments.

    http://forums.iis.net/t/1183418.aspx?IIS+account+failed+to+log+on+Event+4625

    Try this and let us know the outcome.


    Hemal

    Sunday, January 3, 2016 6:35 AM
  • Thanks for the information.

    I found a link related to it and I want to know if implementing this would solve the issue, as we only have a live environment and can't test it there.

    Can anyone confirm that this would not affect the working of Exchange and IIS?

    http://artykul8.com/2010/01/windows-server-iis-sharepoint-and-null-sid-audit-failures/

    Monday, January 4, 2016 5:06 AM
  • Hi SA,

    I cannot promise that the method you found would not affect the Exchange and IIS services.

    However, the failure reason tells us that an account may have been disabled; as Gossa mentioned, you should check the account first.

    Best regards,


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Niko Cheng
    TechNet Community Support

    Monday, January 4, 2016 9:26 AM
    Moderator
  • I understood the same, that a user is disabled, but the user is "SYSTEM", which is not visible in the Users & Groups section in Windows. This is a hidden Windows user and I am unable to locate it on the server in order to enable it.

    Kindly help us in this.

    Monday, January 4, 2016 10:01 AM
  • Please enable auditing by following the article mentioned below and check if it helps you to find out the root cause of this weird issue: http://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/

    Organizations who want to increase their visibility as to what's happening in their IT environments but are perhaps limited on time, resources or budget. Lepide 2020 audit & change control suite provides instant access to see who, what, where and when changes are being made to Active Directory, Group Policy, SQL Servers, SharePoint, File Servers, Exchange Servers and more.

    Monday, January 4, 2016 10:25 AM
  • The required auditing is enabled on the server and we got the information that the account is disabled. We also found after thorough investigation that an application pool is causing this.

    We found this by executing the command "appcmd list wps" and matching the output with the process ID in the event log. It was found that app pool "MSExchangeServicesAppPool" is the culprit causing these failed login events.

    Below are the details we got from the event: the account for which logon failed has Security ID: NULL SID with an empty Account Name. The complete log is at the beginning of this case.

    Account For Which Logon Failed:

          Security ID:            NULL SID

          Account Name:          

          Account Domain: 

    What is wrong with app pool "MSExchangeServicesAppPool" that these login failures are occurring? Kindly help us in this.

    Monday, January 4, 2016 10:48 AM
  • Can anyone help us in this?
    Tuesday, January 12, 2016 10:13 AM
  • I'm on Exchange 2010 and we're having the same issue.

    Best practices analyzer says that the "identity" of the app pool should be "local system", but that's what is causing these errors. I tried changing to network services and doing an IISRESET, then changing back to "local system" (in the hopes that it would cause the account to re-register and maybe start working again), but I'm getting the same error again.


    Tuesday, February 2, 2016 4:02 PM
  • Did you find a solution?
    Thursday, March 9, 2017 7:45 PM
  • We have the same issue. Any updates on this? Was anyone able to solve it?
    Monday, December 17, 2018 2:33 PM
  • Were you ever able to resolve this?  We are running Exchange 2013 CU21. We get the same exact issue.

    C:\Windows\System32\inetsrv>appcmd list wps
    WP "7708" (applicationPool:MSExchangeAutodiscoverAppPool)
    WP "7144" (applicationPool:MSExchangePowerShellFrontEndAppPool)
    WP "4596" (applicationPool:MSExchangeRpcProxyFrontEndAppPool)
    WP "7240" (applicationPool:MSExchangeSyncAppPool)
    WP "14948" (applicationPool:MSExchangePowerShellAppPool)
    WP "15692" (applicationPool:MSExchangeMapiFrontEndAppPool)
    WP "15176" (applicationPool:MSExchangeECPAppPool)
    WP "18260" (applicationPool:MSExchangeOWACalendarAppPool)
    WP "17168" (applicationPool:MSExchangeOABAppPool)
    WP "19304" (applicationPool:MSExchangeMapiMailboxAppPool)
    WP "13808" (applicationPool:MSExchangeRpcProxyAppPool)
    WP "14240" (applicationPool:MSExchangeOWAAppPool)
    WP "7556" (applicationPool:MSExchangeServicesAppPool)

    An account failed to log on.


    Subject:
    Security ID: SYSTEM
    Account Name: EXCH01$
    Account Domain: Our_Domain
    Logon ID: 0x3E7


    Logon Type: 3


    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
    Account Domain:


    Failure Information:
    Failure Reason: Account currently disabled.
    Status: 0xC000006E
    Sub Status: 0xC0000072


    Process Information:
    Caller Process ID: 0x1d84
    Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe


    Network Information:
    Workstation Name: EXCH01
    Source Network Address: -
    Source Port: -

    As you can see Caller Process ID: 0x1d84 resolves to process ID 7556 which is MSExchangeServicesAppPool. 


    • Edited by MichaelAdyne Wednesday, March 6, 2019 7:59 PM update
    Wednesday, March 6, 2019 3:15 PM
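
The correlation used in this thread (the hex Caller Process ID from event 4625 matched against `appcmd list wps` output), as an added Python example that is not part of any post. The event text and worker-process list are constructed samples in the thread's format, and the function names are hypothetical.

```python
import re
from collections import Counter

# NTSTATUS names for the Status / Sub Status values quoted in this thread.
NTSTATUS = {0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
            0xC0000072: "STATUS_ACCOUNT_DISABLED"}
SECTIONS = {"Subject", "Account For Which Logon Failed", "Failure Information",
            "Process Information", "Network Information"}
# Constructed samples in the format shown in the thread (not real captures).
SAMPLE_WPS = '''WP "7708" (applicationPool:MSExchangeAutodiscoverAppPool)
WP "7556" (applicationPool:MSExchangeServicesAppPool)'''
EVENT = r"""An account failed to log on.
Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
Failure Information:
    Status: 0xC000006E
    Sub Status: 0xC0000072
Process Information:
    Caller Process ID: {pid}
    Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe"""
SAMPLE_EVENTS = [EVENT.format(pid=p) for p in ("0x1d84", "0x1d84", "0x38cc")]

def parse_wps(text):
    """Worker-process PID -> app pool name, from `appcmd list wps` output."""
    return {int(p): n for p, n in re.findall(r'WP "(\d+)" \(applicationPool:([^)]+)\)', text)}

def parse_4625(text):
    """Fields of one 4625 message keyed by (section, name); names repeat across sections."""
    fields, section = {}, None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key in SECTIONS and not value.strip():
            section = key
        elif sep:
            fields[(section, key)] = value.strip()
    return fields

def attribute(events, wps):
    """Count w3wp.exe failures per (app pool, sub status); PIDs not in wps are 'unknown'."""
    hits = Counter()
    for f in map(parse_4625, events):
        proc = f.get(("Process Information", "Caller Process Name"), "")
        if proc.lower().endswith("\\w3wp.exe"):
            pid = int(f[("Process Information", "Caller Process ID")], 16)
            sub = int(f[("Failure Information", "Sub Status")], 16)
            pool = wps.get(pid, "unknown (PID %d not in snapshot)" % pid)
            hits[(pool, NTSTATUS.get(sub, hex(sub)))] += 1
    return hits
```

A worker-process PID changes whenever its app pool recycles, so the `appcmd list wps` snapshot only attributes events logged while that w3wp.exe instance was running.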
  • We have the same issue on Exchange 2016.

    Any update on this, Microsoft?

    Tuesday, July 9, 2019 11:17 PM