none
AD account locked out on Exchange 2010 RRS feed

  • Question

  • I know this is not new but I kind of stuck here.

    The impacted user is using Outlook 2010 and has an iphone and ipad using activesync to connect to our Exchange 2010.

    The account has been locked out randomly but seems to be every hour and he is the only one having this problem. I checked the log, the caller is our Exchange server and the caller process is EdgeTransport.exe.

    What I have done are:

    1. Deleted exchange account and re-created on both iphone and ipad. I focused on the ActiveSync/mobile devices because I saw similar time stamps in IIS logs when account was locked out. 
    2. Made sure no other mail apps are used on iphone/ipad
    3. Re-created a new Outlook profile on user.s PC.
    4. Made sure no other mail app been used on PC.
    5. Checked credential manager on his Windows 10 by using PsExec and removed all.
    6. No particular task schedule running on user's PC.
    7. Cleared browser caches on both mobile and PC.
    8. Restarted both mobile devices.

    Please advise what i may have still overlooked.

    Thanks

    Calvin

    Saturday, October 20, 2018 1:27 AM

All replies

  • Hi Calvin,

    Thanks for posting in our forum.

    Afer doing these, is this account still locked out every hour? 

    Is there any different settings between this account and other accounts?

    Best Regards,

    Kallen


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 22, 2018 6:33 AM
    Moderator
  • Kallen and KHart85,

    Thanks for the suggestions. What I already knew is the user's account was locked out on the our Exchange 2010 server which is the caller machines in logs. Two events were logged to cause the locked out. The first one is unknown username for account, jdoe trying to log in and the 2nd one is unknown password for jdoe@domain.com trying to log in. There is no source IP.

    I believe it's activesync related but after I deleted and re-created the Exchange accounts on his mobile devices and even re-created the Outlook profile, the account still got locked out.

    I have also run powershell, get-activesyncdevicestatistics to confirm the legit devices.

    Thanks
    Calvin


    Monday, October 22, 2018 12:58 PM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Kallen


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, October 26, 2018 9:25 AM
    Moderator
  • The issue has not been resolved. What I already knew are: account was locked out on our Exchange 2010, process is Advanpi, Logon Type is 8. All these told me its activesync/mobile devices related. I have identified 2 devices, iphone and ipad listed as the connected devices by using get-ActiveSyncDeviceStatistics command. I then recreated the Exchange account on user' iphone and ipad. Outlook on PC is the only app contacting the Exchange. I have also checked the IIS logs on Exchange, the repeated warnings are below but I don't think it's the cause. So i'm still stuck.

    Sync/default.eas User=<user>@<Our_domain>.com&DeviceId=31RJ4G658D6V3C7K28K1QS60SG&DeviceType=iPad&Cmd=Ping&Log=V141_LdapC2_LdapL15_Hb893_UserInfo:UserMailbox_S3_Error:PingCollisionDetected_Mbx:MJLM-<exchange>_Dc:<our_domain_controller>_Throttle15_Budget:(A)Conn%3a1%2cHangingConn%3a0%2cAD%3a%24null%2f%24null%2f0%25%2cCAS%3a%24null%2f%24null%2f0%25%2cAB%3a%24null%2f%24null%2f0%25%2cRPC%3a%24null%2f%24null%2f0%25%2cFC%3a1000%2f0%2cPolicy%3aDefaultThrottlingPolicy%5F1d5e7738-2758-403c-9b7e-0e0574454e7c%2cNorm_ 443 <user_email_address> 174.235.0.164 Apple-iPad7C2/1505.302 200 0 0 550522

    Monday, October 29, 2018 4:06 PM
  • More information to this case. It may have something to do with SAMaccount vs UPN. For this user, his SAMaccount is John and UPN is jdoe@ourdomain.com which matches his email address.

    The event logs (event ID 4625) on my Exchange server usually shows two failed logins and then lockout.

    Two failed logins show account name as jdoe (sub status: 0xc0000064 - user does not exist) and jdoe@ourdomain.com (sub status: 0xc000006A - user name is correct but the password is wrong). 

    All his mobile devices are configured to use SAMaccount as domain\john. Not sure where were jdoe and jdoe@ourdomain.com trying to authenticate from?

    The activities are so random. It could be no activities for one or two days, then locked out every hour on a random day.

    Thanks

    Calvin

    Thursday, November 1, 2018 3:54 PM
  • Hi,

    I am sorry that this issue still hasn't been resolved.

    If this issue is urgent, we would suggest you contact Microsoft Customer Support and Services where more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue. In addition, if the issue has been proved as system flaw, the consulting fee would be refund. You may find phone number for your region accordingly from the link below:

    Global Customer Service phone numbers

    https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers

    Thanks for your understanding.

    Best Regards,

    Kallen


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 7, 2018 9:24 AM
    Moderator
  • Upon further review of logs on our Exchange server, I found many events of 1035 in Application log with the category, SmtpReceive. The source IP addresses of the clients who tried to authenticate to Microsoft Exchange are from the countries that we have no business with. I blocked the IP from those countries on firewall and the issue seemed to be gone. 

    Thank you all!!

    Calvin

    Wednesday, November 7, 2018 2:33 PM
  • Hi,

    I am glad to hear that your issue was successfully resolved.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Kallen


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, November 8, 2018 9:57 AM
    Moderator