How to find the real source IP of a Event 4776 generated from a public Exchange Mapi URL https://mail.xxxx.yy/mapi/

YaKs77 6

Hi,
I am struggling trying to find the real source of a bunch of authentication attempts (brute force) that I just discovered in our environment.

I did my own test connecting to our public URL https://mail.xxxxxx.yyy/mapi/ using my 4G phone , using wrong credentials.
the event 4776 logged in our DC server is the following

LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=4776
EventType=0
Type=Information
ComputerName=Dc.xxxx.yyy
TaskCategory=Credential Validation
OpCode=Info
RecordNumber=1450342160
Keywords=Audit Failure
Message=The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: test4g
Source Workstation: localhost
Error Code: 0xC0000064

I tried to find traces in our Exchange IIS logs and I dont find any entry, I checked and the logging is enabled, format W3C. we have onprem exchange 2016.

maybe I need to enable some settings for deeper logging?

Thanks a lot.

Kael Yao-MSFT 37,496 Reputation points Microsoft Vendor

2022-04-01T03:12:22.387+00:00

Hi @YaKs77

Did you check the IIS log under this path C:\inetpub\logs\LogFiles\W3SVC1 on Exchange server?
If you search for the timestamp of event 4776 in IIS log (by default IIS log would use UTC time), would you see requests sent to /mapi and a return code 401?
YaKs77 6 Reputation points

2022-04-01T13:34:51.85+00:00

Hi @kaelyao,
you were absolutely right, I didnt realize about the UTC time so I could not correlate by time.

In any case, I dont see the user account name in the log which I think it is very needed in case we have several 401 on the same second. I would like to correlate both event logs based on the account name and the timestamp.

Is there any way to force the logging of the user account used? for some reason the account name does not appear in the 99.99% of log lines with 401 code, is this normal?
Over almost 30K events with 401 code, only 4 contained the user account :O

Many thanks once again.
Kael Yao-MSFT 37,496 Reputation points Microsoft Vendor

2022-04-04T06:35:52.283+00:00

Hi,
In my lab the user account is also not logged in IIS logs.

While I suppose you may see it in the event 4776 Logon Account field.
In this case, is the account which you are using for test test4g?
YaKs77 6 Reputation points

2022-04-05T08:16:14.96+00:00

Hi,
yes, the account is shown in the 4776 event in the DC server but that is not enough.
For a robust correlation between IIS and DC logs, the same time and account name are necessary. Otherwise in a high traffic environment , they might be dozens of connections in the IIS logs in the same exact second that might match with the time of a 4776 event.

is there no way to force the logging of the account name in all IIS log entries?

cheers
Kael Yao-MSFT 37,496 Reputation points Microsoft Vendor

2022-04-05T08:42:03.163+00:00

Hi,
Sorry I am not sure if it is possible.
I would recommend posting in the IIS forum and see if you can get some suggestions there.
You may add the iis related tags to your question, for example windows-server-iis.
YaKs77 6 Reputation points

2022-04-07T15:09:33.223+00:00

I just did that, new IIS tags added. I hope some colleague of your will pick it up ;)
Kael Yao-MSFT 37,496 Reputation points Microsoft Vendor

2022-04-08T01:28:36.12+00:00

Hi,
I noticed you added the tags to this question.

Sorry I didn't make it clear in my former reply.
I would recommend creating a new post and adding the IIS tags so the community members can focus better on this question (if logging account name is possible in IIS logs),
since this original question is finding the ip addresses of Event 4776.

Thanks for your understanding and hope you will get the answer soon.