1,452 questions
The default front end receive connector does not require authentication by default.
Are you sure its related to the lockouts?
Unable to find the source of Account Lockout which originates from Exchange Server
Tanisorn Sowudomsilp
251
Reputation points
To All,
Please help or suggestion me to resolve this issue!!
I have an user account which locks out almost everyday in AD & Security logs from Domain Controller indicates the caller computer name is the exchange server. When I look into the exchange server Security Logs I can see there are multiple failed logins but it gives me no specific info about from where is this originating from.
I've checked the IIS logs as well but can't find anything related to this particular user account.
Please see the Exchange Server Log:
Event ID (4625) as picture below,
Thank you in advance,
Tanisorn
Exchange | Exchange Server | Other
Exchange | Exchange Server | Management
7,925 questions
Windows for business | Windows Server | User experience | Other
20,218 questions
Windows for business | Windows Server | Devices and deployment | Configure application groups
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 80%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAL%3C/text%3E%3C/svg%3E)
Aholic Liang-MSFT 13,886 Reputation points Microsoft External Staff2023-02-16T09:52:46.2833333+00:00 Hi,
Just checking in to see how things are going on with this thread.
If the reply was helpful, you can click the "Accept Answer" button under this post so that other's with similar question can benefit from this thread as well.
If you still have further questions or concerns, feel free to post back.
Sign in to comment
Accepted answer
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator2023-02-18T13:48:36.5866667+00:00 -
Aholic Liang-MSFT 13,886 Reputation points Microsoft External Staff
2023-02-22T10:05:55.7733333+00:00 Just checking in to see how things are going on with this thread.
If the reply was helpful, you can click the "Accept Answer" button under this post so that other's with similar question can benefit from this thread as well.
If you still have further questions or concerns, feel free to post back.
-
Tanisorn Sowudomsilp 251 Reputation points
2023-02-22T10:12:16.02+00:00 Thank you very much for your help, Andy David, and Aholic Liang.
Sign in to comment -
2 additional answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Limitless Technology 44,766 Reputation points2023-02-14T15:58:03.6033333+00:00 Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query
If you are experiencing account lockouts that originate from the Exchange Server, there are several possible causes. These can include incorrect credentials being used to access the server, a malware infection on the server, or a user account being left logged in on the server. To troubleshoot this issue, you can start by running a malware scan on the server to check for any malicious software. If the scan comes up clean, you can then check the user accounts to see if any are left logged in. Additionally, you can set up an audit policy to track logon events to help identify any suspicious activity. Finally, you can configure a lockout policy to prevent users from being locked out due to incorrect credentials.
If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.
-
Tanisorn Sowudomsilp 251 Reputation points
2023-02-14T17:36:37.02+00:00 Thank you for your suggestion,
Sign in to comment -
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
2023-02-14T16:11:27.2533333+00:00 The source is the transport service, meaning SMTP auth is failing.
enable SMTP protocol logging on the front end client receive connector (s) and match up the log entries with the lockouts in the event logs by date and time and hopefully you can find the IP
-
Tanisorn Sowudomsilp 251 Reputation points
2023-02-14T17:35:17.92+00:00 Hi Andy David,
How can I find SMTP authentication log?
Thank you for your suggestion.
-
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
2023-02-14T17:54:00.1966667+00:00 Once you enable logging, you can find here:
-
Tanisorn Sowudomsilp 251 Reputation points
2023-02-18T10:48:44.5633333+00:00 Hi Andy David,
I found the Inbound authentication failed from Default Frontend receive connector by random public IP. please see the picture below.
Do you have any suggestion to solve this problem?
Thank you very much,
Tanisorn.
-
Tanisorn Sowudomsilp 251 Reputation points
2023-02-18T11:14:13.6+00:00 Hi Andy David,
I found the inbound authentication failed for the Default Frontend receive connector from random public IP, please see the picture below.
Do you have any solution to prevent this issue?
Thank you in advance,
Tanisorn
Sign in to comment -