Server 2012 Failed Logon Event 4625 w3wp.exe NULL SID Exchange Issue

Mike Orlando 36 Reputation points
2020-10-20T22:32:38.897+00:00

I recently changed passwords after having a cyber attack on another server on my network. All of our firewall changes have been WAN-LAN related. On my Windows 2012R2, I was looking at my security event logs and am noticing a lot of login failure event 4625 that involve w3wp.exe (IIS). The account listed is Sever_Name$ and the login attempt appears to be coming from the server itself with a NULL SID.

33891-capture1.png

I have attempted to cross reference my security logs with my IIS logs and around the time of the logon errors I am seeing a reference to lan\admin_name. This appears to have something to do with Exchange. I cannot find anything in IIS or Exchange ECP that would indicate a cashed password and have changed my password before without noticing this. The log times don't align to the exact MS. I am also seeing a lot of the DDI service and reference to LAN\SM_4594c5f82b8843e29.

2020-10-20 19:59:00 127.0.0.1 GET /mapi/ &CorrelationID=<empty>;&cafeReqId=830195a7-151c-4543-8ac3-a9b3fe109f1c; 443 LAN\SM_4594c5f82b8843e29 127.0.0.1 AMProbe/Local/ClientAccess - 200 0 0 4

2020-10-20 19:59:00 172.0.0.2 POST /ecp/DDI/DDIService.svc/GetList workflow=GetCount&ua=0&schema=Notification&msExchEcpCanary=OuqW0RaJ7EOSvpUzQFrKaao0YQouddgIokp9i5nW-wKR7T-goa7UMYcmP2I_8sJccD97mXim1x8.&CorrelationID=<empty>;&cafeReqId=928a30fe-581a-4bf0-928d-65204285aa72; 443 lan\administrator_name 172.0.0.2 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/86.0.4240.75+Safari/537.36 https://exchange.companydomain.com/**ecp**/ 200 0 0 120

2020-10-20 19:59:31 172.0.0.2 POST /ecp/DDI/DDIService.svc/GetList workflow=GetCount&ua=0&schema=Notification&msExchEcpCanary=OuqW0RaJ7EOSvpUzQFrKaao0YQouddgIokp9i5nW-wKR7T-goa7UMYcmP2I_8sJccD97mXim1x8.&CorrelationID=<empty>;&cafeReqId=5eab446e-b1af-4540-bb30-7b6cd9a5039f; 443 lan\administrator_name 172.0.0.2 Mozilla/5.0+(Windows+NT+6.3;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/86.0.4240.75+Safari/537.36 https://exchange.companydomain.com/**ecp**/ 200 0 0 124

Any help or direction with be great! I have seen similar posts, but having trouble pinning this down.

Thanks,

Mike

Windows Server 2012
Windows Server 2012
A Microsoft server operating system that supports enterprise-level management, data storage, applications, and communications.
1,606 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,707 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Lucas Liu-MSFT 6,176 Reputation points
    2020-10-21T09:25:49.247+00:00

    Hi @Mike Orlando ,
    Are there any problems during your normal use of Exchange?

    1. According to my research, the event id 4625 is generated when the account login fails. There are many possibilities to cause this event. Considering that you recently changed your password, would you like to clear the previous cache and log in with the new password?
    2. According to the information you provided, I noticed that the part related to Exchange is connecting to ECP, please try to log in to EAC and see if you could log in successfully.
    3. In addition, I have conducted research on similar cases. According to the suggestions provided by forum experts and Microsoft, if there is no problem with Exchange, for Exchange you could temporarily ignore the event log.
      For more information: Eventid 4625 and IIS account failed to log on - Event 4625

    ----------

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.