Account lockouts via IMAP in hybrid environment for migrated users

CM 96 Reputation points
2021-01-31T21:00:49.587+00:00

We are in a Hybrid 365 environment and I have a bunch of users who have started getting locked out recently. The process that seems to be doing this is Microsoft.Exchange.Imap4.exe.

  • Disabling the IMAP service on our onprem server stops the lockouts. This is not feasible long term as we have an app that requires IMAP
  • Event logs on mail server are only showing the mail server IMAP process as the source so far that I can find.
  • No login failures on O365 found
  • Disabling IMAP for the user on 365 does not stop lockouts
  • Lockout tools like netwrix just point at onprem mail and IMAP
  • IMAP logging is enabled on our onprem exchange and I see connections from our services that use it but not the failed attempts from users.
  • So far unable to find any source IP that is actually making the request to exchange
  • Unsure if the login attempts are from inside or outside the network since nothing is in the IMAP logs. Should I be looking elsewhere?
  • Lockouts stop after local work hours and overnight, so it "looks" like this is not an attack, just users with bad devices.

I am guessing it is something like the users' passwords have changed since the migration and they had an old device or the native Windows mail app connected and it's still trying the old password, but without more information to point them at I'm a bit stuck trying to convince them to actually look for said devices.

Does anyone have any suggestions on how to get more information? I am trying to find the specific device trying to hit the IMAP port (993) if possible. Is there more logging I need to enable? Trying to wireshark it or something will be a nightmare with as many connections as we get but it might be a "last resort" if there is no other way.

The mail server event is
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A

Exchange | Exchange Server | Management
Exchange | Hybrid management

Accepted answer
  1. CM 96 Reputation points
    2021-02-01T15:49:22.643+00:00

    Thanks for all the help. This did help me track it further and get more insight into what was going on. Luckily we really don't need IMAP except for 1 or 2 services, so rather than keep beating my head on this I've implemented firewall rules to just drop everything except the ones we know we need. Users using 3rd party apps will be told to use authorized work apps. I'm not sure which to mark as an answer since none was truly the end fix, but they did give good info.


4 additional answers

  1. Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator
    2021-02-01T13:28:38.927+00:00

    Yea, if you can't track these down with the existing logs, it's gonna be tough.
    But here is the thing: if you can't track down the client IP of the IMAP client that is locking out the user, you at least know which users are being locked out, right?
    In that case, focus on one of them, and have that person track it down. I assume it's coming from the same IP as the IMAP lockout.

    1 person found this answer helpful.

  2. CM 96 Reputation points
    2021-02-01T00:59:35.323+00:00

    The DC reports the IP of the mail server. Netlogon logs are not showing anything for those times on any of the DCs in that site; I checked them all, including the one that reported as locked out on. Working backwards to the mail server is where I see the failure with MAPI trying to log in. I also enabled Netlogon logging on the mail server to see if that would help, but I'm not seeing anything in there either.

    On DC Timestamp 4:35:02
    A user account was locked out.

    Subject:
    Security ID: SYSTEM
    Account Name: DC1$
    Account Domain: MYDOMAIN
    Logon ID: 0x3E7

    Account That Was Locked Out:
    Security ID: MYDOMAIN\joeuser
    Account Name: joeuser

    Additional Information:
    Caller Computer Name: MAILServer

    On MAILServer timestamp 4:35:02

    An account failed to log on.

    Subject:
    Security ID: SYSTEM
    Account Name: MAILServer$
    Account Domain: MYDOMAIN
    Logon ID: 0x3E7

    Logon Type: 8

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: ******@mydomain.com
    Account Domain:

    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC000006A

    Process Information:
    Caller Process ID: 0xa8f4
    Caller Process Name: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\PopImap\Microsoft.Exchange.Imap4.exe

    Network Information:
    Workstation Name: MAILServer
    Source Network Address: -
    Source Port: -


  3. CM 96 Reputation points
    2021-02-01T02:18:04.387+00:00

    I tried that once, but not with the command you listed; my version gave me over 1k connections. This one gives me about 50, so much more manageable. The question now is how do I correlate who these belong to? They are not the same and only a couple are internal. Thanks for all the assistance so far. This has been nothing but fun to try to track down (read sarcasm in the joy of it..).


  4. KyleXu-MSFT 26,396 Reputation points
    2021-02-01T07:22:56.09+00:00

    @CM

    The IMAP log (C:\Program Files\Microsoft\Exchange Server\V15\Logging\Imap4) could log the client IP (cIp) address for the logon action.

    If the log doesn't record the correct IP address (it may be changed by your network equipment, such as a load balancer), I think this mailbox is being logged on to from outside your organization; you may need to temporarily remove the firewall or other intermediate equipment from your organization, then check whether the IMAP log could record the correct IP address.

    The public Internet environment is more complicated. After many hops, I think it is difficult to find the real IP address. So, if you still want to use IMAP from outside your organization, I would suggest you change the published Exchange DNS record to another one; in this way, old IMAP configurations will no longer be able to find and connect to your Exchange server.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

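To act on the cIp hint above and on the earlier correlation question (which IMAP client failed for which user at the 4740/4625 time), here is an added Python example; it is not from the thread or from Exchange itself. Only cIp is named on the page: the other column names are assumed from the protocol log's own #Fields header, and the log sample is constructed.

```python
import csv
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the layout of an Exchange IMAP4 protocol log
# (...\Logging\Imap4). Only cIp is named on the page; the other column
# names are assumed from the log's own #Fields header, and every IP,
# user and session id below is made up.
SAMPLE_LOG = '''#Software: Microsoft Exchange Server
#Log-type: IMAP4 Log
#Fields: dateTime,sessionId,seqNumber,sIp,cIp,user,duration,rqsize,rpsize,command,parameters,context
2021-02-01T04:34:10.100Z,0A,1,10.0.0.5:993,10.0.0.40:50211,svc-scan@mydomain.com,12,30,20,login,*****,"R=""OK LOGIN completed."""
2021-02-01T04:35:01.500Z,0B,1,10.0.0.5:993,203.0.113.7:51234,joeuser@mydomain.com,15,30,25,login,*****,"R=""NO LOGIN failed."""
2021-02-01T04:35:02.100Z,0C,1,10.0.0.5:993,203.0.113.7:51235,joeuser@mydomain.com,14,30,25,login,*****,"R=""NO LOGIN failed."""
2021-02-01T04:35:02.300Z,0D,1,10.0.0.5:993,10.0.0.77:49152,joeuser@mydomain.com,13,30,25,login,*****,"R=""NO LOGIN failed."""
2021-02-01T04:40:00.000Z,0E,1,10.0.0.5:993,10.0.0.40:50300,svc-scan@mydomain.com,11,30,20,login,*****,"R=""OK LOGIN completed."""
'''

def parse_imap_log(text):
    """Return one dict per data row, naming columns from the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, next(csv.reader([line])))))
    return rows

def failed_logins_near(rows, user, lockout_utc, window_s=5):
    """Count failed LOGINs for `user` within +/- window_s of the 4740/4625
    timestamp, keyed by client IP with the ephemeral source port stripped.
    lockout_utc is 'YYYY-MM-DDTHH:MM:SS' in UTC: the IMAP log is written in
    UTC, so convert the Event Viewer's local time before calling this."""
    centre = datetime.strptime(lockout_utc, "%Y-%m-%dT%H:%M:%S")
    lo, hi = centre - timedelta(seconds=window_s), centre + timedelta(seconds=window_s)
    hits = Counter()
    for r in rows:
        if r["command"].lower() != "login" or r["user"].lower() != user.lower():
            continue
        if "NO LOGIN" not in r["context"]:   # server rejected the credentials
            continue
        t = datetime.strptime(r["dateTime"], "%Y-%m-%dT%H:%M:%S.%fZ")
        if lo <= t <= hi:
            hits[r["cIp"].rsplit(":", 1)[0]] += 1
    return hits

if __name__ == "__main__":
    # 4:35:02 is the time on the 4740/4625 events; assumed here to already be UTC
    for ip, n in failed_logins_near(parse_imap_log(SAMPLE_LOG), "joeuser@mydomain.com", "2021-02-01T04:35:02").items():
        print(f"{ip}: {n} failed IMAP login(s) for joeuser")
```

A client IP that keeps failing for one user in the seconds before each 4740 is the device (or the load balancer in front of it) to chase; a cIp that is always the load balancer means the real source has to be read from that device's logs instead.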
