Failed logon attempts for Alternate Service Account

Joseph Larrew (341 Reputation points, Microsoft Employee), 2020-08-11T11:44:22.9+00:00

Hello team. I've got an interesting problem where I see event 4625 in the Security Log for my ASA. The failure reason says "Unknown user name or bad password"

Environment: Exchange 2013 CU23, Windows Server 2012 R2, forest and domain functional level 2012 R2, load balancers, Kerberos authentication, no forest-to-forest trusts, many child domains.

Issue: ASA account shows failed logon attempts in Event Viewer on the Exchange server, but not on the domain controller. It shows successful attempts on the DC, but failed attempts on the Exchange Server. NOTE: This is only happening at one site as far as I know. There are multiple ASAs. I think this is because they are using site-based namespaces and so they delegate site-specific SPNs to the site specific ASA.

Troubleshooting done so far:

  1. Re-rolled out ASA credentials to the site Exchange Client Access Servers. Interestingly enough, once this was done, the error being reported changed from “…using a bad password” to “…using an old password.”
  2. Found and removed stored credentials by running “rundll32 keymgr.dll,KRShowKeyMgr” as the local system account (done by using PSExec).
  3. Checked IIS and the virtual directories don't indicate any basic authentication happening

Other info: Looking at the event log, it logs event ID 4625 (more description here) for this ASA with a logon type of 8, which is supposedly “NetworkCleartext,” which implies that it is having issues with IIS logins using Basic Authentication. The Authentication Package in the event log info mentions using “Negotiate” and the Logon Process is “Advapi,” so I don’t see how it would be an issue with trying to use Basic Authentication. The caller process seems to be the Exchange svchost process ($env:ExchangeInstallPath\Bin\Microsoft.Exchange.ServiceHost.exe).

Is this some sort of expected behavior? Also, my question was previously posted here.
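Added example, not part of the original post and not Microsoft's code: a PowerShell snippet to run on the affected Client Access Server that pulls the 4625 events for the ASA out of the Security log and lists exactly the fields the post reasons about (logon type, authentication package, logon process, caller process, NTSTATUS/sub-status), then shows which CAS hold ASA credentials and which SPNs are bound to the account. The account name EXCH-ASA$ and the domain CONTOSO are assumptions; the sub-status table covers only the common codes and is not taken from the post.

```powershell
# Assumed ASA account name (sAMAccountName) and domain; replace with your own.
$asaSam    = 'EXCH-ASA$'
$asaDomain = 'CONTOSO'

# Common 4625 SubStatus codes (well-known NTSTATUS values, not from the post).
$subStatusText = @{
    '0xc000006a' = 'bad password'
    '0xc0000064' = 'user name does not exist'
    '0xc0000071' = 'password expired'
    '0xc0000072' = 'account disabled'
    '0xc0000234' = 'account locked out'
}

# Pull the last 24 hours of 4625 events from the local Security log.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Keep only failures where the *target* account is the ASA.
    if ($d.TargetUserName -ne $asaSam) { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Target      = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType   = $d.LogonType                 # 8 = NetworkCleartext
        AuthPackage = $d.AuthenticationPackageName # e.g. Negotiate
        LogonProc   = $d.LogonProcessName          # Advapi = a LogonUser() call from a process
        Caller      = $d.ProcessName               # which binary made the call
        Status      = $d.Status
        SubStatus   = $d.SubStatus
        Reason      = $subStatusText["$($d.SubStatus)".ToLower()]
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize

# Which CAS currently hold ASA credentials, and when they were last set
# (Exchange Management Shell, Exchange 2013 cmdlet).
Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus |
    Select-Object Name, AlternateServiceAccountConfiguration

# SPNs registered on the ASA; compare against the site's namespaces.
setspn -L "$asaDomain\$asaSam"
```

Reading the output: a row with LogonType 8, AuthPackage Negotiate, LogonProc Advapi and Caller ending in Microsoft.Exchange.ServiceHost.exe is the pattern the post describes, and the SubStatus column tells you whether the DC actually rejected the password (0xC000006A) or the account (0xC0000064); the second and third commands show whether the CAS that logged the failure is one that received the new ASA credentials and whether the site-specific SPNs are on the account it is trying to use.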
