Tracking Down Malformed Logon Attempts

Brad Story 1 Reputation point
2022-08-26T13:56:10.9+00:00

I've been getting failed login messages on my DC (via Exchange server) that I'm trying to track down. This is ONLY coming from iOS devices. The logon username is malformed causing the failure message, and NOT causing a user lockout. The malformed user is in the form of domain\user@keyman where the domain is the internal domain name. The workstation is always WORKSTATION (not a device on the domain).
The only strange part is in the ActiveSync logs, a ResponseBody: [No XMLResponse] for what appears to be a query for AirSyncBase.
We utilize VMWare Workspace One using Boxer for email in case that is relevant.

Anyone have any insights?
Thanks!

Logs from the affected servers for those events:
From Exchange:
08/23 13:20:46 [LOGON] [32520] SamLogon: Network logon of Conseco\jsmith@Conseco.COM from WORKSTATION Entered
08/23 13:20:46 [CRITICAL] [32520] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
08/23 13:20:46 [LOGON] [32520] SamLogon: Network logon of Conseco\jsmith@Conseco.COM from WORKSTATION Returns 0xC0000064

From DC:
08/23 13:20:46 [LOGON] [10664] Conseco: SamLogon: Transitive Network logon of Conseco\jsmith@Conseco.COM from WORKSTATION (via EXCHANGE02) Entered
08/23 13:20:46 [LOGON] [10664] Calling LsaIFilterInboundNamespace for TrustName:'(null)' Flags:0x0 MsvAvNbDomainName:'Conseco' MsvAvDnsDomainName:'Conseco.COM'
08/23 13:20:46 [LOGON] [10664] LsaIFilterInboundNamespace succeeded - FilterInboundNamespaceSucceeded
08/23 13:20:46 [LOGON] [10664] Conseco: SamLogon: Transitive Network logon of Conseco\jsmith@Conseco.COM from WORKSTATION (via EXCHANGE02) Returns 0xC0000064
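As an added example (not part of the original post), a small Python parser for the netlogon.log "Returns" lines quoted above: it extracts user, workstation, relaying server and NTSTATUS code, and flags the domain\user@realm shape the post describes. The sample lines are constructed to match the post's format.

```python
import re
from collections import Counter

# Constructed sample lines in the netlogon.log format shown in the post;
# only the "Returns 0x..." lines carry the logon outcome.
SAMPLE_LOG = """\
08/23 13:20:46 [LOGON] [10664] Conseco: SamLogon: Transitive Network logon of Conseco\\jsmith@Conseco.COM from WORKSTATION (via EXCHANGE02) Entered
08/23 13:20:46 [LOGON] [10664] Conseco: SamLogon: Transitive Network logon of Conseco\\jsmith@Conseco.COM from WORKSTATION (via EXCHANGE02) Returns 0xC0000064
08/23 13:21:02 [LOGON] [10664] Conseco: SamLogon: Transitive Network logon of Conseco\\jdoe from LAPTOP-42 (via EXCHANGE02) Returns 0x0
08/23 13:21:30 [LOGON] [10664] Conseco: SamLogon: Transitive Network logon of Conseco\\asmith@Conseco.COM from WORKSTATION (via EXCHANGE02) Returns 0xC0000064
08/23 13:22:11 [LOGON] [10664] Conseco: SamLogon: Transitive Network logon of Conseco\\jdoe from LAPTOP-42 (via EXCHANGE02) Returns 0xC000006A
"""

# NTSTATUS values commonly seen on SamLogon "Returns" lines.
NTSTATUS = {
    0x0: "STATUS_SUCCESS",
    0xC0000064: "STATUS_NO_SUCH_USER",      # the code in the post: name does not resolve
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

RETURNS_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) .*?logon of (?P<user>\S+) from (?P<ws>\S+)"
    r"(?: \(via (?P<via>[^)]+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

# NT-style "domain\user" and UPN-style "user@realm" mashed together,
# which is the malformed shape the post reports.
MALFORMED_RE = re.compile(r"^[^\\@]+\\[^\\@]+@[^\\@]+$")

def parse_returns(text):
    """Yield one dict per SamLogon 'Returns' line; other lines are ignored."""
    for line in text.splitlines():
        m = RETURNS_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"], 16)
        rec["status_name"] = NTSTATUS.get(rec["status"], "UNKNOWN")
        rec["malformed"] = bool(MALFORMED_RE.match(rec["user"]))
        yield rec

def summarize(text):
    """Count failures by (user, workstation, relaying server, status, malformed?)."""
    counts = Counter()
    for r in parse_returns(text):
        if r["status"] != 0:
            counts[(r["user"], r["ws"], r["via"], r["status_name"], r["malformed"])] += 1
    return counts
```

Running it over a full netlogon.log and sorting the counter shows at a glance whether the malformed names cluster on one workstation name, one relaying server, or one set of accounts.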


3 answers

  1. Brad Story 1 Reputation point
    2022-08-30T12:36:00.85+00:00

    The issue is happening from all iOS devices, this is just one example. Android devices do not show the problem.

    We are utilizing VMWare Workspace One for our MDM, but there are no problems on that side according to the logging from their platform.

    It's just strange how it is always domain\user@keyman .com from workstation.

    Thanks!


  2. Limitless Technology 39,376 Reputation points
    2022-09-01T07:26:34.187+00:00

    Hello there,

    Try enabling auditing for logon failure.

    Logon to your domain controller with administrative privileges and launch the Group Policy Management console.

    Right-click the appropriate Group Policy Object linked to the Domain Controllers container and select Edit.

    Expand the Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy node.

    Configure audit policies as follows:

    Account Management: Success

    Audit account logon events: Failure

    Audit logon events: Failure


  3. Brad Story 1 Reputation point
    2022-09-01T11:53:50.373+00:00

    Thanks for the suggestion, we have those policies enabled, and the log entries are from enabling debug NetLogon logging. I've also pulled debug logging from the ActiveSync device with no clues as to where the malformed logins are originating.
