Friday 8 August 2014

Troubleshoot: Exchange CAS Server is the lockout source


It is very annoying if you find an Exchange Server as a source of AD account lockout of an end user.

If it is an Exchange 2010 CAS Server, you need to further dig into the IIS logs to find the exact root cause for the lockout.

Analysing the IIS logs is itself a very time consuming task - here comes a great utility "log parser 2.2" for your rescue.

Install Log Parser on your Exchange 2010 CAS Server which has been identified as a lockout source or you can install the log parser on a member server or workstation having access to the IIS logs.

Following are a set of some useful commands which can be used to easily find the exact lockout source.

The only prerequisite is to know the exact lockout time & the source Exchange Server, so that you can open the related IIS log file having the logs of that time period.


Command to search logs for a single user, this will give detailed output of which device/application is causing lockout


Command 1
Grouped by User name & the count of attempts


Logparser "select cs-username,cs(User-Agent) AS DeviceType,sc-win32-status,TO_LOWERCASE(cs-uri-stem) AS application,STRCAT(STRCAT(TO_STRING(sc-status),'.'),TO_STRING(sc-substatus)) as HTTPstatus,Count(*) INTO 'd:\temp\logparser_output.csv' FROM 'C:\inetpub\logs\LogFiles\W3SVC1\IISLogfilename.log' WHERE TO_STRING(sc-status) LIKE '401' AND cs-username Like '%username' Group BY cs-username, DeviceType, application, HTTPstatus, sc-win32-status Order BY cs-username, DeviceType"

Note: If you are executing this command on a member server or workstation, you have to provide UNC path for IIS logs or copy the log file locally from where you are running the command.

Output of the above command will look like as given in below snapshot:







Command 2
Grouped by Date/Time

Logparser "select Date,Time,cs-username,cs(User-Agent) AS DeviceType,sc-win32-status,TO_LOWERCASE(cs-uri-stem) AS application,STRCAT(STRCAT(TO_STRING(sc-status),'.'),TO_STRING(sc-substatus)) as HTTPstatus,Count(*) INTO 'd:\temp\logparser_output.csv' FROM 'C:\inetpub\logs\LogFiles\W3SVC1\IISLogfilename.log' WHERE TO_STRING(sc-status) LIKE '401' AND cs-username Like '%username' Group BY Date,Time,cs-username, DeviceType, application, HTTPstatus, sc-win32-status Order BY cs-username, DeviceType"

Output of the above command will look like as given in below snapshot:








Understanding the Output file.

Once we have the output, the next part is to read & understand the event codes from the output report.
There are many fields in this output which are explained below:

Date/Time: This will show the date & time of the connection attempt from the client device in use by the user.

CS-Username: This will contain the Domain\Username of the user for whom we extracted this report.

DeviceType: Device type will have the device details from where the connection is being tried to be established/authenticated. It can be an Active Sync device, MS Outlook client, Web Browser with saved wrong credentials, MS Lync to retrieve calendar information.

Application: This will show the IIS Virtual directory path, you will get an idea as what exactly the source device is trying to access, as shown in the snapshots above we have a URL for Active Sync, RPC & Auto-discover.

HTTPStatus: 401.1 means that the authentication is not successful or denied.

SC-Win32-Status : 1326 means that the provided credentials were incorrect (ERROR_LOGON_FAILURE).
                                1909 means that the authentication is failed as the account is in locked state.

There are some more Sc-Win32-status status codes which you may get in the output files, refer below for some of the error status codes:-

Sc-Win32-status
1326       -              The user name or password is incorrect.
1330       -              The password for this account has expired.
1331       -              This user can't sign in because this account is currently disabled.
1909       -              The referenced account is currently locked out and may not be logged on to.

Green marked are the ones we will find in maximum cases.
Please refer the below mentioned link for a list of IIS status codes.




In the Snapshot for Command 1, Nokia E63 is the lockout source with SC-Win32-Status code as 1326,  - which points out that the device is trying to authenticate using wrong credentials and the count field shows that device tried to authenticate 27 times , user has to update the password on the device or reconfigure the Active Sync account.

In the Snapshot of Command 2, this is showing every connection attempt separately with exact date & time, any of the command can be used depending on the requirement.

Hope this article will definitely help people in fixing account lockout issues quickly.