event 4625, type 8, account locking
Hi
When using the New-TestCasConnectivityUser.PS1 script to create test mailboxes for OWA, ActiveSync, and Exchange Web Services connectivity monitoring, the CAS user account created by running the script gets locked out
By default, ASP.net impersonation is not enabled on the RPC and RPC with Certs virtual directories for Exchange Server. This is by design.
The steps below will allow SCOM to successfully use the script, but Microsoft recommends using this only in testing. In a production Exchange environment, ASP.net impersonation should not be enabled.
To enable ASP.net impersonation on the RPC and RPC with Certs virtual directory, use the following steps:
Go to IIS.
Go to default website.
Under default website, you will see the virtual directories RPC and RPC with Certs.
Click on RPC. On the right youd see Authentication, double click, and click ASP.net impersonation, enable it.
Repeat this process for RPC with Certs virtual directory.
Restart.
TechNet Subscriber Support
in forum
If you have any feedback on our support, please contact
tngfb@microsoft.comTerence Yu
TechNet Community Support
August 25th, 2012 4:10am
why would i want to enable it? what is using asp.net impersonation? this is only happenming on 2 accounts
Free Windows Admin Tool Kit Click here and download it now
August 25th, 2012 11:01am
these are full user accounts. they do have owa, and active sync enabled.
August 25th, 2012 11:40am
i checked for devices(phones and such) and neither user has any devices
Free Windows Admin Tool Kit Click here and download it now
August 25th, 2012 11:41am
that event is a logon failure. and when it happens 3 times in a row it locks the account. i have since disabled owa, and active sync on her mailbox and i am still getting the logon failures from the same place.
August 25th, 2012 12:12pm
below is the full event
EventData
SubjectUserSid
S-1-5-18
SubjectUserName
API-EXCH-MEM$
SubjectDomainName
API
SubjectLogonId
0x3e7
TargetUserSid
S-1-0-0
TargetUserName
cmccray
TargetDomainName
apimem
Status
0xc000006d
FailureReason
%%2313
SubStatus
0xc000006a
LogonType
8
LogonProcessName
Advapi
AuthenticationPackageName
Negotiate
WorkstationName
API-EXCH-MEM
TransmittedServices
-
LmPackageName
-
KeyLength
0
ProcessId
0x142c
ProcessName
C:\Windows\System32\inetsrv\w3wp.exe
IpAddress
108.71.151.71
IpPort
60984
i track down the ip its from and it always comes from one or another seemingly harmless ip. im not sure what to make of this one. this is the exchange server the logs are on.
Free Windows Admin Tool Kit Click here and download it now
August 25th, 2012 4:34pm
Hi
thanks for your update. are they test account for owa,ews ?Terence Yu
TechNet Community Support
August 25th, 2012 8:10pm
Hi
Thanks for your update. I need detail of your user issue.
Two user accounts are locked and you find event 4625 from event viewer.
Can you find any logon failure on your server ?Terence Yu
TechNet Community Support
Free Windows Admin Tool Kit Click here and download it now
August 25th, 2012 9:16pm
Hi
Does this client get virus ? Is logon time correct ?Terence Yu
TechNet Community Support
August 25th, 2012 9:36pm