event 4625, type 8, account locking
Hi,

When using the New-TestCasConnectivityUser.PS1 script to create test mailboxes for OWA, ActiveSync, and Exchange Web Services connectivity monitoring, the CAS user account created by running the script gets locked out.

By default, ASP.net impersonation is not enabled on the RPC and RPC with Certs virtual directories for Exchange Server. This is by design. The steps below will allow SCOM to successfully use the script, but Microsoft recommends using this only in testing. In a production Exchange environment, ASP.net impersonation should not be enabled.

To enable ASP.net impersonation on the RPC and RPC with Certs virtual directory, use the following steps:

1. Go to IIS.
2. Go to default website.
3. Under default website, you will see the virtual directories RPC and RPC with Certs.
4. Click on RPC.
5. On the right you'd see Authentication, double click, and click ASP.net impersonation, enable it.
6. Repeat this process for RPC with Certs virtual directory.
7. Restart.

TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com

Terence Yu
TechNet Community Support
August 25th, 2012 4:10am

Why would I want to enable it? What is using ASP.net impersonation? This is only happening on 2 accounts.
August 25th, 2012 11:01am

These are full user accounts. They do have OWA and ActiveSync enabled.
August 25th, 2012 11:40am

I checked for devices (phones and such) and neither user has any devices.
August 25th, 2012 11:41am

That event is a logon failure, and when it happens 3 times in a row it locks the account. I have since disabled OWA and ActiveSync on her mailbox and I am still getting the logon failures from the same place.
August 25th, 2012 12:12pm

Below is the full event:

EventData
SubjectUserSid S-1-5-18
SubjectUserName API-EXCH-MEM$
SubjectDomainName API
SubjectLogonId 0x3e7
TargetUserSid S-1-0-0
TargetUserName cmccray
TargetDomainName apimem
Status 0xc000006d
FailureReason %%2313
SubStatus 0xc000006a
LogonType 8
LogonProcessName Advapi
AuthenticationPackageName Negotiate
WorkstationName API-EXCH-MEM
TransmittedServices -
LmPackageName -
KeyLength 0
ProcessId 0x142c
ProcessName C:\Windows\System32\inetsrv\w3wp.exe
IpAddress 108.71.151.71
IpPort 60984

I track down the IP it's from and it always comes from one or another seemingly harmless IP. I'm not sure what to make of this one. This is the Exchange server the logs are on.
August 25th, 2012 4:34pm
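
A triage sketch for the event quoted above, added as an example and not part of the original thread: it decodes the LogonType and SubStatus fields of 4625 events exported as XML and groups failures per account by source address. The sample events are constructed (the first reuses the values from the post), and the internal address ranges and helper names are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOGON_TYPES = {"2": "Interactive", "3": "Network", "8": "NetworkCleartext", "10": "RemoteInteractive"}
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC0000064: "STATUS_NO_SUCH_USER", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}
# Assumption: the organisation's internal ranges; adjust to the real network.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def make_event(user, ip, port):
    """Build a constructed 4625 event in Event Viewer's XML shape (hypothetical helper)."""
    fields = {"TargetUserName": user, "Status": "0xc000006d", "SubStatus": "0xc000006a",
              "LogonType": "8", "ProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
              "IpAddress": ip, "IpPort": port}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4625</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

def parse_4625(xml_text):
    """Return the decoded EventData of one 4625 event, or None for other event IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        return None
    d = {n.get("Name"): (n.text or "") for n in root.findall("e:EventData/e:Data", NS)}
    d["LogonTypeName"] = LOGON_TYPES.get(d.get("LogonType"), "other")
    d["SubStatusName"] = NTSTATUS.get(int(d.get("SubStatus") or "0", 16), "unknown")
    d["ViaIIS"] = d.get("ProcessName", "").lower().endswith(r"\w3wp.exe")
    return d

def summarize(xml_events):
    """Per target account: failure count, decoded reasons, external source IPs, IIS flag."""
    out = defaultdict(lambda: {"failures": 0, "reasons": set(), "external_ips": set(), "via_iis": False})
    for ev in filter(None, map(parse_4625, xml_events)):
        row = out[ev["TargetUserName"].lower()]
        row["failures"] += 1
        row["reasons"].add(ev["SubStatusName"])
        # Type 8 from w3wp.exe means the password reached an IIS application in clear text.
        row["via_iis"] |= ev["ViaIIS"] and ev["LogonTypeName"] == "NetworkCleartext"
        try:
            ip = ipaddress.ip_address(ev["IpAddress"])
        except ValueError:
            continue  # "-" or empty when no network source was recorded
        if not any(ip in net for net in INTERNAL):
            row["external_ips"].add(str(ip))
    return dict(out)

# Constructed input: the first event mirrors the thread, the other two are made up.
SAMPLE = [make_event("cmccray", "108.71.151.71", "60984"),
          make_event("cmccray", "203.0.113.9", "51544"), make_event("cmccray", "10.0.0.25", "49811")]
```

An account whose summary shows `via_iis` set and several entries in `external_ips` is worth correlating with the IIS logs for the same timestamps and client addresses to see which virtual directory received the requests.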

Hi,

Thanks for your update. Are they test accounts for OWA, EWS?

Terence Yu
TechNet Community Support
August 25th, 2012 8:10pm

Hi,

Thanks for your update. I need details of your user issue. Two user accounts are locked and you find event 4625 in Event Viewer. Can you find any logon failure on your server?

Terence Yu
TechNet Community Support
August 25th, 2012 9:16pm

Hi,

Does this client get a virus? Is the logon time correct?

Terence Yu
TechNet Community Support
August 25th, 2012 9:36pm

This topic is archived. No further replies will be accepted.
