I've been receiving failed login attempts: no IP, no username or any useful information.
The server has Exchange 2013 and IIS installed. Mailbox Server (MBX) Information Store component is installed on this server.
The Exchange server is working well.
After thorough investigation, it is found that an application pool is causing this. We found this by executing the command "appcmd list wps" and matching the output with the process ID in the event log. It is found that app pool "MSExchangeServicesAppPool" is the culprit causing these failed login events.
Kindly let us know what could be the issue in the configuration that is causing this issue.
Below is the event:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: SERVER-EXCHANGE$
Account Domain: DOMAIN
Logon ID: 0x3E7
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:
Failure Information:
Failure Reason: Account currently disabled.
Status: 0xC000006E
Sub Status: 0xC0000072
Process Information:
Caller Process ID: 0x38cc
Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe
Network Information:
Workstation Name: SERVER-EXCHANGE
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Authz
Authentication Package: Kerberos
Transited Services: -
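
The matching step described in the post (hex Caller Process ID against "appcmd list wps") can be scripted. The following is an added example, not part of the original post: the event fields are copied from the event above, while the appcmd output lines, the second pool and the function names are constructed for illustration.

```python
import re

# Fields copied from the event posted above (only the ones used here).
EVENT_TEXT = """\
Logon Type: 3
Failure Reason: Account currently disabled.
Status: 0xC000006E
Sub Status: 0xC0000072
Caller Process ID: 0x38cc
Caller Process Name: C:\\Windows\\System32\\inetsrv\\w3wp.exe
Source Network Address: -
"""

# Constructed sample of `appcmd list wps` output (assumption, not from the post).
APPCMD_OUTPUT = """\
WP "6124" (applicationPool:DefaultAppPool)
WP "14540" (applicationPool:MSExchangeServicesAppPool)
"""

# NTSTATUS codes that appear in the event's Status / Sub Status fields.
NTSTATUS = {
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
}

def parse_event(text):
    """Return {field name: value} for 'Name: value' lines; empty values are kept."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def parse_worker_processes(appcmd_text):
    """Map decimal PID -> application pool name from `appcmd list wps` lines."""
    pattern = re.compile(r'WP "(\d+)" \(applicationPool:(.+)\)')
    return {int(m.group(1)): m.group(2) for m in pattern.finditer(appcmd_text)}

def triage(event_text, appcmd_text):
    ev = parse_event(event_text)
    pid = int(ev["Caller Process ID"], 16)  # the event logs the PID in hex
    pools = parse_worker_processes(appcmd_text)
    return {
        "pid": pid,
        "app_pool": pools.get(pid),  # None if no listed worker has this PID
        "status": NTSTATUS.get(int(ev["Status"], 16), ev["Status"]),
        "sub_status": NTSTATUS.get(int(ev["Sub Status"], 16), ev["Sub Status"]),
        "no_source_address": ev["Source Network Address"] == "-",
    }

if __name__ == "__main__":
    print(triage(EVENT_TEXT, APPCMD_OUTPUT))
```

The lookup has to be done while the worker process is still running; after the pool recycles, w3wp.exe gets a new PID and the match returns nothing.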