Wednesday, November 12, 2014

Update: Locked accounts

This post is related to a previous post.

We have recently been receiving several incidents regarding accounts that are getting locked out. Our Service Desk and Desktop teams have been unable to find the cause, so they escalated to us. Following the log trail, we found that these accounts are normally getting locked out at our CAS server. This was easy enough to determine using a Microsoft tool called LockoutStatus; however, we had been unable to determine exactly what was causing them to get locked out on the CAS server, and we would simply inform the user that their account was being locked out by a smart device using ActiveSync.

I recently found in this article, though, that there is a way to figure out exactly which device is causing the issue by looking at the IIS logs on the CAS server. The article explains in detail what the log looks like and what each field means.

I'll try to provide a bit of a summary, but please visit the full article for more details. 

The logs can be found in the following locations:

  • In Windows Server 2003: C:\WINDOWS\system32\LogFiles
  • In Windows Server 2008: C:\inetpub\logs\LogFiles\W3SVC1
  • In Windows Server 2012: I believe it should be the same but since we don't have a CAS server on a 2012 machine I wasn't able to confirm.

Here is the example provided, and I'll try to break it down as I understood it:

2012-01-10 14:42:26 POST /Microsoft-Server-ActiveSync/default.eas User=ratishnair&DeviceId=Appl8xxxxx4S&DeviceType=iPhone&Cmd=FolderSync&Log=PrxFrom: 443 CONTOSO\CAS01$ 503 0 0 765

  • : The IP address the command was sent to.
  • POST : The HTTP method of the request recorded in the log.
  • /Microsoft-Server-ActiveSync/ : States that the request is an ActiveSync request.
  • Default.eas : States the ActiveSync policy - this might vary depending on your settings.
  • User= : The username running the command.
  • DeviceID= : The ID assigned to the ActiveSync device by the Exchange server when it was first set up.
  • DeviceType= : The device model - we've been using this to point users to the device having issues.
  • Apple-Iphone3C1/901.405 : The device's firmware version.
  • 503 : This is the HTTP status code, which can be any of the ones found below:
    • 200 – Authentication pass
    • 400 – Bad/invalid request
    • 401 and 403 – Unauthorized/server refusing request
    • 404  – File not found
    • 449 – Retry
    • 500 – Server error
    • 503 – Service unavailable
  • 0 0 765 : I'm not 100% sure what this part means; however, the last 3 digits appear to change from log to log. I'm doing further research on this.
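The breakdown above is enough to automate the hunt instead of reading the log by eye. The script below is an added example, not code from the original post or the linked article: it parses IIS W3C log lines (reading the #Fields header IIS writes, so the column order is not hard-coded), keeps only the /Microsoft-Server-ActiveSync requests, decodes the User, DeviceId and DeviceType query parameters, and counts 401/403 responses per device, so the device that keeps presenting a stale password stands out. The log rows are constructed for the example; the field names assume IIS's default W3C logging fields (where the trailing sc-substatus, sc-win32-status and time-taken columns are what the `0 0 765` at the end of the post's example line corresponds to), and the lockout threshold is a hypothetical value. On the CAS box itself you would more likely do this with PowerShell or Log Parser; the logic is the same.

```python
"""Find which ActiveSync device is generating failed authentications in an
IIS W3C log from an Exchange CAS server (added example, not from the post)."""
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample log excerpt (not taken from the original post). IIS writes
# the #Fields header itself; the data rows imitate the post's example line.
# sc-substatus/sc-win32-status of 1/1326 is how a failed logon shows up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-01-10 14:42:26 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=ratishnair&DeviceId=Appl8xxxxx4S&DeviceType=iPhone&Cmd=FolderSync 443 CONTOSO\\ratishnair 192.0.2.10 Apple-iPhone3C1/901.405 401 1 1326 15
2012-01-10 14:42:31 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=ratishnair&DeviceId=Appl8xxxxx4S&DeviceType=iPhone&Cmd=Ping 443 CONTOSO\\ratishnair 192.0.2.10 Apple-iPhone3C1/901.405 401 1 1326 12
2012-01-10 14:42:36 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=ratishnair&DeviceId=Appl8xxxxx4S&DeviceType=iPhone&Cmd=Ping 443 CONTOSO\\ratishnair 192.0.2.10 Apple-iPhone3C1/901.405 401 1 1326 11
2012-01-10 14:42:40 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=ratishnair&DeviceId=SEC1A2B3C4D5&DeviceType=SAMSUNGGTI9300&Cmd=Sync 443 CONTOSO\\ratishnair 192.0.2.11 Android/4.1.2 200 0 0 765
2012-01-10 14:42:45 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=Appl9yyyyy5S&DeviceType=iPhone&Cmd=Sync 443 CONTOSO\\jdoe 192.0.2.12 Apple-iPhone4C1/902.176 200 0 0 402
2012-01-10 14:42:50 10.0.0.5 GET /owa/ - 443 CONTOSO\\jdoe 192.0.2.12 Mozilla/5.0 200 0 0 31
2012-01-10 14:42:55 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas User=ratishnair&DeviceId=Appl8xxxxx4S&DeviceType=iPhone&Cmd=Ping 443 CONTOSO\\ratishnair 192.0.2.10 Apple-iPhone3C1/901.405 503 0 0 9
"""

# HTTP status codes the post lists as authentication refusals.
AUTH_FAILURE_STATUSES = {401, 403}


def parse_iis_log(text):
    """Yield one dict per data row, keyed by the names in the #Fields header.

    IIS can write several #Fields headers in one file (after a restart or a
    logging change), so the current header is tracked while reading.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Date, ...) carry no data
        if fields is None:
            continue  # data before any header cannot be interpreted
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated row: skip rather than misalign
        yield dict(zip(fields, values))


def activesync_requests(text):
    """Return ActiveSync rows with the query string decoded into a dict."""
    for row in parse_iis_log(text):
        if not row["cs-uri-stem"].lower().startswith("/microsoft-server-activesync"):
            continue
        row["query"] = {k: v[0] for k, v in parse_qs(row["cs-uri-query"]).items()}
        row["status"] = int(row["sc-status"])
        yield row


def failed_auths_by_device(text):
    """Count 401/403 responses per (user, device id, device type)."""
    counts = Counter()
    for row in activesync_requests(text):
        if row["status"] in AUTH_FAILURE_STATUSES:
            q = row["query"]
            counts[(q.get("User", "?"), q.get("DeviceId", "?"), q.get("DeviceType", "?"))] += 1
    return counts


def suspect_devices(text, threshold=3):
    """Devices whose failed-auth count reaches the lockout threshold, worst first.

    `threshold` is a hypothetical value; use your domain's real lockout threshold.
    """
    return [(key, n) for key, n in failed_auths_by_device(text).most_common() if n >= threshold]


if __name__ == "__main__":
    for (user, device_id, device_type), n in suspect_devices(SAMPLE_LOG):
        print(f"{user}: {device_type} ({device_id}) sent {n} failed authentications")
```

Run against a real log, the output names the user, device type and DeviceId to give the Service Desk, which is exactly the information the breakdown above extracts by hand; on a busy CAS server, group by date as well, since the same device will show up again after each lockout window expires.
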

Well, I hope this might help you troubleshoot this type of issue! I know it will help us a lot, and I am even thinking about allowing the Service Desk read access to these logs, though our Exchange admins aren't too fond of the idea, yet.