How to Filter & Cross-Reference ISA logs for OWA Account Lockouts

Recently I was alerted that a client had a user’s Active Directory account that was being locked out continually, even within 60 seconds of the account being unlocked. Looking at the Domain Controller logs, we were able to trace where the authentication attempt was being made from–One of the ISA servers, which means that someone was trying to login to OWA with this user’s credentials, and was continually locking the account, as the password wasn’t correct.

You would have thought this would have been a simple look-it-up-in-the-logs, but looking at the ISA logs was very frustrating, as I could never find the right variable to filter on to find out where the attempts were coming from.

Well, I eventually figured out how to do it, so I wrote up a quick procedure, for posterity:

From beginning to end:

1) Find which Domain Controller is being used to authenticate the credentials (look for event 539 or 4625), and look at the logs to see which ISA server the authentication attempts are coming from.

2) Filter the target ISA logs on the following parameter:

HTTP Status Code = 1909

This is the HTTP status code that is generated when an account cannot be logged on because it is locked out. (Attempting to logon to OWA for this specific case)

3) Cross-reference the time stamps on the previous ISA lockout logs to the DC’s logs to make sure you have the right lockout logs

4) After verifying, look at the ISA lockout logs for the source IP from where the authentication attempts are coming from.

5) Nuke IP from Orbit.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

search previous next tag category expand menu location phone mail time cart zoom edit close