Recently I was alerted that a client had a user’s Active Directory account that was being locked out continually, even within 60 seconds of the account being unlocked. Looking at the Domain Controller logs, we were able to trace where the authentication attempt was being made from: one of the ISA servers, which means that someone was trying to log in to OWA with this user’s credentials and was continually locking the account, as the password wasn’t correct.
You would have thought this would have been a simple look-it-up-in-the-logs, but looking at the ISA logs was very frustrating, as I could never find the right variable to filter on to find out where the attempts were coming from.
Well, I eventually figured out how to do it, so I wrote up a quick procedure, for posterity:
From beginning to end:
1) Find which Domain Controller is handling the failed authentications. Look in its Security log for event ID 539 (Windows Server 2003) or 4625 (Windows Server 2008 and later); the lockout itself is recorded as event 644 / 4740 on the PDC emulator. The Workstation Name (or Caller Computer Name) field of those events tells you which ISA server the authentication attempts are coming from.
2) Filter the target ISA server's logs on the following parameter:
HTTP Status Code = 1909
Despite the column name, 1909 is not an HTTP status: it is the Win32 error code ERROR_ACCOUNT_LOCKED_OUT, which ISA writes into the same result-code column as HTTP statuses (labelled HTTP Status Code in the ISA log viewer, sc-status in the W3C log files) when the back-end logon is refused because the account is locked out. In this case that is the OWA logon being attempted through ISA.
3) Cross-reference the time stamps of those ISA entries with the DC's events to make sure you are looking at the same lockouts. Check the time zones first: W3C-format log files are usually stamped in UTC, while Event Viewer displays local time.
4) Once they line up, take the Client IP (c-ip) of those ISA entries; that is where the authentication attempts are coming from.
5) Nuke the IP from orbit (block it on the ISA firewall or upstream). If the address is a shared NAT or proxy, expect to cut off legitimate users behind it as well.
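Steps 2 to 4 are easy to script once the ISA log is exported as a W3C text file. The following is an added example, not code from the original post: it parses an ISA web-proxy log by its `#Fields:` directive, keeps the rows whose result code is 1909 for the account in question, matches each against Domain Controller failed-logon events within a few seconds, and tallies the client IPs. The log excerpt, the DC event list, the host names, user names and addresses are all constructed sample data; the column subset is trimmed, and a real file has more columns, which the parser handles because it reads the header.

```python
"""Correlate ISA Server web-proxy log rows carrying result code 1909
(ERROR_ACCOUNT_LOCKED_OUT) with Domain Controller logon-failure events, to find
the client IP behind repeated OWA logon attempts against one account.

Added example for this post, not the original author's code. The ISA excerpt is
constructed in the W3C layout ISA writes (a '#Fields:' directive, then
space-separated rows); the column subset, addresses, user names and times are
made up. DC_EVENTS is a constructed stand-in for what you would export from the
DC's Security log (event 4625, or 539 on Windows Server 2003).
"""
from collections import Counter
from datetime import datetime, timedelta

# Win32 ERROR_ACCOUNT_LOCKED_OUT. ISA writes it in the same column as HTTP
# statuses ("HTTP Status Code" in the log viewer, sc-status in W3C files).
ACCOUNT_LOCKED_OUT = "1909"
TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed ISA web-proxy log excerpt (sample data, not a real capture).
ISA_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2006
#Version: 2.0
#Date: 2010-03-04 13:00:00
#Fields: c-ip cs-username date time s-computername cs-uri sc-status
203.0.113.77 CORP\\jdoe 2010-03-04 13:00:05 ISA01 https://owa.example.com/owa/ 401
203.0.113.77 CORP\\jdoe 2010-03-04 13:00:31 ISA01 https://owa.example.com/owa/ 1909
198.51.100.10 CORP\\asmith 2010-03-04 13:00:40 ISA01 https://owa.example.com/owa/ 200
203.0.113.77 CORP\\jdoe 2010-03-04 13:01:12 ISA01 https://owa.example.com/owa/ 1909
203.0.113.77 CORP\\jdoe 2010-03-04 13:01:50 ISA01 https://owa.example.com/owa/ 1909
192.0.2.200 CORP\\jdoe 2010-03-04 13:05:00 ISA01 https://owa.example.com/owa/ 1909
"""

# Constructed DC Security-log events (event 4625 = failed logon; Workstation
# Name is the ISA server that forwarded the credentials).
DC_EVENTS = [
    {"time": "2010-03-04 13:00:30", "event_id": 4625, "account": "jdoe", "workstation": "ISA01"},
    {"time": "2010-03-04 13:01:11", "event_id": 4625, "account": "jdoe", "workstation": "ISA01"},
    {"time": "2010-03-04 13:01:49", "event_id": 4625, "account": "jdoe", "workstation": "ISA01"},
    {"time": "2010-03-04 13:03:00", "event_id": 4625, "account": "bjones", "workstation": "WKS-22"},
]


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue  # other directives (#Software, #Date) and blank lines
        if fields is None:
            raise ValueError("data row before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def lockout_sources(isa_rows, dc_events, account, window_seconds=5):
    """Steps 2-4 of the procedure in code.

    Returns (confirmed, unmatched): Counters of client IPs for ISA rows with
    sc-status 1909 for `account`. A row is 'confirmed' when a DC failed-logon
    event for the same account falls within `window_seconds` of it.
    """
    window = timedelta(seconds=window_seconds)
    dc_times = [datetime.strptime(e["time"], TIME_FMT)
                for e in dc_events if e["account"].lower() == account.lower()]
    confirmed, unmatched = Counter(), Counter()
    for row in isa_rows:
        if row["sc-status"] != ACCOUNT_LOCKED_OUT:
            continue
        # cs-username is DOMAIN\user; compare the user part only
        user = row["cs-username"].rsplit("\\", 1)[-1]
        if user.lower() != account.lower():
            continue
        when = datetime.strptime(f"{row['date']} {row['time']}", TIME_FMT)
        if any(abs(when - t) <= window for t in dc_times):
            confirmed[row["c-ip"]] += 1
        else:
            unmatched[row["c-ip"]] += 1
    return confirmed, unmatched


if __name__ == "__main__":
    confirmed, unmatched = lockout_sources(parse_w3c(ISA_LOG), DC_EVENTS, "jdoe")
    for ip, n in confirmed.most_common():
        print(f"{ip}: {n} locked-out OWA logons matched to DC events")
    for ip, n in unmatched.items():
        print(f"{ip}: {n} locked-out entries with no matching DC event (check time zone / other DC)")
```

Convert both sources to the same time zone before feeding them in; if every 1909 row lands in `unmatched`, the offset is almost always the cause, or the DC you exported from is not the one the ISA server is talking to. The `unmatched` bucket is also where a second attacker, or a second ISA node, shows up.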
-Josh