Hi,
we have a strange problem when user accounts get locked in AD. The source of lock is shown as UAG server. UAG has 1 https trunk, where OWA, ActiveSync and EWS published. Problem occurs not for all users, but for some particular.
When I check activity on TMG of UAG I can see source IP address field empty, as well as destination port =0.
User have iphone configured to connect to activesync. When phone connects I can see valid IP address of phone.
Here is TMG record for valid phone:
Log type: Web Proxy (Reverse)
Status: 0 The operation completed successfully.
Source: 94.234.170.63
Destination: -
Request:
Filter information: The user domain\user with source IP address 94.*.*.*was added to session 4F41832F9-FC0B-4CA8-89C2-62A179113DAB on trunk trunk1 (secure=1).
User: domain\user
Additional information
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 0 MIME type:
Problem record is:
Log type: Web Proxy (Reverse)Status: 0 The operation completed successfully.
Source: -
Destination: -
Request:
Filter information: User domain\user with source IP address failed to log into trunk trunk1 (secure=1) using authentication server tse with session ID B7274A43-C200-41C6-81F8-94DD9E23F31A. Error code is Logon failure: unknown user name or bad password.
User: domain\user
Additional information
Object source: (No source information is available.)
Cache info: 0x0
Processing time: 0 MIME type:
we tried to remove mail from iphone, but that doesn't help. Problem traffic is generated each 5-10 second. After 5 invalid attempts account get locked. Looks like brutforce attack, but we can't even see the source IP address....
P.S. account lockout works only for OWA and not anyhow prevent this traffic.
What to do next?
P.P.S. TMG and UAG are 2010 SP2 with latest updates.