How to trace the source of repeated account lockout against Exchange server

Tags: active-directory, exchange, password, user-accounts

I have an AD user account that is being repeatedly and frequently locked out. I have been able to trace the lockout to the Exchange server CAS array; however, I am at a loss as to how to continue the investigation. The event logs on the Exchange (2013) servers indicate the lockout was sourced from msExchangeFrontEndTransport.exe but do not indicate what source the original auth request came from. I really would like to know any of the following (the more the better): source of auth IP/computer name, source of auth method (i.e. webmail, ActiveSync, Outlook client, etc.).

The event log, from what I've been able to dig through, does not indicate anything that would help track the origination point of the bad auth request. I'm 90% sure that I've ruled out any of the user's portable devices, as at one point we powered off all the user's devices and the lockout still occurred. This has been happening for weeks now, with over 600 auth attempts per day. I've renamed the user account as a workaround, but I really want to determine where this is coming from for security purposes. This is the only account suffering in this way. Any ideas would be greatly appreciated!

Best Answer

Look at the IIS logs on the CAS server, which will point you in the right direction. A common problem is a user with multiple devices that try to connect with an out of date password and lock out the account. However, it could be abuse.

2012-01-10 14:42:26 172.32.22.12 POST /Microsoft-Server-ActiveSync/default.eas User=ratishnair&DeviceId=Appl8xxxxx4S&DeviceType=iPhone&Cmd=FolderSync&Log=PrxFrom:10.123.33.88_Error:BackingOffMailboxServer_ 443 CONTOSO\CAS01$ 10.123.33.88 Apple-iPhone3C1/901.405 503 0 0 765

Log entry quoted from http://msexchangeguru.com/2012/02/01/exchange-activesync/

This shows the client IP, user name and device.
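As an added illustration of the approach in this answer (not code from the original post), the script below pivots a CAS IIS log on one account and tallies requests by client IP, virtual directory, user agent, device and outcome, so the client hammering the account stands out. It locates columns from the `#Fields:` header rather than by position, takes the account from the ActiveSync `User=` parameter or from `cs-username`, labels the two Windows logon error codes that matter here (1326 bad password, 1909 account locked out), and records the `Log=PrxFrom:` hint that marks a back-end entry proxied from another CAS. The field set, the log lines and every IP, user and device ID are constructed sample data. One caveat before reading IIS logs: the process named in the question, msExchangeFrontEndTransport.exe, is the Front End Transport service, which handles SMTP rather than HTTP, so authentication failures attributed to it are recorded in the SMTP receive connector protocol logs, not in IIS.

```python
"""Pivot a CAS IIS W3C log on one account to find who authenticates as it, from where, with what.

Added example; the field layout is IIS's default W3C set and every log line is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import parse_qs

# Windows error codes IIS writes into sc-win32-status for failed logons.
WIN32_LOGON_ERRORS = {"1326": "bad password", "1909": "account locked out"}

# Constructed sample (IPs from documentation ranges, invented users and device IDs).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2014-03-02 14:42:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-03-02 14:42:26 172.32.22.12 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=Appl8xxxxx4S&DeviceType=iPhone&Cmd=Ping 443 - 203.0.113.77 Apple-iPhone3C1/901.405 401 1 1326 15
2014-03-02 14:42:41 172.32.22.12 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=Appl8xxxxx4S&DeviceType=iPhone&Cmd=Ping 443 - 203.0.113.77 Apple-iPhone3C1/901.405 401 1 1326 12
2014-03-02 14:42:56 172.32.22.12 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=Appl8xxxxx4S&DeviceType=iPhone&Cmd=Ping 443 - 203.0.113.77 Apple-iPhone3C1/901.405 401 1 1326 14
2014-03-02 14:43:01 172.32.22.12 RPC_IN_DATA /rpc/rpcproxy.dll mbx.contoso.com:6001 443 CONTOSO\jdoe 192.0.2.15 MSRPC 200 0 0 120
2014-03-02 14:43:11 172.32.22.12 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=Appl8xxxxx4S&DeviceType=iPhone&Cmd=Ping 443 - 203.0.113.77 Apple-iPhone3C1/901.405 401 1 1909 9
2014-03-02 14:43:30 172.32.22.12 POST /owa/auth.owa - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+6.1) 302 0 0 40
2014-03-02 14:43:45 172.32.22.12 POST /Microsoft-Server-ActiveSync/default.eas User=asmith&DeviceId=SEC1A2B3C&DeviceType=SAMSUNGSMG900F&Cmd=Sync 443 CONTOSO\asmith 198.51.100.31 Android/4.4.2-EAS-1.3 200 0 0 30
2014-03-02 14:44:10 172.32.22.13 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=Appl8xxxxx4S&DeviceType=iPhone&Cmd=Ping&Log=PrxFrom:10.123.33.88_ 444 CONTOSO\CAS01$ 10.123.33.88 Apple-iPhone3C1/901.405 401 1 1326 8
"""


@dataclass(frozen=True)
class AuthEvent:
    client_ip: str      # c-ip: the TCP peer, a CAS if the request was proxied to a back end
    endpoint: str       # first path segment: Microsoft-Server-ActiveSync, owa, rpc, mapi, EWS ...
    user_agent: str
    device: str         # EAS DeviceType/DeviceId, or "-" for non-EAS traffic
    status: str         # HTTP status plus the decoded logon error, if any
    proxied_from: str   # CAS named in Log=PrxFrom:, or "-"


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))


def user_of(rec):
    """Account a request was for: the EAS User= parameter wins, else cs-username (domain stripped)."""
    q = parse_qs(rec.get("cs-uri-query", "-"))
    name = q.get("User", [None])[0] or rec.get("cs-username", "-")
    return name.rsplit("\\", 1)[-1].lower()


def to_event(rec):
    q = parse_qs(rec.get("cs-uri-query", "-"))
    device = f"{q.get('DeviceType', ['-'])[0]}/{q['DeviceId'][0]}" if "DeviceId" in q else "-"
    code = rec.get("sc-win32-status", "0")
    label = WIN32_LOGON_ERRORS.get(code)
    status = f"{rec['sc-status']} {label} ({code})" if label else rec["sc-status"]
    prx = re.search(r"PrxFrom:([\d.]+)", rec.get("cs-uri-query", ""))
    return AuthEvent(
        client_ip=rec.get("c-ip", "-"),
        endpoint=rec.get("cs-uri-stem", "/").strip("/").split("/")[0] or "-",
        user_agent=rec.get("cs(User-Agent)", "-"),
        device=device,
        status=status,
        proxied_from=prx.group(1) if prx else "-",
    )


def summarize(text, account):
    """(AuthEvent, count) pairs for one account, most frequent first."""
    account = account.lower()
    counts = Counter(to_event(r) for r in parse_w3c(text) if user_of(r) == account)
    return counts.most_common()


if __name__ == "__main__":
    for ev, n in summarize(SAMPLE_LOG, "jdoe"):
        print(f"{n:4d}  {ev.client_ip:15s} {ev.endpoint:28s} {ev.status:30s} {ev.device}  {ev.user_agent}"
              + (f"  (proxied from {ev.proxied_from})" if ev.proxied_from != "-" else ""))
```

Run it against a real log with `summarize(open(path, encoding="utf-8").read(), "jdoe")`; the top row is the client IP and device producing the bad-password 401s, and the rows tagged `account locked out` show who keeps hitting the account after it locks. A row whose `proxied_from` is set came from a back-end (port 444) log and names the CAS that proxied it, so the true client IP is in that CAS's own front-end log. Form-based OWA logons (`POST /owa/auth.owa`) carry no username until they succeed, so they do not attribute to the account here; check the client IPs of those POSTs around the lockout timestamps separately.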