Event ID 4625 does not show Source Network Address when caller process is EdgeTransport.exe

Greetings, I have been researching this problem for a better part of the day and have not found any definitive answer regarding what I am trying to accomplish.

When a bad password attempt is logged on our Exchange 2010 Version 14.3 server, an entry is created in the Security event log which indicates the caller process, workstation name, and source network address. I have found that OWA and ActiveSync password failures will show that the caller process is W3WP.exe and indicate the source address that the bad password was attempted from.

I am troubleshooting a user account which is locking out sporadically, and have not been able to find much information regarding how to log verbose details of bad password attempts from edgetransport.exe to the event viewer. Most of the suggestions I see state that an IDS in front of our mail server is the solution. I understand that in this scenario I would be able to correlate time stamps of the bad password attempts in our domain controller's netlogon.log with the source addresses attempting to connect. However, at this point in time I am unable to implement such a device.

I am simply looking for a way to determine the source address of failed logon attempts from edgetransport.exe. Was this designed in such a way that what I am trying to accomplish is impossible? If so I am open to any other suggestions from the community regarding how I can track this down.

Thanks for re

June 25th, 2015 6:22pm

Hi,

Have you seen this thread?

https://social.technet.microsoft.com/Forums/office/en-US/16f97e78-aac5-4baf-9b81-7b5e3a32a3bf/event-id-4625?forum=winserverNAP

It's by design. I searched around and checked the event viewer in my lab, and I found that I have many of the same events as yours.

Best Re

June 26th, 2015 3:26am

Hi Lynn-Li, 

Respectfully I am going to disagree with that statement. I have many other Event ID 4625 entries which indicate different caller process names. All of those events are able to gather the source network address and other verbose details. My problem is specifically when the caller process name is EdgeTransport.exe.

The link you posted did not have any mention of this process name, nor was it the same problem that I was having. I see that there was a link to a KB article/hotfix within that forum post, however it was not the same problem that I am experiencing.

I appreciate your input. If there is any more information I can provide please let me know and I will share what I am able to disclose.

Cheers.

June 26th, 2015 10:41am

I am hoping that there is an Exchange Server expert who will be available to weigh in on this matter.

We have come to understand that the EdgeTransport service handles all SMTP traffic; however, I have not found any resources which list the different ways that this service accepts connections. If anyone knows how to attempt login to an Exchange server in a way that will use EdgeTransport.exe, I would be grateful to know.

Many others have had the same question, and the only feasible suggestions I have seen are to install an IDS/IPS in front of the Exchange Server and use drop rules to block connections which fail to authenticate X amount of times. We are exploring this option now since I have not been able to determine the source of the login attempts.

I will be sure to update this thread with any information I have regarding a resolution in hopes that it will help someone else.

July 9th, 2015 2:38pm
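The timestamp correlation the original poster describes, as an added example that is not from this thread: instead of netlogon.log it joins the EdgeTransport.exe 4625 events (whose IpAddress field is "-") with the Exchange SMTP receive connector protocol logs, which do record the remote endpoint of each session. It assumes verbose protocol logging is enabled on the receive connectors (`Set-ReceiveConnector -ProtocolLoggingLevel Verbose`), that the log directory below is the Exchange 2010 default, and that the account name, lookback and ±2 second window are placeholders to adjust.

```powershell
# Added example, not code from the thread. Assumptions: protocol logging is Verbose on the
# receive connectors, the log path is the Exchange 2010 default, and the user/window values
# are placeholders.
param(
    [string]$TargetUser     = 'locked.user',   # placeholder: the account that keeps locking out
    [string]$ProtocolLogDir = 'C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\ProtocolLog\SmtpReceive',
    [int]$LookbackHours     = 24,
    [int]$WindowSeconds     = 2
)

# 1. Collect 4625 events raised by EdgeTransport.exe for the target account.
#    The EventData fields are read from the event XML so the IpAddress/ProcessName
#    names match what Event Viewer shows as "Source Network Address"/"Caller Process Name".
$edgeFailures = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUserName
                           Process = $d.ProcessName; IpAddr = $d.IpAddress }
    } | Where-Object { $_.Process -like '*EdgeTransport.exe' -and $_.User -eq $TargetUser }

# 2. Load SMTP receive protocol log rows where the server answered an AUTH with a 535
#    ("Authentication unsuccessful"). '#' lines are the Exchange log header; the CSV
#    column names below are the ones Exchange writes in its "#Fields:" line.
$cols = 'date-time','connector-id','session-id','sequence-number','local-endpoint',
        'remote-endpoint','event','data','context'
$authFailures = Get-ChildItem -Path $ProtocolLogDir -Filter '*.log' | ForEach-Object {
        Get-Content $_.FullName | Where-Object { $_ -notmatch '^#' } |
            ConvertFrom-Csv -Header $cols
    } | Where-Object { $_.data -match '^535 ' }

# 3. Join by time: every EdgeTransport 4625 is reported with the remote endpoint(s) of
#    the 535 responses logged within +/- $WindowSeconds of it. Protocol log times are UTC
#    with a trailing 'Z', which [datetime] converts to local time for comparison.
foreach ($f in $edgeFailures) {
    $hits = $authFailures | Where-Object {
        [math]::Abs(([datetime]$_.'date-time' - $f.Time).TotalSeconds) -le $WindowSeconds
    }
    [pscustomobject]@{
        EventTime      = $f.Time
        User           = $f.User
        SourceFrom4625 = $f.IpAddr                       # expected to be '-'
        RemoteEndpoint = (@($hits.'remote-endpoint' | Select-Object -Unique) -join ';')
    }
}
```

Several sessions can fail AUTH in the same second, so an empty or multi-valued RemoteEndpoint column means the window needs tightening or the session-id column should be inspected by hand.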
