Confusing Logon failures

    Hi everyone - a bit of a confusing problem with NTLM authentication requests being sent to our customer's Exchange server. Here's the setup:

    2 separate domains, no trusts or anything. This is due to PCI compliance.

    The Exchange server is the only thing on Domain A that is accessible from Domain B.

    It's a big retail operation, and servers on Domain B have to send out automated emails to suppliers when stock levels reach a certain point.

    Bear with me...


    Servers on Domain B use an IMAP connection in Outlook Express (don't ask...) to connect to the Exchange server on Domain A using the credentials of a user for that location (created on Domain A), i.e. there are 75 branches across the UK, and each has a generic user account purely for sending these automated order emails, in the format DomainA\BRANCH01, DomainA\BRANCH02 etc.


    We are getting thousands of failed logon attempts on the Exchange server (although I think this is confusing/irrelevant), not from the above-mentioned user accounts, but from the Domain B domain administrator account (DomainB\Administrator).

    The servers have to stay logged in as the Domain B administrator (but locked) so various non-service-based processes can run, but none, as far as I can see, should send NTLM authentication requests to Domain A's Exchange server, and Outlook Express is using IMAP with the DomainA\Branch01, 02, 03 etc. accounts...

    So, in short:

    Is there any way I can trace outgoing NTLM requests on Domain B's servers, and then perhaps disable it?

    If you've made it this far into this post - well done, and thanks for your patience!

    Any ideas would be greatly appreciated.

  • #2
    Re: Confusing Logon failures

    Hi,

    OK, so Domain A and Domain B are two different forests, is that right?

    You are getting failed logon attempts on the Domain A DC from the DomainB\Administrator account.

    What is your DFL/FFL and OS [NTLM logging is different for W2K3 and W2K8]?

    In the event viewer on the Domain A DC, does it give you the computer account / IP address from where the failed logons are coming? Can you post the event? Actually, since the Administrator of Domain B will never be able to authenticate, as there is no trust, it is bound to fail.

    What is the frequency of logging ?
    Thanks & Regards
    v-2nas

    MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
    Sr. Wintel Eng. (Investment Bank)
    Independent IT Consultant and Architect
    Blog: http://www.exchadtech.blogspot.com

    Show your appreciation for my help by giving reputation points



    • #3
      Re: Confusing Logon failures

      Hi v-2nas - thanks for replying.

      Yeah, two completely separate forests.

      DomainA has 2K8 DCs and the Exchange server. FFL/DFL is 2003.
      DomainB servers, which are forwarding the NTLM auth requests, are Windows 2003. It probably doesn't matter, but the DCs are all 2K8 and FFL/DFL is 2008.

      There are between 2 and 4 requests per 2 minutes per store, although it's sometimes less. I can't see a pattern. I also can't see anything related on the servers in DomainB.

      Thanks again.

      Example Event below from the Exchange Server in DomainA:



      An account failed to log on.

      Subject:
      Security ID: NULL SID
      Account Name: -
      Account Domain: -
      Logon ID: 0x0

      Logon Type: 3

      Account For Which Logon Failed:
      Security ID: NULL SID
      Account Name: Administrator
      Account Domain: DomainB

      Failure Information:
      Failure Reason: Unknown user name or bad password.
      Status: 0xc000006d
      Sub Status: 0xc000006a

      Process Information:
      Caller Process ID: 0x0
      Caller Process Name: -

      Network Information:
      Workstation Name: STORE47SRV01
      Source Network Address: -
      Source Port: -

      Detailed Authentication Information:
      Logon Process: NtLmSsp
      Authentication Package: NTLM
      Transited Services: -
      Package Name (NTLM only): -
      Key Length: 0

      This event is generated when a logon request fails. It is generated on the computer where access was attempted.

      The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

      The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

      The Process Information fields indicate which account and process on the system requested the logon.

      The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

      The authentication information fields provide detailed information about this specific logon request.
      - Transited services indicate which intermediate services have participated in this logon request.
      - Package name indicates which sub-protocol was used among the NTLM protocols.
      - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

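An added example, not part of the thread: a small Python parser for 4625 events exported as text in the layout quoted above. It keys each field by the section it sits in (so the "Account Name" under "Subject:" is not confused with the one under "Account For Which Logon Failed:"), decodes the well-known Sub Status codes, counts failures per account and workstation, and flags any account whose domain is not one the target server should ever see. The sample events are constructed for the example and modelled on the single event in the post; the trusted-domain set and the extra Sub Status mappings are assumptions, not something the thread states.

```python
import re
from collections import Counter

# Standard NTSTATUS sub-status values for event 4625 (assumption: the thread only
# shows 0xc000006a; the others are well-known Windows values added here).
SUBSTATUS = {
    "0xc000006a": "wrong password",
    "0xc0000064": "user name does not exist",
    "0xc0000072": "account disabled",
    "0xc0000234": "account locked out",
    "0xc000006f": "logon outside permitted hours",
    "0xc0000070": "workstation restriction",
}


def sample_event(user, domain, workstation, sub="0xc000006a"):
    """Constructed 4625 event body in the layout quoted in the thread."""
    return f"""An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: {user}
Account Domain: {domain}

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: {sub}

Network Information:
Workstation Name: {workstation}
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
"""


# Constructed sample log (not real data): several stores, one foreign account.
SAMPLE_LOG = "\n".join([
    sample_event("Administrator", "DomainB", "STORE47SRV01"),
    sample_event("Administrator", "DomainB", "STORE47SRV01"),
    sample_event("Administrator", "DomainB", "STORE12SRV01"),
    sample_event("BRANCH01", "DomainA", "STORE01SRV01", sub="0xc0000064"),
])


def parse_4625(text):
    """Split exported 4625 text into dicts keyed by (section, field name)."""
    events = []
    for chunk in re.split(r"(?=An account failed to log on\.)", text):
        if not chunk.startswith("An account failed to log on."):
            continue
        fields, section = {}, None
        for raw in chunk.splitlines():
            line = raw.strip()
            if not line or ":" not in line:
                continue
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if value == "":          # bare header such as "Subject:" opens a section
                section = key
            else:
                fields[(section, key)] = value
        events.append(fields)
    return events


def field(ev, section, key):
    return ev.get((section, key), "-")


def summarize(events, trusted_domains):
    """Count failures per (account, workstation, reason) and flag accounts from a
    domain the server has no trust with: those can never succeed and point at a
    misconfigured client rather than a password problem."""
    counts, foreign = Counter(), set()
    for ev in events:
        user = field(ev, "Account For Which Logon Failed", "Account Name")
        domain = field(ev, "Account For Which Logon Failed", "Account Domain")
        ws = field(ev, "Network Information", "Workstation Name")
        sub = field(ev, "Failure Information", "Sub Status").lower()
        account = f"{domain}\\{user}"
        counts[(account, ws, SUBSTATUS.get(sub, sub))] += 1
        if domain not in trusted_domains:
            foreign.add(account)
    return counts, foreign


if __name__ == "__main__":
    counts, foreign = summarize(parse_4625(SAMPLE_LOG), {"DomainA"})
    for (account, ws, reason), n in sorted(counts.items()):
        print(f"{n:4d}  {account:<24} from {ws:<14} ({reason})")
    print("accounts from untrusted domains:", sorted(foreign))
```

The Workstation Name field is the only origin information these NTLM events carry (Source Network Address is "-"), so grouping on it is what ties each failure back to a specific STORExxSRV01 box; on a real server, export the Security log with wevtutil or Get-WinEvent and feed the text in unchanged.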


      • #4
        Re: Confusing Logon failures

        Do the rest of us a favour and don't use that green font; I can hardly read it!
        I think most readers will distinguish A and B without the colour coding.
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **



        • #5
          Re: Confusing Logon failures

          Hi,

          What is this workstation STORE47SRV01 [that talks to Domain A] running, and what makes it contact Domain A? Do you see the same workstation name across all events?

          In W2K8, NTLM logging has changed to tracing, and you wouldn't require pdb files or symbol files to read the trace, which is private and held by Microsoft alone.

          One thing you can try (though I am not sure about the success rate) is to take a Netmon trace on the Domain A DC where you have the event logs and then filter for NTLM traffic.
          Since NTLM is a challenge handshake protocol, you would see messages.

          NTLM uses three different NTLM message types to complete a handshake for a given request. These are:

          1. NTLM Type-1 Message: This contains the hostname, the domain name, and the fact that it is an NTLM Type-1 request, to initiate the correct stage in the handshake.
          2. NTLM Type-2 Message: This contains an NTLM challenge from the server.
          3. NTLM Type-3 Message: This contains DOMAIN, USERNAME, and Workstation\Hostname.

          Then try to see from where the requests are coming.
          Thanks & Regards
          v-2nas
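An added example, not part of the thread, showing the three messages just described in working code: it serialises and decodes NTLMSSP NEGOTIATE (Type 1), CHALLENGE (Type 2) and AUTHENTICATE (Type 3) messages using the MS-NLMP field layout, then walks a constructed SMTP "AUTH NTLM" dialogue (the base64 payloads one would see in a Netmon or Wireshark follow-stream view) and pulls the DOMAIN, USERNAME and workstation out of the Type 3. The LM/NT responses are zero-filled placeholders, not computed NTLM hashes, and the hostnames, domains and challenge bytes are made up for the example.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3
FLAG_UNICODE = 0x00000001   # NTLMSSP_NEGOTIATE_UNICODE: strings are UTF-16LE
FLAG_NTLM = 0x00000200      # NTLMSSP_NEGOTIATE_NTLM
FLAGS = FLAG_UNICODE | FLAG_NTLM


def _build(layout):
    """Serialise a message. Items are fixed bytes or ("var", data); each "var"
    becomes an 8-byte (Len, MaxLen, BufferOffset) descriptor whose data is
    appended to the payload after the fixed header (MS-NLMP 2.2.1)."""
    header_len = sum(len(x) if isinstance(x, bytes) else 8 for x in layout)
    header, payload = b"", b""
    for item in layout:
        if isinstance(item, bytes):
            header += item
        else:
            data = item[1]
            header += struct.pack("<HHI", len(data), len(data), header_len + len(payload))
            payload += data
    return header + payload


def _u16(s):
    return s.encode("utf-16-le")


def build_negotiate(domain, workstation):
    # Type 1: flags, then domain and workstation (OEM/ASCII encoded in this message).
    return _build([SIGNATURE, struct.pack("<II", NEGOTIATE, FLAGS),
                   ("var", domain.encode("ascii")), ("var", workstation.encode("ascii"))])


def build_challenge(target, server_challenge):
    # Type 2: TargetName, flags, 8-byte server challenge, 8 reserved bytes, TargetInfo.
    return _build([SIGNATURE, struct.pack("<I", CHALLENGE), ("var", _u16(target)),
                   struct.pack("<I", FLAGS), server_challenge, bytes(8), ("var", b"")])


def build_authenticate(domain, user, workstation, lm_response, nt_response):
    # Type 3: LM and NT responses, then DOMAIN, USERNAME and workstation in clear.
    return _build([SIGNATURE, struct.pack("<I", AUTHENTICATE),
                   ("var", lm_response), ("var", nt_response), ("var", _u16(domain)),
                   ("var", _u16(user)), ("var", _u16(workstation)), ("var", b""),
                   struct.pack("<I", FLAGS)])


def _var(msg, off):
    length, _, pos = struct.unpack_from("<HHI", msg, off)
    return msg[pos:pos + length]


def parse(msg):
    """Decode any of the three message types into a dict."""
    if msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == NEGOTIATE:
        return {"type": "NEGOTIATE", "flags": struct.unpack_from("<I", msg, 12)[0],
                "domain": _var(msg, 16).decode("ascii"),
                "workstation": _var(msg, 24).decode("ascii")}
    if mtype == CHALLENGE:
        flags = struct.unpack_from("<I", msg, 20)[0]
        enc = "utf-16-le" if flags & FLAG_UNICODE else "ascii"
        return {"type": "CHALLENGE", "flags": flags, "target": _var(msg, 12).decode(enc),
                "server_challenge": msg[24:32]}
    if mtype == AUTHENTICATE:
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & FLAG_UNICODE else "ascii"
        return {"type": "AUTHENTICATE", "flags": flags,
                "domain": _var(msg, 28).decode(enc), "user": _var(msg, 36).decode(enc),
                "workstation": _var(msg, 44).decode(enc), "nt_response": _var(msg, 20)}
    raise ValueError(f"unknown NTLMSSP message type {mtype}")


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed SMTP AUTH NTLM dialogue (client STORE47SRV01 in DomainB talking to
# Exchange in DomainA); payloads are base64 exactly as they travel on port 25.
SAMPLE_TRANSCRIPT = [
    "C: AUTH NTLM " + _b64(build_negotiate("DOMAINB", "STORE47SRV01")),
    "S: 334 " + _b64(build_challenge("DOMAINA", b"\x01\x23\x45\x67\x89\xab\xcd\xef")),
    "C: " + _b64(build_authenticate("DomainB", "Administrator", "STORE47SRV01",
                                    bytes(24), bytes(24))),   # placeholder responses
    "S: 535 5.7.3 Authentication unsuccessful",
]


def who_authenticated(lines):
    """Find the Type 3 message in a dialogue and return (domain, user, workstation):
    the identity that ends up in the server's 4625 event."""
    for line in lines:
        token = line.split()[-1]
        try:
            blob = base64.b64decode(token, validate=True)
        except ValueError:
            continue
        if not blob.startswith(SIGNATURE):
            continue
        msg = parse(blob)
        if msg["type"] == "AUTHENTICATE":
            return msg["domain"], msg["user"], msg["workstation"]
    return None


if __name__ == "__main__":
    print(who_authenticated(SAMPLE_TRANSCRIPT))   # ('DomainB', 'Administrator', 'STORE47SRV01')
```

Because the Type 3 carries the domain, user name and workstation unencrypted, a capture on either end of the connection is enough to see which process-supplied credentials are being offered; only the challenge response itself is derived from the password.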


          • #6
            Re: Confusing Logon failures

            Hi v-2nas,

            Thanks again - you're obviously very good at what you do!

            Just to answer your questions:

            No, it is all stores, so I see STORE01SRV01 all the way up to STORE75SRV01; Store 47 was just the first event I copied.

            Hmm, I was thinking about using Wireshark (which is similar to Netmon), but there are no NTLM requests on DomainA's DCs (in the event viewer), just on the Exchange server.

            I may even do this on the STORExxSRV01 servers to see what process is generating these NTLM requests; I'm just not too sure what to look for. I'm prepared to start reading some documents on this, but if you have any experience/ideas it may save me some time.



            • #7
              Re: Confusing Logon failures

              Hi,

              Can you post a screenshot of this?

              "but there's no NTLM requests on DomainA's DCs (in the event viewer), just the Exchange server."

              Do you have any service, particularly Exchange ones, trying to run under the DomainB Admin, and is there any event ID?
              Last edited by v-2nas; 27th January 2011, 19:26.
              Thanks & Regards
              v-2nas


              • #8
                Re: Confusing Logon failures

                Hi,

                I've seen that the NTLM errors occur only when Outlook Express on Domain B's servers sends or receives (i.e. initiates the connection to Domain A's Exchange server).

                I've tried disabling NTLM in IE, using plain-text auth on the IMAP service on Exchange, and enabling/disabling SPA in Outlook Express.

                Any other ideas on how to disable NTLM for Outlook Express?

                Thanks,



                • #9
                  Re: Confusing Logon failures

                  Hi,

                  What is the version of your Outlook Express, and what is the client OS?

                  (If at all possible) can you try with Thunderbird?
                  Thanks & Regards
                  v-2nas


                  • #10
                    Re: Confusing Logon failures

                    Hi v-2nas - thanks for your help.

                    Outlook Express 6, on Server 2003 (not too sure of the service pack level).

                    I've narrowed it down to only sending the NTLM requests when it sent an email, not when receiving, so I assumed it was nothing to do with IMAP, but rather SMTP.

                    I've added a relay for each of the servers on the SMTP connector in Exchange. With a relay in place and SPA disabled, the NTLM failures no longer appear!

                    Will the credentials now be passed across in plain text? I can't quite figure it out from the docs I've read.

                    Thanks



                    • #11
                      Re: Confusing Logon failures

                      Hi,

                      If you allow relay from your Outlook Express box, then if one of your boxes gets compromised it could possibly send spam out of your Exchange server.

                      Whether credentials pass in plain text would depend on the type of setting you have chosen.
                      I will configure and check in a test lab and let you know.
                      Thanks & Regards
                      v-2nas
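An added example, not part of the thread, for the question raised in #10 and answered in general terms in #11: what an SMTP client actually exposes depends on which SASL mechanism it picks from the server's EHLO reply and whether STARTTLS was negotiated first. The Python below parses an EHLO reply, classifies each advertised mechanism by what a network observer can recover, and decodes the AUTH LOGIN and AUTH PLAIN exchanges to show that with SPA off the password is only base64-wrapped. The EHLO reply, hostnames and credentials are constructed for the example and are not taken from the poster's Exchange server.

```python
import base64

# Constructed EHLO reply, modelled on what an Exchange receive connector
# might advertise (assumption: not captured from the thread's server).
SAMPLE_EHLO = [
    "250-exchange.domaina.example Hello [10.47.0.5]",
    "250-SIZE 10485760",
    "250-STARTTLS",
    "250-AUTH NTLM LOGIN",
    "250-8BITMIME",
    "250 OK",
]

# What a passive observer on port 25 learns for each mechanism when no TLS is in use.
MECHANISM_EXPOSURE = {
    "PLAIN": "password sent base64-encoded, readable on the wire",
    "LOGIN": "password sent base64-encoded, readable on the wire",
    "CRAM-MD5": "challenge-response; only an HMAC of the password crosses the wire",
    "DIGEST-MD5": "challenge-response; only a digest of the password crosses the wire",
    "NTLM": "challenge-response; only a challenge-derived response crosses the wire (crackable offline if captured)",
    "GSSAPI": "Kerberos ticket exchange; no password material on the wire",
}


def parse_ehlo(lines):
    """Return advertised extensions as {NAME: [parameters]}; AUTH lists its mechanisms."""
    ext = {}
    for line in lines:
        body = line[4:].strip()          # drop the "250-" / "250 " prefix
        name, _, rest = body.partition(" ")
        ext[name.upper()] = rest.split()
    return ext


def credential_exposure(ext, tls_negotiated=False):
    """Map each offered mechanism to what an observer sees, given the TLS state."""
    result = {}
    for mech in ext.get("AUTH", []):
        mech = mech.upper()
        if tls_negotiated:
            result[mech] = "inside TLS: not visible on the wire"
        else:
            result[mech] = MECHANISM_EXPOSURE.get(mech, "unknown mechanism; treat as cleartext")
    return result


def encode_auth_login(user, password):
    """The two client lines sent after 'AUTH LOGIN' and its '334' prompts."""
    return [base64.b64encode(user.encode()).decode(), base64.b64encode(password.encode()).decode()]


def decode_auth_login(client_lines):
    """Recover username and password from the two AUTH LOGIN responses."""
    user, password = (base64.b64decode(line).decode() for line in client_lines)
    return user, password


def encode_auth_plain(user, password):
    """AUTH PLAIN is base64( authzid NUL authcid NUL password ), authzid empty here."""
    return base64.b64encode(b"\x00" + user.encode() + b"\x00" + password.encode()).decode()


def decode_auth_plain(token):
    _, authcid, password = base64.b64decode(token).split(b"\x00")
    return authcid.decode(), password.decode()


if __name__ == "__main__":
    ext = parse_ehlo(SAMPLE_EHLO)
    for mech, what in credential_exposure(ext).items():
        print(f"{mech:<6} {what}")
    print("STARTTLS offered:", "STARTTLS" in ext)
    print(decode_auth_login(encode_auth_login("BRANCH01", "password")))
```

Two caveats follow from the output: a mechanism list is only as safe as the weakest entry the client is willing to fall back to, and a relay granted by source IP (as set up in #10) skips AUTH entirely, so nothing is exposed on the wire but anything that can originate traffic from that address can send through the connector, which is the point made in #11.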