Exchange Experts,
I can't eliminate an 'account failed to log on' audit caused by Exchange's TLS auth mechanism. Every time I get an email delivered to the server via our receive connector, the server tries to match the sender's cert using NTLM (I think).
I can't fix it regardless of the security options I select on the receive connector. It looks like Exchange's TLS is trying to map the sending server's certificate to a machine or system account, which won't work. It must be a built-in mechanism of Windows TLS?
Can anyone help get this to stop trying to match it to system accounts or point me in the right direction?
EDIT: Environment: Server 2019, Exchange 2019 CU8
References
AUDIT LOG ENTRY ON EXCHANGE SERVER
An account failed to log on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name:
Account Domain:
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000006D
Sub Status: 0x80090325
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Schannel
Authentication Package: Microsoft Unified Security Protocol Provider
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
SCHANNEL LOG IN SYSTEM LOG
The certificate received from the remote client application was not successfully mapped to a client system account. The error code is 0xC000006D. This is not necessarily a fatal error, as the server application may still find the certificate acceptable.
System Log / Source schannel / Event ID 36879
EXCHANGE RECEIVE CONNECTOR SETTINGS
RunspaceId : 84e2514a-91f6-4fee-ab6f-3acfe6e4edb8
AuthMechanism : Tls
Banner :
BinaryMimeEnabled : True
Bindings : {[::]:25, 0.0.0.0:25}
ChunkingEnabled : True
DefaultDomain :
DeliveryStatusNotificationEnabled : True
EightBitMimeEnabled : True
SmtpUtf8Enabled : True
BareLinefeedRejectionEnabled : False
DomainSecureEnabled : True
EnhancedStatusCodesEnabled : True
LongAddressesEnabled : False
OrarEnabled : False
SuppressXAnonymousTls : False
ProxyEnabled : False
AdvertiseClientSettings : False
Fqdn : mail.c3.%MyFQDM%.com
ServiceDiscoveryFqdn :
TlsCertificateName : <I>CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB<S>CN=mail.c3.%MyFQDM%.com
Comment :
Enabled : True
ConnectionTimeout : 00:10:00
ConnectionInactivityTimeout : 00:05:00
MessageRateLimit : Unlimited
MessageRateSource : IPAddress
MaxInboundConnection : 5000
MaxInboundConnectionPerSource : 20
MaxInboundConnectionPercentagePerSource : 2
MaxHeaderSize : 256 KB (262,144 bytes)
MaxHopCount : 60
MaxLocalHopCount : 12
MaxLogonFailures : 3
MaxMessageSize : 36 MB (37,748,736 bytes)
MaxProtocolErrors : 5
MaxRecipientsPerMessage : 200
PermissionGroups : AnonymousUsers
PipeliningEnabled : True
ProtocolLoggingLevel : Verbose
RemoteIPRanges : {65.55.88.0/24, 94.245.120.64/26, 207.46.51.64/26, 207.46.163.0/24, 213.199.154.0/24, 213.199.180.128/26,
2a01:111:f400:7c00::/54, 23.103.132.0/22, 23.103.136.0/21, 104.47.0.0/17, 23.103.198.0/23, 23.103.200.0/21,
2a01:111:f400:fc00::/54, 65.55.169.0/24, 134.170.140.0/24, 134.170.171.0/24...}
RequireEHLODomain : False
RequireTLS : True
EnableAuthGSSAPI : False
ExtendedProtectionPolicy : None
LiveCredentialEnabled : False
TlsDomainCapabilities : {mail.protection.outlook.com:AcceptCloudServicesMail}
Server : C3-CARM-EXCH
TransportRole : FrontendTransport
RejectReservedTopLevelRecipientDomains : False
RejectReservedSecondLevelRecipientDomains : False
RejectSingleLabelRecipientDomains : False
AcceptConsumerMail : False
SizeEnabled : Enabled
TarpitInterval : 00:00:05
AuthTarpitInterval : 00:00:05
MaxAcknowledgementDelay : 00:00:30
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Default Frontend C3-CARM-EXCH
DistinguishedName : CN=Default Frontend C3-CARM-EXCH,CN=SMTP Receive Connectors,CN=Protocols,CN=C3-CARM-EXCH,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=C3,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=C3,DC=%MyFQDM%,DC=LOCAL
Identity : C3-CARM-EXCH\Default Frontend C3-CARM-EXCH
Guid : ccd41531-2e07-4158-b033-c8e0a2e82aa7
ObjectCategory : C3.%MyFQDM%.LOCAL/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
ObjectClass : {top, msExchSmtpReceiveConnector}
WhenChanged : 3/19/2021 11:42:50 AM
WhenCreated : 2/28/2021 5:07:17 PM
WhenChangedUTC : 3/19/2021 3:42:50 PM
WhenCreatedUTC : 2/28/2021 10:07:17 PM
OrganizationId :
Id : C3-CARM-EXCH\Default Frontend C3-CARM-EXCH
OriginatingServer : C3-CARM-DC.C3.%MyFQDM%.LOCAL
IsValid : True
ObjectState : Unchanged
SMTP PROTOCOL LOG
220 mail.c3.%MyFQDN%.com Microsoft ESMTP MAIL Service ready at Fri, 19 Mar 2021 11:34:52 -0400
EHLO NAM04-CO1-obe.outbound.protection.outlook.com
250 mail.c3.%MyFQDN%.com Hello [104.47.45.54] SIZE 37748736 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS 8BITMIME BINARYMIME CHUNKING SMTPUTF8
STARTTLS
220 2.0.0 SMTP server ready
Sending certificate
  Subject: CN=mail.c3.%MyFQDN%.com
  Issuer name: CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
  Serial number: 0083FCA8E4520287D092B34DFB87FC2C6C
  Thumbprint: 6185A6B241DE02FCD5DEAA247130D947F912D04F
  Not before: 2020-04-14T20:00:00.000Z
  Not after: 2022-07-17T20:00:00.000Z
  Subject alternate names: mail.c3.%MyFQDN%.com;autodiscover.%MyFQDN%.com;www.%MyFQDN%.com
Remote certificate
  Subject: CN=mail.protection.outlook.com, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  Issuer name: CN=DigiCert Cloud Services CA-1, O=DigiCert Inc, C=US
  Serial number: 0700204CC3051A9ED4F65599C48E742C
  Thumbprint: 5D440E75FE29C4D5A223314BB0EC1DCBEB1A0903
  Not before: 2021-02-05T19:00:00.000Z
  Not after: 2022-02-05T18:59:59.000Z
  Subject alternate names: mail.protection.outlook.com;.mail.eo.outlook.com;.mail.protection.outlook.com;mail.messaging.microsoft.com;outlook.com;.olc.protection.outlook.com;.pamx1.hotmail.com
TLS protocol SP_PROT_TLS1_2_SERVER negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_384 with strength 0 bits and key exchange algorithm CALG_ECDH_EPHEM with strength 384 bits
EHLO NAM04-CO1-obe.outbound.protection.outlook.com
Validated received certificate (cached)
  Subject: CN=mail.protection.outlook.com, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  Issuer name: CN=DigiCert Cloud Services CA-1, O=DigiCert Inc, C=US
  Serial number: 0700204CC3051A9ED4F65599C48E742C
  Thumbprint: 5D440E75FE29C4D5A223314BB0EC1DCBEB1A0903
  Not before: 2021-02-05T19:00:00.000Z
  Not after: 2022-02-05T18:59:59.000Z
  Subject alternate names: mail.protection.outlook.com;.mail.eo.outlook.com;.mail.protection.outlook.com;mail.messaging.microsoft.com;outlook.com;.olc.protection.outlook.com;.pamx1.hotmail.com
TlsDomainCapabilities='AcceptCloudServicesMail'; Status='Success'; Domain='mail.protection.outlook.com'
Set Session Permissions: SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders
250 mail.c3.%MyFQDN%.com Hello [104.47.45.54] SIZE 37748736 PIPELINING DSN ENHANCEDSTATUSCODES 8BITMIME BINARYMIME CHUNKING SMTPUTF8 XOORG
MAIL FROM:<ccandia@%MyFQDN%.com> SIZE=33012 XOORG=%MyFQDN%.com
Granted Mail Item Permissions: SMTPAcceptAnyRecipient SMTPAcceptAuthoritativeDomainSender BypassAntiSpam BypassMessageSizeLimit
08D8EAE82C60FCAA;2021-03-19T15:34:53.220Z;1 receiving message
RCPT TO:<tkickass@%MyFQDN%.com>
250 2.1.0 Sender OK
250 2.1.5 Recipient OK
BDAT 22895 LAST
Set mail item OORG to '%MyFQDN%.com' based on 'MAIL FROM:'
Proxy destination(s) obtained from OnProxyInboundMessage event. Correlation Id:ddffa6c1-5c87-43e1-aea4-2e6f2dff102b
250 2.6.0 <DM6PR10MB3163472928DF2ABFA297AF61B9689@DM6PR10MB3163.namprd10.prod.outlook.com> [InternalId=1679332212747, Hostname=C3-CARM-EXCH.C3.%MyFQDN%.LOCAL] 24433 bytes in 0.147, 161.380 KB/sec Queued mail for delivery
QUIT
221 2.0.0 Service closing transmission channel
What Microsoft says about it:
dn786445(v=ws.11)
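An added triage script for the events posted above; it is not code from the original post or from Microsoft. The posted 4625 carries the fingerprint of a Schannel client-certificate mapping attempt rather than a credential logon: Logon Process "Schannel", Authentication Package "Microsoft Unified Security Protocol Provider", Package Name (NTLM only) "-", Caller Process ID 0x0 and no source address, and the System log shows the matching Schannel 36879 in the same session. Status 0xC000006D is STATUS_LOGON_FAILURE and sub-status 0x80090325 is the SSPI code SEC_E_UNTRUSTED_ROOT (winerror.h). The script below separates 4625 events of exactly that shape from real logon failures, counts the accompanying 36879 events, decodes the sub-status, and emits the XPath a SIEM or event subscription can use to exclude the benign variant upstream. It does not change Schannel's behaviour; it only stops the noise from burying genuine failures. Assumptions not on the page: it runs in an elevated PowerShell on the Exchange server, the lookback window parameter `$Since` and the function names are my own, and event-field names are the standard XML `Data Name` values of event 4625.

```powershell
# Added example for this thread (not from the original post).
# Assumptions: run elevated on the Exchange server; $Since (hypothetical
# parameter) bounds the lookback; the Security and System logs still hold
# the events. Field names are the standard <Data Name=...> values of 4625.
param([datetime]$Since = (Get-Date).AddHours(-24))

# Codes exactly as they appear in the posted event (XML form is lowercase hex).
$StatusLogonFailure = '0xc000006d'  # NTSTATUS STATUS_LOGON_FAILURE
$SecEUntrustedRoot  = '0x80090325'  # SSPI SEC_E_UNTRUSTED_ROOT (winerror.h)

function ConvertTo-EventDataMap {
    # Flatten a record's <EventData><Data Name=...> elements into a hashtable
    # so fields can be read by name instead of by positional index.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $map = @{}
    $xml = [xml]$Record.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $map[[string]$d.Name] = [string]$d.'#text' }
    return $map
}

function Test-SchannelCertMappingFailure {
    # Matches only the benign shape seen in the post: Schannel as the logon
    # process, the SSPI package, no NTLM sub-protocol, no calling process
    # and no remote address. Anything else is treated as a real attempt.
    param([hashtable]$Data)
    return (([string]$Data['LogonProcessName']).Trim() -eq 'Schannel') -and
           ($Data['AuthenticationPackageName'] -eq 'Microsoft Unified Security Protocol Provider') -and
           ($Data['LmPackageName'] -eq '-') -and
           ($Data['ProcessId'] -eq '0x0') -and
           ($Data['IpAddress'] -eq '-')
}

$benign  = New-Object System.Collections.Generic.List[object]
$suspect = New-Object System.Collections.Generic.List[object]
$filter  = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }

foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $d = ConvertTo-EventDataMap $ev
    $row = [pscustomobject]@{
        Time        = $ev.TimeCreated
        Account     = $d['TargetUserName']
        LogonProc   = ([string]$d['LogonProcessName']).Trim()
        Status      = $d['Status']
        SubStatus   = $d['SubStatus']
        Source      = $d['IpAddress']
        Workstation = $d['WorkstationName']
    }
    if (Test-SchannelCertMappingFailure $d) { $benign.Add($row) } else { $suspect.Add($row) }
}

# The Schannel event that accompanies each 4625 of this kind is written to
# the System log by the Schannel provider as event 36879.
$mapping = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36879; StartTime = $Since } -ErrorAction SilentlyContinue

"{0} Schannel cert-mapping 4625s, {1} System/Schannel 36879s, {2} other 4625s since {3}" -f `
    $benign.Count, @($mapping).Count, $suspect.Count, $Since

# Decode the sub-status. 0x80090325 is the code from the post; any other
# SSPI code under the same logon-process shape deserves a separate look.
$benign | Group-Object SubStatus | ForEach-Object {
    $name = if ($_.Name -eq $SecEUntrustedRoot) { 'SEC_E_UNTRUSTED_ROOT' } else { 'other SSPI code' }
    "  SubStatus {0} ({1}): {2}" -f $_.Name, $name, $_.Count
}

# These are the events an analyst should actually review: they carry a
# caller process, an account name or a source address.
$suspect | Sort-Object Time -Descending | Format-Table -AutoSize

# Windows event-log XPath that selects only the Schannel-originated 4625s, for
# an exclusion clause in a forwarding subscription or SIEM collector. Shown
# here against the live log so the selection can be checked before deployment.
$schannelOnly = "*[System[EventID=4625] and EventData[Data[@Name='LogonProcessName']='Schannel']]"
Get-WinEvent -LogName Security -FilterXPath $schannelOnly -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
```

Run it as `.\Triage-Schannel4625.ps1 -Since (Get-Date).AddDays(-7)` (file name is arbitrary). The match in `Test-SchannelCertMappingFailure` is deliberately narrow: a 4625 with Logon Process Schannel but a real source address or caller process would fall into the suspect list, so an attacker cannot hide a credential attack behind the same logon-process name.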


