question

imennodenis avatar image
0 Votes"
imennodenis asked KaelYao-MSFT commented

Outlook tries to authenticate with local user account on Exchange server

Hi!

We use Exchange 2016 with latest updates and mostly Outlook 2016 clients.
Every time Outlook starts on non-domain computer it tries to authenticate several times on Exchange server with LOCAL user account (some of my users work on non-domain computers). But Outlook actually works fine. Have no idea why does it try to authenticate with Local username. I have checked that users have no wrong usernames and passwords saved in credentials manager.
I can see 4625 and 4776 Events in Audit failure logs on Exchange server.

4625 Example:

 An account failed to log on.
 Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0
 Logon Type: 3
 Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: <user name>
  Account Domain: .
 Failure Information:
  Failure Reason: Unknown user name or bad password.
  Status: 0xC000006D
  Sub Status: 0xC0000064
 Process Information:
  Caller Process ID: 0x0
  Caller Process Name: -
 Network Information:
  Workstation Name: DESKTOP-XXXXXX
  Source Network Address: 111.111.111.111
  Source Port: 2605
 Detailed Authentication Information:
  Logon Process: NtLmSsp 
  Authentication Package: NTLM
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0


4776 example:

 The computer attempted to validate the credentials for an account.
    
 Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon Account: <user name>
 Source Workstation: DESKTOP-XXXXXX
 Error Code: 0xC0000064


I'm using IPBan software and those attempts cause legal ip addresses blockings.

Can anyone help?

office-outlook-itprooffice-exchange-server-connectivity
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

KaelYao-MSFT avatar image
0 Votes"
KaelYao-MSFT answered KaelYao-MSFT commented

Hi @DenisA-1339

Does this issue happen on all devices outside the domain? Or it just happens on a few of them?

I noticed that in the event 4625, the source port shows 2605.
It seems not a regular port used by Outlook.

Could you verify if source ports in the events show the same port?
If it is the same port, please have a check what process on the device is using this port.


If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

· 6
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

We have not so much non-domain devices, maybe 10-20. It seems that it happens on most of them.
Source port is different each time. I have also tried TCPView on client PC and I couldn't find that port number. But I think its expected, because Internet Provider's NAT or Port Forwarding on my router is causing port changing.
Using TCPView I can see only Outlook.exe and svchost.exe (BITS service) connections to Exchange Server's public IP on port 443.

0 Votes 0 ·

Hi,

Thanks for the update!

If you create a new windows account on the device and use Outlook to login to Exchange, would there also be some 4625 events generated?
And will the "Account Name" field show the new account name?

In addition, do you have some add-ins in Outlook?
If any, please also run in safe mode (type Outlook.exe /safe in Run) to see if it is the cause.

0 Votes 0 ·

Yes, those events are also generated. I have tried to configure absolutely clean Outlook (latest version with Office 365 subscription) on my home PC. Outlook was never configured with my corporate Exchange server there before. And yes, I could see those events on Exchange server with my home account name. At the same time Outlook connects to corporate Exchange and works just fine. I can see no errors on my Home PC.
Outlook has no addins, just default ones.
I have not tried outlook in safe mode yet, I will do it later.

0 Votes 0 ·
Show more comments