Event ID 4625 is logged every 5 minutes when using the Exchange 2010 Management Pack in OpsMgr 2007

hotfixHere’s a heads up on a new SCOM 2007 KB article we published this morning:

Symptoms

When using the Exchange 2010 Management Pack in System Center Operations Manager 2007, you may receive a security audit failure event in the Security event log every 5 minutes. An example of the event is below:

Log Name: SecuritySource: Microsoft-Windows-Security-AuditingDate:
Event ID: 4625Task Category: LogonLevel: InformationKeywords: Audit FailureUser: N/AComputer: XXXDescription: An account failed to log on. Subject: Security ID: NULL SIDAccount Name: - Account Domain: - Logon ID: 0x0Logon Type: 3Account For Which Logon Failed: Security ID: NULL SIDAccount Name: Aextest_39076b2bb6ec4Account Domain: XXXXXXFailure Information: Failure Reason: Unknown user name or bad password. Status: 0xc000006dSub Status: 0xc0000064Process Information: Caller Process ID: 0x0Caller Process Name: - Network Information: Workstation Name: XXXXXXSource Network Address: XXXXXXSource Port: 30956Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLMTransited Services: - Package Name (NTLM only): - Key Length: 0

Note that the account name will have the format Aextest_ <GUID> .

Cause

The actual Exchange mailbox account used is extest_ <GUID> . This extra “A” is passed on due to an issue with the Exchange Correlation Engine when Outlook Anywhere is OFF (disabled). This is the default on a new installation of Exchange 2010.

Resolution

Two possible workarounds are below:

1. Enable Outlook Anywhere (see https://technet.microsoft.com/en-us/library/cc179036.aspx).

or

2. Disable every rule that is using the Test-OutlookConnectivity Exchange 2010 Powershell CMDLet. A list of these rules can be found here: https://technet.microsoft.com/en-us/library/ee758035(EXCHG.140).aspx

More Information

This article applies to System Center Operations Manager 2007 RTM, SP1 and R2.

=====

For the most current version of this article please see the following:

2591305 : Event ID 4625 is logged every 5 minutes when using the Exchange 2010 Management Pack in System Center Operations Manager 2007

J.C. Hornbeck | System Center Knowledge Engineer

App-V Team blog: https://blogs.technet.com/appv/
AVIcode Team blog: https://blogs.technet.com/b/avicode
ConfigMgr Support Team blog: https://blogs.technet.com/configurationmgr/
DPM Team blog: https://blogs.technet.com/dpm/
MED-V Team blog: https://blogs.technet.com/medv/
OOB Support Team blog: https://blogs.technet.com/oob/
Opalis Team blog: https://blogs.technet.com/opalis
Orchestrator Support Team blog: https://blogs.technet.com/b/orchestrator/
OpsMgr Support Team blog: https://blogs.technet.com/operationsmgr/
SCMDM Support Team blog: https://blogs.technet.com/mdm/
SCVMM Team blog: https://blogs.technet.com/scvmm
Server App-V Team blog: https://blogs.technet.com/b/serverappv
Service Manager Team blog: https://blogs.technet.com/b/servicemanager
System Center Essentials Team blog: https://blogs.technet.com/b/systemcenteressentials
WSUS Support Team blog: https://blogs.technet.com/sus/

clip_image001 clip_image002