Forum Discussion
Exchange 2016 Event 2159 ADAccess Validation Failed
DrShutt, ronenu and h1ckman - Any chance you guys are using (or in the process of rolling out) CS Identity Protection? DrShutt's comment about LDAP queries being changed has me wondering if CS Identity Protection isn't passing those queries through correctly.
We're still working with Microsoft over here.
- swguy89 Jul 12, 2023 Copper Contributor
We are experiencing the same exact issues. We are also running CS with the ITP module running the integrated DC sensor.
Has anyone heard back from CS support or Microsoft on the root cause? I've since opened a support ticket with CS but am still waiting on an analysis from them.
- JSneade Jul 12, 2023 Copper Contributor
swguy89
We are in like round 10 of log collecting for Microsoft, however they did respond back that they think it's related to the IDP module installed on the CrowdStrike DCs. We will be going back to our security department for testing removal of agent or allow listing Exchange traffic from monitoring.
We had not prompted MS about suspicions of the CS IDP on the DCs. They have come up with this through "other cases" so hopefully a solution for us all.
- SaschaSeipp Jul 12, 2023 Brass Contributor
Seems we have the same issue. In our case CS Identity Protection was activated (for monitoring only, as we're still testing) on the last DCs on the same day when those Exchange problems started (mid-June in our case), so the correlation is quite strong. The general assumption, as far as I understand, is that somehow the DCs seem to be overwhelmed from that CS agent traffic inspection, so somehow some packets or information get lost.
In any case, our security engineer opened a ticket with CS, and currently we're monitoring our Exchange servers with extended logging for CS support - and we're waiting for it to happen again. It did so two times last week and not at all since Saturday.
Here's a link to that issue on the CS subreddit - maybe that helps for you, too:
https://www.reddit.com/r/crowdstrike/comments/14r3avd/identity_module_inbuilt_into_falcon_ldap_query/?utm_source=share&utm_medium=web2x&context=3