Forum Discussion
Exchange 2016 Event 2159 ADAccess Validation Failed
We're still working with Microsoft over here.
Has anyone heard back from CS support or Microsoft on the root cause? I've since opened a support ticket with CS but am still waiting on an analysis from them.
- JSneade | Jul 12, 2023 | Copper Contributor
swguy89
We are in like round 10 of log collecting for Microsoft; however, they did respond back that they think it's related to the IDP module installed on the CrowdStrike DCs. We will be going back to our security department for testing removal of the agent or allow listing Exchange traffic from monitoring. We had not prompted MS about suspicions of the CS IDP on the DCs. They have come up with this through "other cases", so hopefully a solution for us all.
- SaschaSeipp | Jul 12, 2023 | Brass Contributor
Seems we have the same issue. In our case CS Identity Protection was activated (for monitoring only, as we're still testing) on the last DCs on the same day when those Exchange problems started (mid-June in our case), so the correlation is quite strong. The general assumption, as far as I understand, is that somehow the DCs seem to be overwhelmed by that CS agent traffic inspection, so somehow some packets or information get lost.
In any case, our security engineer opened a ticket with CS, and currently we're monitoring our Exchange servers with extended logging for CS support - and we're waiting for it to happen again. It did so two times last week and not at all since Saturday. Here's a link to that issue on the CS subreddit - maybe that helps you, too:
https://www.reddit.com/r/crowdstrike/comments/14r3avd/identity_module_inbuilt_into_falcon_ldap_query/?utm_source=share&utm_medium=web2x&context=3
- skear1365 | Jul 13, 2023 | Copper Contributor
I'm just now catching up on this thread; we are also using CrowdStrike Identity Protection, so this all seems to make sense now. I plan to open a support ticket with CrowdStrike to get the details on the workaround mentioned on the Reddit thread linked above. Thank you for sharing that!