Forum Discussion
Exchange 2016 Event 2159 ADAccess Validation Failed
swguy89
We are in like round 10 of log collecting for Microsoft; however, they did respond back that they think it's related to the IDP module installed on the CrowdStrike DCs. We will be going back to our security department for testing removal of the agent or allow-listing Exchange traffic from monitoring.
We had not prompted MS about suspicions of the CS IDP on the DCs. They have come up with this through "other cases" so hopefully a solution for us all.
Seems we have the same issue. In our case CS Identity Protection was activated (for monitoring only, as we're still testing) on the last DCs on the same day when those Exchange problems started (mid-June in our case), so the correlation is quite strong. The general assumption, as far as I understand, is that somehow the DCs seem to be overwhelmed by that CS agent traffic inspection, so some packets or information get lost.
In any case, our security engineer opened a ticket with CS, and currently we're monitoring our Exchange servers with extended logging for CS support - and we're waiting for it to happen again. It did so two times last week and not at all since Saturday.
Here's a link to that issue on the CS subreddit - maybe that helps for you, too:
https://www.reddit.com/r/crowdstrike/comments/14r3avd/identity_module_inbuilt_into_falcon_ldap_query/?utm_source=share&utm_medium=web2x&context=3
- skear1365, Jul 13, 2023, Copper Contributor
I'm just now catching up on this thread; we are also using CrowdStrike Identity Protection, so this all seems to make sense now. I plan to open a support ticket with CrowdStrike to get the details on the workaround mentioned on the Reddit thread linked above. Thank you for sharing that!
- SaschaSeipp, Dec 11, 2023, Brass Contributor
In case anyone stumbles upon this thread and misses the ending... ;-):
Apparently CrowdStrike somehow has fixed the issue by "automatically identifying the Exchange servers" and not doing for them what they do for/with the other servers. This already happened some months ago; I just forgot to get back to this thread here. Since then, we have had no more issues.
- h1ckman, Dec 11, 2023, Copper Contributor
SaschaSeipp, so they closed your ticket with CrowdStrike? Is there a CS article about this, or is the resolution documented on their site?