Failure in Exchange Event Log

%3CLINGO-SUB%20id%3D%22lingo-sub-1447409%22%20slang%3D%22en-US%22%3EFailure%20in%20Exchange%20Event%20Log%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1447409%22%20slang%3D%22en-US%22%3E%3CP%3ECan%20anyone%20help%20me%20with%20some%20ideas%20on%20how%20to%20track%20this%20down%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20am%20getting%20several%20Audit%20Failures%20every%20minute%20on%20my%20Exchange%20Server.%26nbsp%3B%20This%20is%20the%20event%20log%20entry%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAn%20account%20failed%20to%20log%20on.%3C%2FP%3E%3CP%3ESubject%3A%3CBR%20%2F%3ESecurity%20ID%3A%20NULL%20SID%3CBR%20%2F%3EAccount%20Name%3A%20-%3CBR%20%2F%3EAccount%20Domain%3A%20-%3CBR%20%2F%3ELogon%20ID%3A%200x0%3C%2FP%3E%3CP%3ELogon%20Type%3A%203%3C%2FP%3E%3CP%3EAccount%20For%20Which%20Logon%20Failed%3A%3CBR%20%2F%3ESecurity%20ID%3A%20NULL%20SID%3CBR%20%2F%3EAccount%20Name%3A%20%3CNAME%20of%3D%22%22%20exchange%3D%22%22%20server%3D%22%22%3E%24%3CBR%20%2F%3EAccount%20Domain%3A%20%3CCORRECT%20domain%3D%22%22%3E%3C%2FCORRECT%3E%3C%2FNAME%3E%3C%2FP%3E%3CP%3EFailure%20Information%3A%3CBR%20%2F%3EFailure%20Reason%3A%20An%20Error%20occured%20during%20Logon.%3CBR%20%2F%3EStatus%3A%200xC000006D%3CBR%20%2F%3ESub%20Status%3A%200x0%3C%2FP%3E%3CP%3EProcess%20Information%3A%3CBR%20%2F%3ECaller%20Process%20ID%3A%200x0%3CBR%20%2F%3ECaller%20Process%20Name%3A%20-%3C%2FP%3E%3CP%3ENetwork%20Information%3A%3CBR%20%2F%3EWorkstation%20Name%3A%20%3CNAME%20of%3D%22%22%20exchange%3D%22%22%20server%3D%22%22%3E%3CBR%20%2F%3ESource%20Network%20Address%3A%20%3CCORRECT%20ip%3D%22%22%20address%3D%22%22%20of%3D%22%22%20exchange%3D%22%22%20server%3D%22%22%3E%3CBR%20%2F%3ESource%20Port%3A%206476%20%3CSEEMS%20to%3D%22%22%20be%3D%22%22%20random%3D%22%22%3E%3C%2FSEEMS%3E%3C%2FCORRECT%3E%3C%2FNAME%3E%3C%2FP%3E%3CP%3EDetailed%20Authentication%20Information%3A%3CBR%20%2F%3ELogon%20Process%3A%3CBR%20%2F%3EAuthentication%20Package%3A%20NTLM%3CBR%20%2F%3ETransited%20Services%3A%20-%3CBR%20%2F%3EPackage%20Name%20(NTLM%20only)%3A%20-%3CBR%20%2F%3EKey%20Length%3A%200%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20exchange%20server%20seems%20to%20be%20working%20okay%2C%20but%20I%20want%20to%20eliminate%20these%20failures%20but%20cannot%20track%20them%20down.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1447409%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3E2016%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%20Server%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1468187%22%20slang%3D%22en-US%22%3ERE%3A%20Failure%20in%20Exchange%20Event%20Log%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1468187%22%20slang%3D%22en-US%22%3EHello%20Brent%2C%20I%20have%20seen%20this%20once%20when%20IPv6%20was%20disabled%20on%20an%20Exchange%20server.%20NTLM%20requests%20didn't%20got%20through%20after%20this%20was%20disabled.%20Is%20this%20the%20case%20on%20your%20Exchange%20server%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1469499%22%20slang%3D%22en-US%22%3ERE%3A%20Failure%20in%20Exchange%20Event%20Log%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1469499%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F399562%22%20target%3D%22_blank%22%3E%40PvB91%3C%2FA%3E%26nbsp%3BHi%2C%20Thanks%20for%20your%20reply%2C%20unfortunately%20this%20is%20not%20it%20as%20IPv6%20is%20enabled.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1994521%22%20slang%3D%22en-US%22%3ERE%3A%20Failure%20in%20Exchange%20Event%20Log%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1994521%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F370869%22%20target%3D%22_blank%22%3E%40BrentStobbs%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEver%20find%20a%20solution%20to%20this%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Can anyone help me with some ideas on how to track this down?  

 

I am getting several Audit Failures every minute on my Exchange Server.  This is the event log entry:

 

An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: <Name of Exchange Server>$
Account Domain: <Correct Domain>

Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC000006D
Sub Status: 0x0

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: <Name of Exchange Server>
Source Network Address: <Correct IP Address of Exchange Server>
Source Port: 6476 <Seems to be random>

Detailed Authentication Information:
Logon Process:
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

 

The exchange server seems to be working okay, but I want to eliminate these failures but cannot track them down.

4 Replies
Hello Brent, I have seen this once when IPv6 was disabled on an Exchange server. NTLM requests didn't got through after this was disabled. Is this the case on your Exchange server?

@BemmelenPatrick Hi, Thanks for your reply, unfortunately this is not it as IPv6 is enabled.

 

@BrentStobbs 

Ever find a solution to this?

No I'm afraid I haven't resolved this one yet.