Bluepoint Design

Practical cost effective solutions   
Event 529

Environment:

Microsoft Exchange server where an IMAP4 client is trying to connect. In this case, an NEC phone switch with the VM integration and synchronization option enabled.

Symptoms:

The security log has numerous Event ID 529 entries and an eventual 539 (lockout) once the retry limit is met. In this case there were several in the same second, but usually it's one attempt every 62 seconds.

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 1/28/2008
Time: 4:16:00 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: mike@ipsd.local
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: IPSD
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 4304
Transited Services: -
Source Network Address: -
Source Port: -
 

Above is a sample entry. The trick is to notice that the event originates on the server where Exchange is installed, via Advapi. In this case process ID 4304 (which can be looked up in Task Manager) is "store.exe", the Exchange Information Store database engine. Something is trying to access data in the user's mailbox with the wrong credentials. Since one couldn't log in to Outlook or another client with the wrong password to begin with, the access method is IMAP. In this case a phone system that uses IMAP to sync voice mail messages with the user's mailbox had the wrong password and was retrying over and over.
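The triage described above, as an added example (not part of the original page): it parses 529 records pasted as text, keeps those submitted by a process on the logging server itself (Advapi, workstation equal to computer, machine-account caller, no source address), and groups them by account and caller PID with the retry interval. The text layout is assumed to match the sample entry; the function names are hypothetical, and the three sample records and their timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: 529 records in the field layout shown above, reduced to
# the fields the triage reads. The three timestamps are made up (62 s apart).
TEMPLATE = """Event ID: 529
Date: 1/28/2008
Time: {time}
Computer: SERVER
User Name: mike@ipsd.local
Logon Process: Advapi
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Process ID: 4304
Source Network Address: -"""
SAMPLE = [TEMPLATE.format(time=t) for t in ("4:16:00 PM", "4:17:02 PM", "4:18:04 PM")]

def parse_event(text):
    """Turn 'Field: value' lines into a dict and add a parsed timestamp."""
    ev = dict(re.findall(r"^\s*([^:\n]+):[ \t]*(.*?)\s*$", text, re.M))
    ev["when"] = datetime.strptime(ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
    return ev

def is_local_service_failure(ev):
    """True when the bad logon was submitted by a process on the logging server itself."""
    return (ev.get("Event ID") == "529"
            and ev.get("Logon Process", "").lower() == "advapi"
            and ev.get("Workstation Name") == ev.get("Computer")
            and ev.get("Caller User Name", "").endswith("$")
            and ev.get("Source Network Address", "-") == "-")

def triage(texts):
    """Group local-origin failures by (account, caller PID): count and median retry gap."""
    groups = defaultdict(list)
    for ev in map(parse_event, texts):
        if is_local_service_failure(ev):
            groups[(ev["User Name"], ev["Caller Process ID"])].append(ev["when"])
    report = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[key] = {"failures": len(times), "median_gap_s": median(gaps) if gaps else None}
    return report

if __name__ == "__main__":
    for (user, pid), info in triage(SAMPLE).items():
        print(user, "caller PID", pid, info)
```

The caller PID in each result key is the value to look up in Task Manager, as was done for 4304 above. A constant gap between failures matches the fixed retry timer seen with the phone system here.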

 