The System Center Operations Manager Support Team Blog

This is the OpsMgr 2007 blog for the Microsoft support team. If you were looking for the SCOM 2007 or MOM 2005 blog then you are in the right place.

Event ID 4625 is logged every 5 minutes when using the Exchange 2010 Management Pack in OpsMgr 2007

Event ID 4625 is logged every 5 minutes when using the Exchange 2010 Management Pack in OpsMgr 2007

  • Comments 2
  • Likes

hotfixHere’s a heads up on a new SCOM 2007 KB article we published this morning:

Symptoms

When using the Exchange 2010 Management Pack in System Center Operations Manager 2007, you may receive a security audit failure event in the Security event log every 5 minutes. An example of the event is below:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date:
Event ID: 4625

Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: XXX

Description:
An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Aextest_39076b2bb6ec4
Account Domain: XXXXXX

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: XXXXXX
Source Network Address: XXXXXX
Source Port: 30956

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

Note that the account name will have the format Aextest_<GUID>.

Cause

The actual Exchange mailbox account used is extest_<GUID>. This extra “A” is passed on due to an issue with the Exchange Correlation Engine when Outlook Anywhere is OFF (disabled). This is the default on a new installation of Exchange 2010.

Resolution

Two possible workarounds are below:

1. Enable Outlook Anywhere (see http://technet.microsoft.com/en-us/library/cc179036.aspx).

or

2. Disable every rule that is using the Test-OutlookConnectivity Exchange 2010 Powershell CMDLet. A list of these rules can be found here: http://technet.microsoft.com/en-us/library/ee758035(EXCHG.140).aspx

More Information

This article applies to System Center Operations Manager 2007 RTM, SP1 and R2.

=====

For the most current version of this article please see the following:

2591305 : Event ID 4625 is logged every 5 minutes when using the Exchange 2010 Management Pack in System Center Operations Manager 2007

J.C. Hornbeck | System Center Knowledge Engineer

App-V Team blog: http://blogs.technet.com/appv/
AVIcode Team blog: http://blogs.technet.com/b/avicode
ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/
DPM Team blog: http://blogs.technet.com/dpm/
MED-V Team blog: http://blogs.technet.com/medv/
OOB Support Team blog: http://blogs.technet.com/oob/
Opalis Team blog: http://blogs.technet.com/opalis
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
OpsMgr Support Team blog: http://blogs.technet.com/operationsmgr/
SCMDM Support Team blog: http://blogs.technet.com/mdm/
SCVMM Team blog: http://blogs.technet.com/scvmm
Server App-V Team blog: http://blogs.technet.com/b/serverappv
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center Essentials Team blog: http://blogs.technet.com/b/systemcenteressentials
WSUS Support Team blog: http://blogs.technet.com/sus/

clip_image001 clip_image002

Comments
Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment