I had this happen recently and solved it by digging through the IIS logs on the CAS. After going through and finding the entries for a username, I saw that the useragent was different for some requests and it turned out that this user had setup the windows mail app and forgot about it when changing his password.
Just an idea, IIS logs may be of use if you haven't looked there already. Matthew Topper From: [email protected] [mailto:[email protected]] On Behalf Of Jason Benway Sent: Tuesday, November 11, 2014 3:50 PM To: [email protected] Subject: [Exchange] Account lockout from CAS We have a handful of users getting their accounts locked out multiple times a day. We've looked the security logs on the CAS and can see the external IPs locking these account, in some cases the external IP changes daily. We've removed all activesync partnerships and I tried disabling OWA and activesync access on these accounts, but they are still getting locked from outside. Anything else I can look for or at before we go the extreme route and change their username? Does removing the partnership remove the username password from the mobile device or does it just keep trying to sync? Does blocking OWA and activesync for the user, still allow someone to browse to the OWA site enter the username and then keep entering a bad password to lock the account? This is Exchange 2010. Thanks,jb Jason Benway Infrastructure Manager 616-850-1208 fax www.jsjcorp.com<http://www.jsjcorp.com> [cid:[email protected]] JSJ Corporation 700 Robbins Road Grand Haven, MI 49417 ________________________________ This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
