Exchange 2013 OWA: why no 'Post','401' IIS log when OWA login failed

  • Question

  • Hi,

    I made some failed logins on the OWA of Exchange 2013, but I could not find any IIS log entry with the keywords 'POST', '401' and my user name. Has the log format been changed? Or is this a bug in Exchange 2013 OWA?

    My environment:

    Exchange 2013

    Windows server 2012

    IIS 8.0

    By the way, I did some tests on Exchange 2010 OWA, and there I could find the logs I want.


    Msts.cn@Outlook.com

    Wednesday, October 16, 2013 7:34 AM

Answers

  • Well, I just started up my E2013 server, and I see the same thing here. They have changed the 401 to a 302. I actually think that makes more sense, since returning a 401 implies that the not-yet-logged-on user doesn't have permission to post credentials to the authenticating module, which is sort of nonsensical.

    But yes, it does mean that you can't tell the difference between a nonexistent username attempt, and a simple incorrect password. Although it may be possible to get this from the Event Logs. I've no idea how you do that, though, but there is a chance that turning on a high level of security auditing would do it.

    I don't know if you can get a confirmation from MS. Some of the MS Exchange devs post in this forum, so it might be worth asking a very specific question about this apparent change. Some of the devs also have blogs where you might ask.


    OWA For SmartPhone
    www.leederbyshire.com


    • Edited by Lee Derbyshire Thursday, October 31, 2013 3:22 PM
    • Marked as answer by Michael ZH Thursday, October 31, 2013 3:28 PM
    Thursday, October 31, 2013 3:22 PM
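    The accepted answer above says E2013 logs a 302 for the credential POST where E2010 logged a 401, and later in the thread the sc-win32-status on those E2010 401 lines is reported as 1326 (existing user, wrong password) or 1332 (nonexistent user). As an added example that is not part of the thread, the parser below reads IIS W3C logs using the #Fields: header in the field order posted in the thread, classifies POSTs to /owa/auth.owa under both conventions, and counts them per username and client IP so a burst of failures from one source stands out. The sample lines are constructed (IPs, usernames and the cafeReqId values are placeholders); the Win32 error names ERROR_LOGON_FAILURE (1326) and ERROR_NONE_MAPPED (1332) are standard Windows values, not something the thread states.

```python
from collections import Counter

# sc-win32-status values the thread reports on failed E2010 OWA logons; the Win32 names are ERROR_LOGON_FAILURE (1326) and ERROR_NONE_MAPPED (1332).
WIN32_REASON = {"1326": "bad password (existing user)", "1332": "no such user"}

# Constructed samples in the field order posted in the thread: E2010-style (space-separated, 401) and E2013-style (comma-separated as pasted, 302). IPs/users are placeholders.
E2010_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2013-10-17 07:56:21 10.0.0.5 POST /owa/auth.owa - 443 CORP\\alice 10.0.0.9 Mozilla/4.0+(compatible) PBack=0 https://server/owa/auth/logon.aspx 401 1 1326 359
2013-10-17 07:56:40 10.0.0.5 POST /owa/auth.owa - 443 CORP\\nobody 10.0.0.9 Mozilla/4.0+(compatible) PBack=0 https://server/owa/auth/logon.aspx 401 1 1332 20
2013-10-17 07:57:02 10.0.0.5 GET /owa/ - 443 CORP\\alice 10.0.0.9 Mozilla/4.0+(compatible) PBack=0 - 200 0 0 15
"""
E2013_LOG = """#Fields: date,time,s-ip,cs-method,cs-uri-stem,cs-uri-query,s-port,cs-username,c-ip,cs(User-Agent),cs(Cookie),cs(Referer),sc-status,sc-substatus,sc-win32-status,time-taken
2013-10-31,06:16:31,10.0.0.5,POST,/owa/auth.owa,&cafeReqId=placeholder-1;,443,TestDomain\\testlog1,10.0.0.9,Mozilla/4.0+(compatible),PBack=0,https://wm-e13-mc/owa/auth/logon.aspx,302,0,64,62
2013-10-31,06:16:31,10.0.0.5,POST,/owa/auth.owa,&cafeReqId=placeholder-2;,443,TestDomain\\testlog1,10.0.0.9,Mozilla/4.0+(compatible),PBack=0,https://wm-e13-mc/owa/auth/logon.aspx,302,0,0,78
"""

def parse_w3c(text):
    # Yield one dict per entry; column names come from the #Fields: header, and so does the delimiter.
    fields, sep = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            body = line[len("#Fields:"):].strip()
            sep = "," if "," in body else None  # None -> whitespace split, which real IIS logs use
            fields = body.split(sep)
        elif line and not line.startswith("#") and fields:
            values = line.split(sep)
            if len(values) == len(fields):  # skip malformed lines instead of misaligning columns
                yield dict(zip(fields, values))

def classify(entry):
    # Label a credential POST to auth.owa; any other request returns None.
    if entry.get("cs-method") != "POST" or entry.get("cs-uri-stem", "").lower() != "/owa/auth.owa":
        return None
    status, win32 = entry.get("sc-status"), entry.get("sc-win32-status", "?")
    if status == "401":  # E2007/E2010: the failure is explicit and sc-win32-status says why
        return "failed: " + WIN32_REASON.get(win32, "win32=" + win32)
    if status == "302":  # E2013: redirect back to the logon page; outcome is not in the IIS log
        return "redirect (outcome not logged)"
    return "other status " + str(status)

def summarize(text):
    # Count per (cs-username, c-ip, label) so repeated attempts from one source are visible.
    counts = Counter()
    for e in parse_w3c(text):
        label = classify(e)
        if label:
            counts[(e["cs-username"], e["c-ip"], label)] += 1
    return counts
```

    Because the E2013 302 entries carry no outcome, the redirect counts are only a signal to correlate with the server's Security audit log (failed-logon events, ID 4625), which is the route the answer suggests.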

All replies

  • The username isn't recorded in the IIS log if the login fails. A dash - is recorded instead of the username. You may have configured your other server to log the POSTed data (where you might see the username), but I'm not sure that's even possible, since POSTed data can be rather large.

    Also, 401 wouldn't appear in the same log entry line as the POST, since a 401 response would mean that the server denied the POST in the first place.

    Do you have some of the log entries from your E2010 OWA, so that we can compare?


    OWA For SmartPhone
    www.leederbyshire.com

    Wednesday, October 16, 2013 12:14 PM
  • Hi,

    Here is the failed login log on the E2010 OWA:

    2013-10-17 07:56:21 <ip> POST /owa/auth.owa - 443 <user> <ip> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+.NET4.0C;+.NET4.0E;+.NET+CLR+2.0.50727) OutlookSession=ac17f74bfbe5445db7fbe9a0ec383dec;+PBack=0 https://server/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fserver%2fowa%2f 401 1 1326 359

    We can see the cs-method is 'POST', cs-username is not null but 'qmsmix3710\winntestlog1', and the sc-status is '401'. I can't find this kind of log for E2013 OWA, and there is no other similar log either. After I made a failed login, the IIS log file generated nothing more than two '302' entries.

    Could you please confirm for me what the log format is for a failed login on E2013 OWA? Is there any setting that would block the log from being generated?


    Msts.cn@Outlook.com


    • Edited by Michael ZH Tuesday, October 29, 2013 4:59 AM
    Thursday, October 17, 2013 8:12 AM
    Okay, thanks. That does look very strange. The fact that the username is logged means that the server already knows (and has authenticated the user) before the POST was attempted. The 401.1 response might mean that the user is denied the POST operation, although it might also mean that something is broken. Since it already knows the user before the POST is performed, I'd guess that the permissions in IIS are wrong (for example Integrated Authentication enabled on the auth folder, which should have Anonymous Access). The quickest way that I can think of to reset the permissions would just be to remove and recreate the OWA virtual directory with this:

    http://technet.microsoft.com/en-us/library/ff629372(v=exchg.141).aspx


    OWA For SmartPhone
    www.leederbyshire.com

    Thursday, October 17, 2013 10:32 AM
  • Hi,
    I did another test on E2010: I used a non-existent user to make a failed login, and the log was as below:

    2013-10-21 02:56:36 <ip> POST /owa/auth.owa - 443 <user> <ip> Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+Trident/4.0;+.NET+CLR+1.1.4322;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+.NET4.0C;+.NET4.0E;+.NET+CLR+2.0.50727) OutlookSession=3b1f526408cb496e8d50565ab5cc0fe3;+PBack=0 https://server/owa/auth/logon.aspx?replaceCurrent=1&reason=2&url=https%3a%2f%2fserver%2fowa%2f 401 1 1326 20281

    I think when a user fails to log in, the IIS log will record the username no matter whether the user exists or not, and no matter whether it was authenticated or not! So I think it has nothing to do with the permissions of E2010.
    And I can confirm this in E2007 too!
    What do you think?

    My issue is how to get a user's failed login from the IIS log records on E2013. If the username is not recorded in the log, I don't know which user a 401 log entry belongs to. Is there any official information on this?

    Thanks!


    Msts.cn@Outlook.com


    • Edited by Michael ZH Tuesday, October 29, 2013 5:00 AM
    Monday, October 21, 2013 3:40 AM
  • Hi,

    I just want to know whether there is anything helpful for me now.

    This blocks me now, please help.

    Thanks.


    Msts.cn@Outlook.com

    Monday, October 28, 2013 7:43 AM
  • Sorry for the delay, I was away on vacation last week.

    Anyway, I just did a quick test here. I tried to enter a non-existent username and password into my OWA logon form, and I discovered that in the IIS log file, it did record the non-existent username. Which I have to say I would not have expected. It must be a feature of the authentication method, since I am pretty sure that 'normal' authentication methods would not have recorded anything.

    I can't imagine that any of your users would be entering non-existent usernames, though. I think you can assume that any usernames you see where there is a 401 are caused by incorrect passwords.


    OWA For SmartPhone
    www.leederbyshire.com

    Monday, October 28, 2013 10:43 AM
  • Thanks for your reply.

    What's the version of your IIS? I am using IIS 8. I have tried many times, and there are never any 401 log entries for /owa. I am going to set up an Exchange 2013 CAS with IIS 7 to see whether it makes a difference. I will update here then.

    Thanks again for your time.

    M.


    Msts.cn@Outlook.com

    Wednesday, October 30, 2013 3:24 AM
  • I am using IIS 7.5, so I don't think you'll notice any difference. I did notice one small difference in my IIS logs. For a non-existent username, the last three numbers of the lines are

    401 1 1332

    For an existing user supplying an incorrect password, I see

    401 1 1326

    The last number is called sc-win32-status. Maybe this is something you can use?


    OWA For SmartPhone
    www.leederbyshire.com

    Wednesday, October 30, 2013 10:16 AM
    That's interesting. What's your Exchange version? Mine is Exchange 2013 CU2.

    Are you checking the IIS logs of the Default site or the Exchange Back End site? I think we should check the default site, correct?

    Thanks,

    M


    Msts.cn@Outlook.com

    Wednesday, October 30, 2013 10:28 AM
  • Well, I am trying this on E2010. I have an E2013 development server, but I'm not near it today.

    Since you access OWA on the default site, I'd assume you check the logs on the default site.


    OWA For SmartPhone
    www.leederbyshire.com

    Wednesday, October 30, 2013 10:41 AM
    Oh, no. Have you ever tested on Exchange 2013?

    Thanks,

    M.


    Msts.cn@Outlook.com

    Wednesday, October 30, 2013 11:13 AM
  • No, but since they are similar in most other respects, I wouldn't expect it to be any different in E2013 from E2010. I'll check it tomorrow, if I get a chance, and see if it's any different.

    OWA For SmartPhone
    www.leederbyshire.com

    Wednesday, October 30, 2013 11:29 AM
    I bet it will surprise you when you check the IIS log in Exchange 2013. It is really different! There is no 401 at all for /OWA. That's why I posted here for help.

    Thanks,

    M.


    Msts.cn@Outlook.com


    • Edited by Michael ZH Thursday, October 31, 2013 2:33 AM
    • Marked as answer by Michael ZH Thursday, October 31, 2013 2:49 AM
    • Unmarked as answer by Michael ZH Thursday, October 31, 2013 2:49 AM
    Wednesday, October 30, 2013 2:32 PM
    Oh, right. Can you post for me the first line of the log file (i.e. the enabled field names), and a typical log file line from E2013?

    OWA For SmartPhone
    www.leederbyshire.com

    Wednesday, October 30, 2013 2:55 PM
  • Hi,

    I got a new test environment ready and did a test too, using IIS 7.5 and Exchange 2013, and could not get the logs I want.
    I think you have to do some tests on this.

    Thanks.

    The logs I got as below:

    date,time,s-ip,cs-method,cs-uri-stem,cs-uri-query,s-port,cs-username,c-ip,cs(User-Agent),cs(Cookie),cs(Referer),sc-status,sc-substatus,sc-win32-status,time-taken
    2013-10-31,06:16:31,ip,POST,/owa/auth.owa,&cafeReqId=aa1574e4-52df-4b70-8961-066462123066;,443,TestDomain\testlog1,ip,Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729),PrivateComputer=true;+PBack=0,https://wm-e13-mc/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fTestDomain%2fowa,302,0,64,62
    2013-10-31,06:16:31,ip,POST,/owa/auth.owa,&cafeReqId=0c994ba0-85c8-487f-a599-6bdf86770ace;,443,TestDomain\testlog1,ip,Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.2;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729),PrivateComputer=true;+PBack=0,https://wm-e13-mc/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fTestDomain%2fowa,302,0,0,78


    Msts.cn@Outlook.com


    • Edited by Michael ZH Thursday, October 31, 2013 2:04 PM
    Thursday, October 31, 2013 8:08 AM
  • Okay, thanks for posting the log entries. It looks like they changed the 401 to a 302, which is a redirect instruction, probably straight back to the logon page.

    OWA For SmartPhone
    www.leederbyshire.com

    Thursday, October 31, 2013 10:19 AM
    That makes sense. But it is an assumption that cannot totally convince me or my boss. Do you know how I can get a confirmation from MS?

    Thanks,

    M


    Msts.cn@Outlook.com

    Thursday, October 31, 2013 2:07 PM
  • This thread does not seem to catch the dev's eyes. Anyway, thanks for your time discussing with me. I really appreciate that!

    Thanks,

    M.


    Msts.cn@Outlook.com

    Thursday, October 31, 2013 3:28 PM