Recently we got an interesting case: a customer's domain account was being locked out every hour. Furthermore, the Security event log showed that the process behind the failed logons was inetinfo.exe:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
User: NT AUTHORITY\SYSTEM
Reason: Unknown user name or bad password
User Name: AccountName
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Caller Process ID: 1456
(Here 1456 is the Process ID of inetinfo.exe)
What to Check?
At first, we suspected that the customer's user account had been configured somewhere in IIS with a password that was never refreshed after it changed. For example:
a) Being configured as anonymous account
b) Being configured as certain Application Pool’s identity
c) Being configured as certain COM+ component’s identity…
However, nothing relevant was found in metabase.xml or in the COM+ management console.
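The metabase part of that check can be scripted rather than eyeballed. The following is an added example, not code from the original post: it scans an IIS 6 metabase.xml for every identity attribute that names the suspect account, normalising case and the DOMAIN\ prefix so that "CONTOSO\AccountName" and "accountname" both match. The XML fragment is constructed for illustration, and the attribute names I look at (AnonymousUserName, WAMUserName, UNCUserName) are the ones I assume the IIS 6 metabase schema uses; to be safe the scan also reports any other attribute whose name ends in "UserName". The COM+ catalog is a separate store and is not covered here.

```python
"""Scan an IIS 6 metabase.xml for places where a given account is configured.

Added example, not from the original post. METABASE_XML is a constructed
fragment; the attribute names are assumed to match the IIS 6 schema, and the
scan matches any attribute ending in "UserName" so a misremembered name is
not silently missed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed-down metabase with the suspect account
# configured as an application pool identity and as a UNC share identity.
METABASE_XML = r"""<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC" AnonymousUserName="IUSR_WEB01" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/DefaultAppPool" AppPoolIdentityType="2" />
<IIsApplicationPool Location="/LM/W3SVC/AppPools/LegacyPool" AppPoolIdentityType="3" WAMUserName="CONTOSO\AccountName" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AnonymousUserName="IUSR_WEB01" AppPoolId="DefaultAppPool" />
<IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Reports" Path="\\fileserver\reports" UNCUserName="contoso\accountname" />
<IIsSmtpServer Location="/LM/SmtpSvc/1" ServerComment="Default SMTP Virtual Server" />
</MBProperty>
</configuration>
"""


def local_name(qualified):
    """Strip the {namespace} prefix ElementTree puts on namespaced tags."""
    return qualified.rsplit("}", 1)[-1]


def normalize(account):
    """Compare accounts case-insensitively and ignore a DOMAIN\\ prefix."""
    return account.rsplit("\\", 1)[-1].lower()


def find_account_references(xml_text, account):
    """Return (element, Location, attribute, value) for every identity
    attribute in the metabase whose value names the given account."""
    root = ET.fromstring(xml_text)
    target = normalize(account)
    refs = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            name = local_name(attr)
            if name.lower().endswith("username") and normalize(value) == target:
                refs.append((local_name(elem.tag), elem.get("Location", "?"), name, value))
    return refs


if __name__ == "__main__":
    for ref in find_account_references(METABASE_XML, "AccountName"):
        print("%s at %s: %s=%s" % ref)
```

Run it against the real file (%SystemRoot%\system32\inetsrv\MetaBase.xml on IIS 6, and remember the live copy may differ from the on-disk one until the metabase is flushed) and every hit is a place where the stored password must be updated; an empty result, as in this case, means the stale credential lives somewhere else.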
So we decided to set breakpoints on the following functions in the inetinfo.exe process:
Then, whenever the problematic user account was used by inetinfo.exe, we could examine the call stack and dump file to clarify the scenario. Fortunately, this time we got just what we wanted.
We got the following dump files, one every hour, each time the account was locked out:
The call stacks were exactly the same:
Based on the above information, we can see that an SMTP client was connecting to the IIS SMTP service with the problematic username and a bad password, and that this is what caused the unexpected account lockout. This also fits the event itself: Logon Type 3 is a network logon, and a Logon Process of Advapi means the credentials were validated through a LogonUser call made by the caller process, here inetinfo.exe, on behalf of a remote client.
Since the culprit was now known to be an SMTP client, the customer checked the SMTP service log for the time of each lockout to find out which client (by its IP address) was still using the obsolete password. One thing to keep in mind when lining the two up: IIS writes its W3C-format logs with UTC timestamps, while the Security event log displays local time, so the server's time zone offset must be applied before matching entries.
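The correlation described above, as an added example that is not part of the original post. It takes the timestamps of the event 529 entries (local time, as the event log shows them), shifts them to UTC, and looks in an IIS SMTP W3C log for AUTH commands within a few seconds of each one; a client that appears in every window is the one still using the old password, while a client that merely happens to be nearby once is ranked below it. Both the failure times and the log lines are constructed for illustration, with a reduced #Fields header; the parser reads whatever fields the header declares, so it works on the fuller default field set too. The server is assumed to run at UTC+8.

```python
"""Correlate Security-log logon failures with IIS SMTP W3C log lines.

Added example, not from the original post. FAILURE_TIMES_LOCAL and SMTP_LOG
are constructed samples; the #Fields line drives the column mapping, so a
real log with more columns parses the same way.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: times of event 529 for the locked account, as shown
# in the Security log (server local time, assumed UTC+8).
FAILURE_TIMES_LOCAL = [
    "2008-03-10 09:02:15",
    "2008-03-10 10:02:17",
    "2008-03-10 11:02:14",
]

# Constructed sample of an IIS SMTP W3C log. Entries are in UTC, as IIS
# writes them. sc-status 535 is the SMTP "authentication failed" reply.
SMTP_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-03-10 01:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2008-03-10 01:00:03 10.0.0.7 mail.example.test EHLO - 250
2008-03-10 01:00:04 10.0.0.7 mail.example.test MAIL +FROM:<a@example.test> 250
2008-03-10 01:02:14 192.168.5.23 LEGACYAPP EHLO - 250
2008-03-10 01:02:15 192.168.5.23 LEGACYAPP AUTH LOGIN 535
2008-03-10 01:02:15 192.168.5.23 LEGACYAPP QUIT - 240
2008-03-10 01:40:02 10.0.0.9 WS09 AUTH LOGIN 235
2008-03-10 02:02:16 192.168.5.23 LEGACYAPP EHLO - 250
2008-03-10 02:02:17 192.168.5.23 LEGACYAPP AUTH LOGIN 535
2008-03-10 03:02:13 192.168.5.23 LEGACYAPP EHLO - 250
2008-03-10 03:02:14 192.168.5.23 LEGACYAPP AUTH LOGIN 535
2008-03-10 03:02:14 10.0.0.9 WS09 AUTH LOGIN 235
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.startswith("#Fields:"):
                fields = raw.split()[1:]
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = raw.split(" ")
        if len(values) != len(fields):
            continue  # skip a malformed or truncated line
        yield dict(zip(fields, values))


def auth_clients_near(failure_times_local, log_text, utc_offset_hours, window_seconds=5):
    """Return a Counter mapping client IP -> number of failure windows in
    which that client issued an AUTH command.  A client present in every
    window is the one replaying the stale password."""
    utc_offset = timedelta(hours=utc_offset_hours)
    window = timedelta(seconds=window_seconds)
    failures_utc = [datetime.strptime(t, "%Y-%m-%d %H:%M:%S") - utc_offset
                    for t in failure_times_local]
    auth_entries = [e for e in parse_w3c(log_text) if e.get("cs-method") == "AUTH"]
    hits = Counter()
    for failed_at in failures_utc:
        seen = set()  # count each client once per window
        for e in auth_entries:
            when = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
            if abs(when - failed_at) <= window:
                seen.add(e["c-ip"])
        hits.update(seen)
    return hits


if __name__ == "__main__":
    for ip, count in auth_clients_near(FAILURE_TIMES_LOCAL, SMTP_LOG, 8).most_common():
        print("%s seen in %d of %d lockout windows" % (ip, count, len(FAILURE_TIMES_LOCAL)))
```

On the sample data 192.168.5.23 is present at all three lockouts and 10.0.0.9 at only one, which is exactly the separation you want before walking over to a machine and resetting its stored credentials. The same approach works with event 4625 on later Windows versions, and the time window can be widened if the Security log and the SMTP log are on hosts whose clocks drift.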
Yong Kang Chen