Microsoft Forefront Unified Access Gateway 2010 logs Event 14 (User Login Failed) to the Web Monitor log file when a user enters an incorrect user name or password or when the Unified Access Gateway account lockout threshold is reached. In either case, the event text does not contain the source IP address of the client and is missing the user name for the account lockout threshold event. This can make it difficult to locate the user or device that is causing the failed log on.
The event text that is logged in the Web Monitor log file resembles one of the following:
Event text 1
Event text 2
The Source IP address is missing if Basic authentication is used to authenticate the client to Unified Access Gateway. This typically occurs only for ActiveSync clients, although Outlook can be configured to use Basic authentication also. The user name is missing regardless of which authentication scheme is used.
The event text that is logged in the Web Monitor log file resembles one of the following:
Event text 1
Event text 2
The Source IP address is missing if Basic authentication is used to authenticate the client to Unified Access Gateway. This typically occurs only for ActiveSync clients, although Outlook can be configured to use Basic authentication also. The user name is missing regardless of which authentication scheme is used.