Update: Since posting, I am able to perform an nDepth search to find failed authentication requests to OWA.
Refine the query with the following conditions:
WebTrafficAudit.AlertActivityType=HTTP-401 AND WebTrafficAudit.URL=<URL> (e.g. 192.168.0.1/owa/auth.owa)
Specify a time period and run the search.
I have yet to distinguish auth success events generated by users logging into OWA from general navigation through OWA. Any help on refining my results to show only these events would be highly appreciated.
It's been a while since I had to manage OWA, so I'm pulling from a part of my memory that might be hazy. Here's the other way I'd approach it.
There should be actual UserLogon/UserLogoff/UserLogonFailure events generated from authentication to Exchange. Now, there's a possibility that this stuff is hidden in the Exchange audit logs, which are buried in the Exchange database and not the Event Logs, but since we're talking domain credentials I think there might be a couple of other directions to dig in.
First, look at the UserLogon, UserLogonFailure, and UserLogoff events that are generated ON the Exchange server. Look at the "LogonType" and see if you can tell OWA logins apart from other logins. I want to say there's a handoff between IIS and Exchange that makes them look like IIS logons by that user, but I can't quite remember what it looks like. You'll need to be auditing account logon (and possibly logon) success/failure on the Exchange server to see this.
UserLogon.InsertionIP = <exchange/OWA server>
(refine from there - UserLogon.LogonType, etc)
Next, there should be a UserAuthTicket/AuthTicketFailure at the least that happens on the DC as the Exchange/OWA server pings the DC to check the Kerberos auth ticket. There's a small possibility that it'll be an actual logon, but I think an AuthTicket/Failure are more likely. You'll have to be auditing the ticket requests/failures on the DC (which tend to be redundant to actual logons) to see this. It's likely that it'll have a SourceMachine of your Exchange/OWA servers.
UserAuthTicket.SourceMachine = <exchange/OWA server, possibly by IP>
With the IIS data for successes you might look for the first hit to an actual URL that's not the /auth.owa URL - maybe a URL with an actual value attached? Or a URL that's not / or /auth.owa? I can't quite remember the flow of the URLs (and I know they changed what gets logged after 2003, when you could see subjects of emails in bare URLs).
I might have some old OWA data I can dig in to help take a look - some things don't change.
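The Exchange-server and DC side of the second reply (LogonType on the Exchange server's own logon events, SourceMachine on the DC's ticket events), as an added example that is not part of the thread and not SolarWinds or Microsoft code. The events are constructed, flattened to the field names the Security log's XML view uses, and assume an Exchange/OWA server named EXCH01 at 192.168.0.1 and a DC named DC01. It also assumes that IIS validating OWA credentials is recorded on the Exchange server with LogonType 8 (NetworkCleartext), which is what IIS Basic and forms-based authentication produce; check that against your own server before relying on it, as the reply suggests. Event IDs are the standard ones: 4624/4625 for logon success/failure, 4768 for a Kerberos TGT request, 4771 for a Kerberos pre-authentication failure.

```python
from datetime import datetime, timedelta


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed Windows Security events (not real data). "Computer" is the host
# that logged the event. Assumed lab: Exchange/OWA server EXCH01 = 192.168.0.1, DC = DC01.
SAMPLE_EVENTS = [
    # On the Exchange server: IIS validating OWA credentials is assumed to appear as a
    # NetworkCleartext (LogonType 8) logon; IpAddress is the browser's address.
    {"Computer": "EXCH01", "EventID": 4624, "TimeCreated": ts("2012-03-05 08:00:15"),
     "TargetDomainName": "CORP", "TargetUserName": "jsmith", "LogonType": "8",
     "IpAddress": "10.1.2.3", "WorkstationName": "EXCH01", "AuthenticationPackageName": "Negotiate"},
    # Same server, an ordinary network logon (LogonType 3, e.g. Outlook/MAPI): not an OWA login.
    {"Computer": "EXCH01", "EventID": 4624, "TimeCreated": ts("2012-03-05 08:00:30"),
     "TargetDomainName": "CORP", "TargetUserName": "asmith", "LogonType": "3",
     "IpAddress": "10.1.5.5", "WorkstationName": "WKS-ASMITH", "AuthenticationPackageName": "Kerberos"},
    # Failed OWA attempt: 4625 with LogonType 8, Status 0xC000006D (unknown user or bad password).
    {"Computer": "EXCH01", "EventID": 4625, "TimeCreated": ts("2012-03-05 08:01:00"),
     "TargetDomainName": "CORP", "TargetUserName": "mallory", "LogonType": "8",
     "IpAddress": "10.9.9.9", "WorkstationName": "EXCH01", "Status": "0xC000006D"},
    # On the DC: TGT request (4768) for jsmith whose client address is the Exchange server.
    {"Computer": "DC01", "EventID": 4768, "TimeCreated": ts("2012-03-05 08:00:15"),
     "TargetUserName": "jsmith", "IpAddress": "::ffff:192.168.0.1", "Status": "0x0"},
    # DC: pre-auth failure (4771, Status 0x18 = wrong password), also from the Exchange server.
    {"Computer": "DC01", "EventID": 4771, "TimeCreated": ts("2012-03-05 08:01:00"),
     "TargetUserName": "mallory", "IpAddress": "::ffff:192.168.0.1", "Status": "0x18"},
    # DC: a desktop logon's TGT request straight from a workstation; not OWA, must be excluded.
    {"Computer": "DC01", "EventID": 4768, "TimeCreated": ts("2012-03-05 08:02:00"),
     "TargetUserName": "asmith", "IpAddress": "::ffff:10.1.5.5", "Status": "0x0"},
]


def norm_ip(addr):
    """The Security log writes IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip the prefix."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def owa_logon_events(events, exchange_host, logon_type="8"):
    """Logon success/failure events recorded ON the Exchange server whose LogonType
    marks them as IIS credential logons (the reply's UserLogon.InsertionIP + LogonType step)."""
    return [e for e in events
            if e["Computer"] == exchange_host
            and e["EventID"] in (4624, 4625)
            and e.get("LogonType") == logon_type]


def dc_ticket_events_from(events, exchange_ip):
    """Kerberos TGT requests (4768) and pre-auth failures (4771) whose client address is
    the Exchange server (the reply's UserAuthTicket.SourceMachine = <exchange/OWA server>)."""
    return [e for e in events
            if e["EventID"] in (4768, 4771)
            and norm_ip(e["IpAddress"]) == exchange_ip]


def correlate(events, exchange_host, exchange_ip, window=timedelta(seconds=5)):
    """Pair each Exchange-side OWA logon event with the DC ticket event for the same account
    within `window`: 4624 should line up with a 4768, 4625 with a 4771. The result keeps the
    browser's IP from the Exchange event, which the DC event alone cannot tell you."""
    tickets = dc_ticket_events_from(events, exchange_ip)
    results = []
    for e in owa_logon_events(events, exchange_host):
        outcome = "success" if e["EventID"] == 4624 else "failure"
        match = [t for t in tickets
                 if t["TargetUserName"].lower() == e["TargetUserName"].lower()
                 and abs(t["TimeCreated"] - e["TimeCreated"]) <= window
                 and (t["EventID"] == 4768) == (outcome == "success")]
        results.append({"user": e["TargetUserName"], "client_ip": e["IpAddress"],
                        "outcome": outcome, "dc_confirmed": bool(match)})
    return results


if __name__ == "__main__":
    for r in correlate(SAMPLE_EVENTS, "EXCH01", "192.168.0.1"):
        print(r)
```

Both filters exclude the LogonType 3 logon and the workstation's own TGT request, so what remains is the OWA traffic; the `dc_confirmed` flag is what tells an OWA login apart from a local IIS artefact when the two logs disagree.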
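The IIS side of the thread, as an added example that is not part of either post and not SolarWinds code: the original poster's nDepth condition (HTTP-401 on 192.168.0.1/owa/auth.owa) applied to raw IIS W3C log lines, plus the second reply's idea for successes, the first hit on a non-auth /owa/ URL after a POST to /owa/auth.owa. The log excerpt is constructed; the field subset, the client addresses, the account name and the 60-second pairing window are assumptions, and the assumption that the authenticated account appears in cs-username after the auth POST should be checked against your own logs.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt for an OWA virtual directory (not real data).
# s-ip 192.168.0.1 matches the server address used in the thread's nDepth query.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query sc-status
2012-03-05 08:00:01 10.1.2.3 - 192.168.0.1 GET /owa/auth/logon.aspx url=/owa/ 200
2012-03-05 08:00:05 10.1.2.3 - 192.168.0.1 POST /owa/auth.owa - 401
2012-03-05 08:00:09 10.1.2.3 - 192.168.0.1 POST /owa/auth.owa - 401
2012-03-05 08:00:15 10.1.2.3 - 192.168.0.1 POST /owa/auth.owa - 302
2012-03-05 08:00:16 10.1.2.3 CORP\\jsmith 192.168.0.1 GET /owa/ - 200
2012-03-05 08:00:20 10.1.2.3 CORP\\jsmith 192.168.0.1 GET /owa/ ae=Folder&t=IPF.Note 200
2012-03-05 08:01:00 10.9.9.9 - 192.168.0.1 POST /owa/auth.owa - 401
2012-03-05 08:01:02 10.9.9.9 - 192.168.0.1 POST /owa/auth.owa - 401
2012-03-05 08:01:04 10.9.9.9 - 192.168.0.1 POST /owa/auth.owa - 401
2012-03-05 08:01:06 10.9.9.9 - 192.168.0.1 POST /owa/auth.owa - 401
2012-03-05 08:30:00 10.1.2.3 CORP\\jsmith 192.168.0.1 GET /owa/ ae=Item&t=IPM.Note 200
"""

AUTH_STEM = "/owa/auth.owa"


def parse_iis(text):
    """Parse W3C-format IIS log text into dicts keyed by field name.
    Honours the #Fields directive, so any field order in the real log works."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log has no #Fields directive")
        rec = dict(zip(fields, line.split()))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def is_auth_post(rec):
    return rec["cs-method"] == "POST" and rec["cs-uri-stem"].lower() == AUTH_STEM


def failed_owa_auths(records, server_ip=None):
    """HTTP 401 responses on the OWA auth endpoint: the thread's
    AlertActivityType=HTTP-401 AND URL=<server>/owa/auth.owa condition over raw lines."""
    return [r for r in records
            if r["sc-status"] == "401"
            and r["cs-uri-stem"].lower() == AUTH_STEM
            and (server_ip is None or r["s-ip"] == server_ip)]


def failures_by_client(records, threshold=3):
    """Clients with at least `threshold` failed OWA auths: a simple password-guessing indicator."""
    counts = Counter(r["c-ip"] for r in failed_owa_auths(records))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def successful_owa_logons(records, window=timedelta(seconds=60)):
    """Logins only, not navigation: a non-401 POST to auth.owa followed within `window`
    by that client's first request to a different /owa/ URL. Later /owa/ hits from the
    same client with no new auth POST in front of them are ignored."""
    pending = {}   # c-ip -> timestamp of the client's most recent non-401 auth POST
    logons = []
    for r in sorted(records, key=lambda r: r["ts"]):
        ip, stem = r["c-ip"], r["cs-uri-stem"].lower()
        if is_auth_post(r):
            if r["sc-status"] != "401":
                pending[ip] = r["ts"]
            else:
                pending.pop(ip, None)
            continue
        if ip in pending and stem.startswith("/owa") and not stem.startswith("/owa/auth"):
            if r["ts"] - pending[ip] <= window:
                logons.append({"ts": r["ts"], "c-ip": ip, "user": r["cs-username"],
                               "first_url": r["cs-uri-stem"]})
            del pending[ip]
    return logons


if __name__ == "__main__":
    recs = parse_iis(SAMPLE_IIS_LOG)
    print(len(failed_owa_auths(recs, server_ip="192.168.0.1")), "failed OWA auths")
    print("repeat offenders:", failures_by_client(recs))
    for l in successful_owa_logons(recs):
        print("logon", l["ts"], l["user"], "from", l["c-ip"], "first URL", l["first_url"])
```

Run against the constructed excerpt it reports six failures, flags 10.9.9.9 as a repeat offender, and yields exactly one login (the /owa/ hit at 08:00:16), while the 08:00:20 and 08:30:00 navigation requests are left alone. A 401 from a GET to auth.owa still counts as a failure, and a 401 after a successful POST cancels the pending login so a stale POST cannot be paired with much later browsing.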