• Creator
  • #2213509

    Failure Audit 680


    by matthew moss ·

    I was going through our security logs on the exchange machine, and I noticed an insane amount of failure audit 680 events. I’m fairly new to the field, so after a few days of troubleshooting, I figured I’d reach out and see if anyone had suggestions.

    The error code we’re getting is 0xc0000064 – which according to Microsoft documentation means the user account doesn’t exist. But the logon accounts that are failing are all actual users we have.

    So far, I’ve tried changing the IIS metabase NtAuthenticationProviders from “NTLM”, to “Negotiate, NTLM”.

    Then, I changed the security settings on a user’s outlook to just NTLM authentication.

    I also changed the email server settings to “trusted for delegation” on the domain controllers active directory user and computer properties.

    No luck. The one thing i may try is applying this hotfix:

    But I wanted to see if anyone else had any other ideas before I moved forward.

    Thanks in advance!


All Answers

  • Author
    • #3027734


      by matthew moss ·

      In reply to Failure Audit 680


    • #3027683

      It this is only in the logs

      by seanferd ·

      In reply to Failure Audit 680

      and not affecting actual logins, I’d suggest either patching or ignoring it. Affecting logging into accounts or taking up way too much log space? Patch it.

      As MS says, it is an incorrect return. Unless the connection attempt are timing out due to actual server load or connectivity problems, it sounds like a good fix.

      In the past, I’ve installed the UPHClean service for a slightly similar problem which occurs when user accounts aren’t unloaded correctly at logoff or shutdown.

      • #3027430


        by matthew moss ·

        In reply to It this is only in the logs

        Thanks Sean for the reply. based on your feedback, i’ll probably just leave it alone. If it’s not broke, don’t fix it, i guess. and it’s not actually causing any login errors…


        • #3025613

          I hear that.

          by seanferd ·

          In reply to Thanks!

          Because you can’t be sure what else the patch might do, you may as well leave it alone. 😉

Viewing 1 reply thread