topic Re: Activeync, iislogs and user-id in Automation/API Discussions

Activeync, iislogs and user-id

BobW — Sun, 30 Dec 2012 22:06:40 GMT

I have been battling a problem for quite sometime. I think the end result is I somehow need to dig through the IISLogs for activesync information and pass it to the PA via their API. Unfortunately I have no clue how to get started on this.

Story is as follows:

Typical AD environment. Ipads and other non domain devices are coming inside our network. Since the PA can monitor the internal exchange server logs and determine User-IDs, I figured this was the perfect solution to be able to use the PA rules by User-ID, regardless of the device. If all else fails it falls back to the captive portal.

It ends up that the only time the authentication of an "activesync" client is logged to the windows event logs is during the setup process....why, I am not sure. But I can see the activesync activity in the IIS logs but NOT in the windows event logs.

End result is the Ipad IP-user mapping expires and falls back to the captive portal. While the captive portal does work, the timeout for the user is limited to 1440 minutes and is not terribly convenient for my many types of users (young students to teachers and everything between), especially since they are already authenticating for email!

Anyway, any thoughts would be appreciated,

Bob

Re: Activeync, iislogs and user-id

npiagentini — Tue, 15 Jan 2013 19:42:15 GMT

Hi Bob,

I just posted a doc that uses this specific Active Sync event as an example. Would you take a look at it and let me know if it addresses your situation?

Using Windows Events as sources for the User-ID XML-API

Nick

Re: Activeync, iislogs and user-id

BobW — Tue, 15 Jan 2013 22:15:41 GMT

Thank you for your help. However, I am not seeing any events on my DCs, or exchange server, that contain an the IP address of one of the ipads.

Please note that I am currently on Exchange 2007, not sure if that matters.

Thanks,

Bob

Re: Activeync, iislogs and user-id

npiagentini — Tue, 15 Jan 2013 22:29:58 GMT

Hi Bob,

Can you check to see if you are getting event 4624 on your Exchange server?

Nick

Re: Activeync, iislogs and user-id

BobW — Tue, 15 Jan 2013 22:45:49 GMT

I am not seeing any events 4624 on Exchange. I have enabled auditing via GPO for a number of items on the server and still nothing. I am seeing some 4624s on the DCs, but no reference to the Ipad IP addresses.

Thanks

bob

Re: Activeync, iislogs and user-id

npiagentini — Tue, 15 Jan 2013 22:55:46 GMT

Hi Bob,

I can see these messages on my Exchange 2007 server in my lab. Do you have all the exchange roles installed on the same server or did you separate out the CAS role? If we need to dig into the log files it becomes more complex....

Nick

Re: Activeync, iislogs and user-id

BobW — Tue, 15 Jan 2013 23:24:56 GMT

All are on a single Exchange server. I did inherit this server and it is a sketchy build (at best). I will look for some more places that the previous admin may have disabled some logging. I do know they did all kinds of strange things on this network.

Thanks again and any further suggestions would be appreciated.

Bob