ActiveSync, iislogs and user-id


L4 Transporter

I have been battling a problem for quite some time. I think the end result is I somehow need to dig through the IIS logs for ActiveSync information and pass it to the PA via their API. Unfortunately I have no clue how to get started on this.

Story is as follows:

Typical AD environment. iPads and other non-domain devices are coming inside our network. Since the PA can monitor the internal Exchange server logs and determine User-IDs, I figured this was the perfect solution to be able to use the PA rules by User-ID, regardless of the device. If all else fails it falls back to the captive portal.

It ends up that the only time the authentication of an "ActiveSync" client is logged to the Windows event logs is during the setup process... why, I am not sure. But I can see the ActiveSync activity in the IIS logs but NOT in the Windows event logs.

End result is the iPad IP-user mapping expires and falls back to the captive portal. While the captive portal does work, the timeout for the user is limited to 1440 minutes and is not terribly convenient for my many types of users (young students to teachers and everything between), especially since they are already authenticating for email!

Anyway, any thoughts would be appreciated,
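A sketch of the approach the post above asks about, added here as an example (it is not code from the thread or from Palo Alto Networks): it reads IIS W3C log lines, keeps only authenticated ActiveSync requests, and builds a User-ID XML API `uid-message` login payload. The sample log, its field order, the function names and the 60-minute timeout are assumptions; sending the payload to the firewall is left out.

```python
from xml.sax.saxutils import quoteattr

# Constructed sample of an IIS W3C log (not taken from the thread).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2012-03-01 14:02:11 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=Appl1&DeviceType=iPad&Cmd=Sync 443 SCHOOL\\jdoe 10.20.30.41 Apple-iPad2C1/901.405 200
2012-03-01 14:02:15 POST /Microsoft-Server-ActiveSync User=asmith&DeviceId=Appl2&DeviceType=iPad&Cmd=Ping 443 SCHOOL\\asmith 10.20.30.42 Apple-iPad2C1/901.405 401
2012-03-01 14:03:40 GET /owa/ - 443 SCHOOL\\bteacher 10.20.30.50 Mozilla/5.0 200
2012-03-01 14:05:02 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=Appl1&DeviceType=iPad&Cmd=Ping 443 SCHOOL\\jdoe 10.20.30.77 Apple-iPad2C1/901.405 200
2012-03-01 14:06:00 OPTIONS /Microsoft-Server-ActiveSync - 443 - 10.20.30.99 Apple-iPad2C1/901.405 401
"""

def activesync_mappings(lines):
    """Return {client_ip: username} for successful, authenticated ActiveSync hits."""
    fields, mapping = [], {}
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        if row.get("cs-uri-stem", "").lower() != "/microsoft-server-activesync":
            continue
        user, ip = row.get("cs-username", "-"), row.get("c-ip")
        # Skip anonymous hits and non-2xx responses: a name on a 401 line
        # was never verified and must not become a firewall mapping.
        if not ip or user == "-" or not row.get("sc-status", "").startswith("2"):
            continue
        mapping[ip] = user                 # later lines win: newest user per IP
    return mapping

def uid_message(mapping, timeout_min=60):
    """Build a User-ID XML API login message; timeout_min is an assumed value."""
    entries = "".join(
        f"<entry name={quoteattr(user)} ip={quoteattr(ip)} "
        f"timeout={quoteattr(str(timeout_min))}/>"
        for ip, user in sorted(mapping.items()))
    return ("<uid-message><version>1.0</version><type>update</type>"
            f"<payload><login>{entries}</login></payload></uid-message>")

if __name__ == "__main__":
    print(uid_message(activesync_mappings(SAMPLE_LOG.splitlines())))
```
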



L2 Linker

Hi Bob,

I just posted a doc that uses this specific Active Sync event as an example. Would you take a look at it and let me know if it addresses your situation?

Using Windows Events as sources for the User-ID XML-API


Thank you for your help. However, I am not seeing any events on my DCs, or Exchange server, that contain the IP address of one of the iPads.

Please note that I am currently on Exchange 2007, not sure if that matters.



Hi Bob,

Can you check to see if you are getting event 4624 on your Exchange server?


I am not seeing any events 4624 on Exchange. I have enabled auditing via GPO for a number of items on the server and still nothing. I am seeing some 4624s on the DCs, but no reference to the iPad IP addresses.



Hi Bob,

I can see these messages on my Exchange 2007 server in my lab. Do you have all the Exchange roles installed on the same server or did you separate out the CAS role? If we need to dig into the log files it becomes more complex...


All are on a single Exchange server. I did inherit this server and it is a sketchy build (at best). I will look for some more places that the previous admin may have disabled some logging. I do know they did all kinds of strange things on this network.

Thanks again and any further suggestions would be appreciated.

