{"id":1348,"date":"2024-07-18T12:37:02","date_gmt":"2024-07-18T10:37:02","guid":{"rendered":"https:\/\/itblog.wildi.dk\/?p=1348"},"modified":"2024-07-18T12:37:02","modified_gmt":"2024-07-18T10:37:02","slug":"exchange-hybrid-agent-invalid-username-or-password","status":"publish","type":"post","link":"https:\/\/itblog.wildi.dk\/?p=1348","title":{"rendered":"Exchange Hybrid Agent «Invalid Username or Password»"},"content":{"rendered":"\n

Unser internes Netzwerk ist auf einem hohen Level bez\u00fcglich Sicherheit. Netzwerk-segmente, Policies, etc. sind sehr stark eingeschr\u00e4nkt.<\/p>\n\n\n\n

Bei der Installation des Exchange Hybrid Agents<\/a> stoss ich auf folgenden Fehler:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Die Fehlersuche startet ich im lokalen Eventlog, und wurde f\u00fcndig:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tDOMAIN\\adminuser\n\tAccount Name:\t\tadminuser\n\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x4FEC3\n\nLogon Type:\t\t\t2\n\nAccount For Which Logon Failed:\n\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\tsvc_ServiceAccount\n\tAccount Domain:\t\tDOMAIN\n\nFailure Information:\n\tFailure Reason:\t\tThe user has not been granted the requested logon type at this machine.\n\tStatus:\t\t\t0xC000015B\n\tSub Status:\t\t0x0\n\nProcess Information:\n\tCaller Process ID:\t0x2ef8\n\tCaller Process Name:\tC:\\Users\\adminuser\\AppData\\Local\\Apps\\2.0\\94JYCV39.N4Q\\0EWQ5O80.Q5K\\micr..tion_5661bd3e342e4e9f_0011.0001_9a1ee13031f92f9c\\Microsoft.Online.CSE.Hybrid.App.exe\n\nNetwork Information:\n\tWorkstation Name:\tSERVERNAME\n\tSource Network Address:\t-\n\tSource Port:\t\t-\n\nDetailed Authentication Information:\n\tLogon Process:\t\tAdvapi  \n\tAuthentication Package:\tNegotiate\n\tTransited Services:\t-\n\tPackage Name (NTLM only):\t-\n\tKey Length:\t\t0\n\nThis event is generated when a logon request fails. It is generated on the computer where access was attempted.\n\nThe Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.\n\nThe Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).\n\nThe Process Information fields indicate which account and process on the system requested the logon.\n\nThe Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.\n\nThe authentication information fields provide detailed information about this specific logon request.\n\t- Transited services indicate which intermediate services have participated in this logon request.\n\t- Package name indicates which sub-protocol was used among the NTLM protocols.\n\t- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.<\/code><\/pre>\n\n\n\n
«Logon Type 2» bedeutet gem\u00e4ss Microsoft<\/a> «Interactive (also known as, Logon locally)». Schnell hatte ich den Verdacht, dass die GPO’s der Microsoft Security Baselines<\/a> dies verhindern. Und so war es auch:<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\n
«Lokal anmelden zulassen» ist nur f\u00fcr «VORDEFINIERT\\Administratoren» zugelassen<\/p>\n<\/blockquote>\n\n\n\n
Wir haben den Service-Account f\u00fcr die Einrichtung durch den Hybrid-Wizard tempor\u00e4r zu den lokalen Administratoren hinzugef\u00fcgt. So m\u00fcssen wir die MSFT-GPO’s nicht anpassen, und die Security ist weiterhin gew\u00e4hrleistet, ohne zus\u00e4tzliche Rechte.<\/p>\n","protected":false},"excerpt":{"rendered":"
Unser internes Netzwerk ist auf einem hohen Level bez\u00fcglich Sicherheit. Netzwerk-segmente, Policies, etc. sind sehr stark eingeschr\u00e4nkt. Bei der Installation… Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"[]"},"categories":[13,105,14],"tags":[],"class_list":["post-1348","post","type-post","status-publish","format-standard","hentry","category-exchange","category-exchange-hybrid","category-exchange-online"],"_links":{"self":[{"href":"https:\/\/itblog.wildi.dk\/index.php?rest_route=\/wp\/v2\/posts\/1348","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/itblog.wildi.dk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itblog.wildi.dk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itblog.wildi.dk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/itblog.wildi.dk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1348"}],"version-history":[{"count":1,"href":"https:\/\/itblog.wildi.dk\/index.php?rest_route=\/wp\/v2\/posts\/1348\/revisions"}],"predecessor-version":[{"id":1353,"href":"https:\/\/itblog.wildi.dk\/index.php?rest_route=\/wp\/v2\/posts\/1348\/revisions\/1353"}],"wp:attachment":[{"href":"https:\/\/itblog.wildi.dk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1348"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itblog.wildi.dk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1348"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itblog.wildi.dk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1348"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}