Article ID: 2592929
When a Microsoft Forefront Threat Management Gateway (TMG) 2010 web proxy or web publishing client tries to authenticate to TMG but provides incorrect credentials, the TMG logs cannot be used to identify the source of the request.
This issue occurs when an authentication attempt that is made to TMG fails. When this occurs, the request is handled as an anonymous request and will appear in the web proxy logs with the username logged as Anonymous.
The Security event logs on the TMG server will log an "Event ID 4265 Failed Logon attempt," include the domain and username, and state that the authentication attempt originated from the Firewall Service (wspsrv.exe). Because the originating request is logged in the web proxy logs as Anonymous, the TMG logs cannot be used to identify the request that caused the failed authentication attempt.
Where an account lockout occurs after several failed authentication attempts that are made by incoming web proxy or web publishing requests (for example, an ActiveSync device that has a user's old password saved), you cannot identify the source of that request from the TMG logs.
To resolve this problem, install the service pack that is described in the following Microsoft Knowledge Base article:
2555840 (http://support.microsoft.com/kb/2555840/) Description of Service Pack 2 for Microsoft Forefront Threat Management Gateway 2010
By default, the change in behavior is not enabled, and the following script should be run to enable the new behavior. After you enable the new behavior, TMG will log the username that is associated with a failed logon attempt in the Username field as follows, instead of being logged as Anonymous:
domain\username (!)
The "(!)" that is appended to the username indicates that authentication was tried for this user for this request but that the authentication failed. The request will still be treated as Anonymous by TMG in all other aspects, such as rule processing.
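Once the "(!)" marker is being logged, the source of a lockout can be found by grouping marked rows by account and client. The following Python script is an added example, not part of the Microsoft article: it assumes the web proxy log has been exported as tab-delimited text with a `#Fields:` header, and the column names (`c-ip`, `cs-username`, `c-agent`), the sample rows and the threshold are constructed for illustration.

```python
from collections import Counter

FAILED_MARK = "(!)"  # suffix TMG appends to the username when authentication failed

# Constructed sample export; column names and order are assumptions.
SAMPLE_LOG = (
    "#Fields: date\ttime\tc-ip\tcs-username\tc-agent\n"
    "2011-10-31\t09:00:01\t10.0.0.21\tCONTOSO\\alice (!)\tExampleSync/1.0\n"
    "2011-10-31\t09:00:05\t10.0.0.30\tCONTOSO\\bob\tExampleBrowser/9.0\n"
    "2011-10-31\t09:00:31\t10.0.0.21\tcontoso\\Alice (!)\tExampleSync/1.0\n"
    "2011-10-31\t09:00:40\t10.0.0.52\tanonymous\tExampleBrowser/9.0\n"
    "2011-10-31\t09:01:01\t10.0.0.21\tCONTOSO\\alice (!)\tExampleSync/1.0\n"
    "2011-10-31\t09:02:10\t10.0.0.44\tCONTOSO\\alice (!)\tExampleBrowser/9.0\n"
)


def failed_auth_sources(log_text):
    """Count failed-authentication rows per (account, client IP, user agent)."""
    fields = None
    hits = Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Header may reappear after log rollover; always use the latest one.
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split("\t")))
        user = row.get("cs-username", "").strip()
        if user.endswith(FAILED_MARK):
            # Strip the marker and fold case so DOMAIN\User variants group together.
            account = user[: -len(FAILED_MARK)].strip().lower()
            hits[(account, row.get("c-ip", "?"), row.get("c-agent", "?"))] += 1
    return hits


def lockout_suspects(hits, threshold=3):
    """Return sources whose failures for one account reach the threshold."""
    return [(key, n) for key, n in hits.most_common() if n >= threshold]


if __name__ == "__main__":
    for (account, ip, agent), n in lockout_suspects(failed_auth_sources(SAMPLE_LOG)):
        print(f"{account}: {n} failed attempts from {ip} ({agent})")
```

Set the threshold to match the domain's account lockout policy so that the reported source corresponds to the lockout being investigated.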
To enable this functionality, follow these steps:
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
This new functionality is intended to support the identification of failed authentication attempts that are validated against Active Directory. The new functionality specifically supports the following authentication options:
For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 (http://support.microsoft.com/kb/824684/) Description of the standard terminology that is used to describe Microsoft software updates
Article ID: 2592929 - Last Review: October 31, 2011 - Revision: 2.0