FIX: Source IP and user name missing from Event ID 14 in the Web Monitor log file

Applies to: Forefront Unified Access Gateway 2010


Microsoft Forefront Unified Access Gateway 2010 logs Event 14 (User Login Failed) to the Web Monitor log file when a user enters an incorrect user name or password or when the Unified Access Gateway account lockout threshold is reached. In either case, the event text does not contain the source IP address of the client and is missing the user name for the account lockout threshold event. This can make it difficult to locate the user or device that is causing the failed log on.

The event text that is logged in the Web Monitor log file resembles one of the following:

Event text 1

Event text 2

The Source IP address is missing if Basic authentication is used to authenticate the client to Unified Access Gateway. This typically occurs only for ActiveSync clients, although Outlook can be configured to use Basic authentication also. The user name is missing regardless of which authentication scheme is used.


This problem occurs if Unified Access Gateway cannot pass the appropriate values into the structures that are used to generate these events.


This problem is fixed in Rollup 1 for Forefront Unified Access Gateway 2010 Service Pack 4.


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


Learn about the terminology that Microsoft uses to describe software updates.