Hi all,
Please review the following and share your comments or suggestions. It would be nice if you could give your votes if it makes sense.
I am the admin for about 1500 MAPI users. In the admin log, I found the log bombarded with the following types of messages:
[2022.03.16] 01:24:22.119 [1.1.1.1] MAPIEWS NTLM; AuthenticateMessage; User not found [WindowsUsername@Hostname]
[2022.03.16] 01:24:22.119 [1.1.1.1] Autodiscover NTLM; AuthenticateMessage; User not found [WindowsUsername@Hostname]
These logs are generated when MAPI Outlook starts, and each start leaves 2~10 lines. In January it was 7k lines, but now it's 16k lines (12 MB). According to Kyle, this log is expected and benign. It is a part of how Outlook attempts to authenticate with Exchange-based hosts. After attempting the local domain authentication via NTLM, it will eventually fall back to SRV and DNS records to complete the logon process. It can possibly be disabled via GPO policy changes.
Changing the admin log level to Exception only didn't mask these logs. Kyle submitted a feature request to lower the level of this log message to Detailed.
Your vote or comment would help bring more attention. Thank you.
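Since the log level cannot hide these lines yet, an added example (not part of the original post, and not the mail server's own tooling) that parses the admin-log layout quoted above and groups the expected "User not found" NTLM noise by client IP, so that the startup chatter from one workstation is distinguishable from a client presenting many different usernames. The sample lines, the IP addresses, the usernames, the omitted trailing bracketed token and the `max_users_per_ip` threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the quoted admin-log entries (the trailing
# bracketed token present on the real lines is omitted here); one non-matching line
# is included to show that unrelated entries are skipped.
SAMPLE_LOG = """\
[2022.03.16] 01:24:22.119 [1.1.1.1] MAPIEWS NTLM; AuthenticateMessage; User not found [WindowsUsername@Hostname]
[2022.03.16] 01:24:22.119 [1.1.1.1] Autodiscover NTLM; AuthenticateMessage; User not found [WindowsUsername@Hostname]
[2022.03.16] 01:24:23.004 [1.1.1.1] MAPIEWS NTLM; AuthenticateMessage; User not found [WindowsUsername@Hostname]
[2022.03.16] 01:30:00.000 [1.1.1.1] SMTP Login failed for user bob
[2022.03.16] 02:01:05.311 [10.0.0.7] MAPIEWS NTLM; AuthenticateMessage; User not found [alice@LAPTOP-A]
[2022.03.16] 02:01:05.390 [10.0.0.7] Autodiscover NTLM; AuthenticateMessage; User not found [bob@LAPTOP-B]
[2022.03.16] 02:01:05.452 [10.0.0.7] MAPIEWS NTLM; AuthenticateMessage; User not found [carol@LAPTOP-C]
"""

# Reconstructed from the two quoted lines (assumption):
# [date] time [client-ip] <service> NTLM; AuthenticateMessage; User not found [user@host]
LINE_RE = re.compile(
    r"^\[(?P<date>[\d.]+)\] (?P<time>[\d:.]+) \[(?P<ip>[^\]]+)\] "
    r"(?P<service>\S+) NTLM; AuthenticateMessage; User not found "
    r"\[(?P<user>[^\]]+)\]"
)

def parse_line(line):
    """Return the fields of one NTLM 'User not found' line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(log_text):
    """Group the noise by client IP: number of lines and the distinct user@host values seen."""
    by_ip = defaultdict(lambda: {"lines": 0, "users": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_ip[rec["ip"]]["lines"] += 1
        by_ip[rec["ip"]]["users"].add(rec["user"])
    return by_ip

def outliers(by_ip, max_users_per_ip=2):
    """A single Outlook client normally presents one Windows user@host at startup;
    IPs presenting more distinct ones than the threshold are worth a closer look."""
    return sorted(ip for ip, e in by_ip.items() if len(e["users"]) > max_users_per_ip)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, e in sorted(summary.items()):
        print(f"{ip}: {e['lines']} lines, {len(e['users'])} distinct user@host")
    print("outliers:", outliers(summary))
```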