With the advent of Mac OS X 10.6 aka Snow Leopard, the capability is present in Mail.app (aka Apple Mail), iCal and Address Book to support Microsoft Exchange accounts (for setup using Entourage, look here).  Software doesn’t always behave the way you would think it should, and in this case, an unusual side effect seems to have “come along for the ride.”

Recently I noticed a strange “signature” in the audit logs of our Exchange client access server.  Within one second, I would see an entry like this:

Event Type:    Failure Audit
Event Source:    Security
Event Category:    Account Logon
Event ID:    680
Date:        2/5/2010
Time:        9:53:51 AM
User:        NT AUTHORITY\SYSTEM
Computer:    EXAMPLE-CAS
Description:
Logon attempt by:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account:   <username>
Source Workstation:   <remote-Workstation>
Error Code:    0xC0000064

Immediately followed by…

Event Type:    Success Audit
Event Source:    Security
Event Category:    Logon/Logoff
Event ID:    540
Date:        2/5/2010
Time:        9:53:51 AM
User:        EXAMPLE\<username>
Computer:    EXAMPLE-CAS
Description:
Successful Network Logon:
User Name:    <username>
Domain:        EXAMPLE
Logon ID:        (0x0,0x51023AE)
Logon Type:    3
Logon Process:    NtLmSsp
Authentication Package:    NTLM
Workstation Name:   remoteWorkstation
Logon GUID:    –
Caller User Name:    –
Caller Domain:    –
Caller Logon ID:    –
Caller Process ID: –
Transited Services: –
Source Network Address:    a.b.c.d
Source Port:    <ephemeral port>

These entries occurred in pairs within about one second and seemed to recur about every 60 seconds.  In some cases there was more than one such pair, but each pair seemed to recur at the same regular interval.  It seemed to only happen with users that I knew were using Macintosh computers.  The error code (0xC0000064) indicates an unknown user or bad password.  The users exist within the Active Directory domain of course; it is clear that the authentication attempt is against the “local” server, not the domain, and none of these users have local accounts on the Exchange client access server.

The configuration for Mail.app is completed auto-magically from a wizard that attempts to get the right information, and indeed it is successful, or so it seems.  After some experimentation, it turns out that the pairs of event log entries were for each of the members of this triumvirate (Mail.app, iCal, and Address Book) that the user had open.  If only Mail.app, then a single pair of entries appears every 60 seconds, but if Mail.app and iCal, then there would be two pairs, each one in a 60 second interval, etc.  Perhaps there is some use case for this behavior, but it seems downright silly to me — it tries one, fails, and then tries and succeeds with the other authentication mechanism.

Is there a fix, I wondered?  It turns out that if you modify the configuration settings for each application to include the domain along with the username, the failed log entries vanish!

This was all tested and confirmed with Mail.app 4.2 (1077).  Perhaps Apple will fix this silliness if they ever learn about it, but if you don’t like your Exchange CAS being peppered with authentication failures, then have your users adjust their configurations of each application!
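To find which accounts still generate the pattern described above, the following added example (not part of the original post) pairs each 680 failure with a 540 success for the same account within one second and reports the accounts whose pairs repeat about every 60 seconds, with an estimate of how many clients are producing them. The record tuples, account names and tolerance values are constructed assumptions; real use would first export the Security log into this shape.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ERROR_CODE = "0xC0000064"  # error code of the 680 failure entries shown above
def _pair(ts, acct):  # constructed 680 failure + 540 success (logon type 3)
    return [(ts, 680, acct, ERROR_CODE), (ts, 540, acct, "3")]

# Constructed sample records: (timestamp, event ID, account, error code or logon type).
SAMPLE = sum((_pair(ts, acct) for ts, acct in [
    ("2010-02-05 09:53:51", "alice"), ("2010-02-05 09:54:51", "alice"),
    ("2010-02-05 09:55:51", "alice"),                         # one app open
    ("2010-02-05 09:53:10", "dave"), ("2010-02-05 09:53:30", "dave"),
    ("2010-02-05 09:54:10", "dave"), ("2010-02-05 09:54:30", "dave"),
    ("2010-02-05 09:55:10", "dave"), ("2010-02-05 09:55:30", "dave"),  # two apps
]), []) + [
    ("2010-02-05 09:54:10", 680, "bob", ERROR_CODE),          # failure, no success
    ("2010-02-05 09:56:00", 540, "carol", "3"),               # ordinary logon
]

def find_pairs(records, window=timedelta(seconds=1)):
    """Map account -> times of 680 failures followed by a 540 within `window`."""
    fails, oks = defaultdict(list), defaultdict(list)
    for ts, event_id, acct, detail in records:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == 680 and detail.lower() == ERROR_CODE.lower():
            fails[acct.lower()].append(when)
        elif event_id == 540 and detail == "3":
            oks[acct.lower()].append(when)
    pairs = {}
    for acct, fail_times in fails.items():
        free, matched = sorted(oks[acct]), []
        for ft in sorted(fail_times):
            hit = next((ok for ok in free if timedelta(0) <= ok - ft <= window), None)
            if hit is not None:
                free.remove(hit)          # each success pairs with one failure only
                matched.append(ft)
        pairs[acct] = matched
    return {acct: times for acct, times in pairs.items() if times}

def recurring_accounts(records, period=60, tolerance=5, min_repeats=2):
    """Map account -> estimated number of clients emitting a pair every `period` s."""
    result = {}
    for acct, times in find_pairs(records).items():
        # Count pairs that have another pair for the same account one period later.
        repeats = sum(any(abs((later - t).total_seconds() - period) <= tolerance
                          for later in times) for t in times)
        if repeats >= min_repeats:
            # Pairs inside the first period approximate the number of open apps.
            result[acct] = sum((t - times[0]).total_seconds() < period - tolerance
                               for t in times)
    return result
```

Accounts returned by `recurring_accounts` are the ones whose client configuration still lacks the domain in the username.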
