You can try to log the property "Authentication.FailureReason" to see why authentication failed. This will show, for example, if an account was locked. If it only happens from time to time and the user account is OK, you can enable debug logging under Configuration -> Troubleshooting -> Authentication Troubleshooting. Here you can write all authentication events for a specific client IP.
Please note that this is a DEBUG log, therefore it writes a lot of data and should not be left enabled for a long time!
If those details do not contain something useful for you file an SR with support.
Thank you Andre, this is exactly what I need to see. But Andre, I have not found any document or article explaining how to use the mentioned property!
Could you please help me with how to use it and where I would find the desired log files?
Thanks in advance
You need to create an additional log file. Take a look at how the "access_denied" log is written in MWG. You will find it in Policy -> Log Handlers. Similar to the policy, the log files are written by rules, and the values written are just a bunch of properties whose content gets printed to the log.
The access denied log is written when the status code is 403 to make sure we only write a log line when an error occurs. We want to do a similar thing, but we want to write a log line if Authentication.FailureReasonID is not 0 (0 = All fine).
So you could create a new rule set "Authentication Log". You add a rule with a criterion like "Authentication.FailureReasonID greater than 0" and add some Events to write a log file. You should be able to get the idea of how to write the log from the access_denied.log, for example. You want to log the Time/Date, the client IP address and the "Authentication.FailureReason" property.
Then MWG will write a log line to the new log whenever authentication failed, for whatever reason. Hopefully this helps to define the next steps.
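Once such an "Authentication Log" rule set is in place, the next question is what to do with the lines it produces. The following is an added example, not code from the thread or from McAfee Web Gateway: a small Python parser that reads lines in an assumed format (timestamp, client IP, Authentication.FailureReasonID, Authentication.FailureReason, written as the log handler events would print them) and aggregates failures per reason and per client, flagging clients that fail repeatedly. The sample lines, their layout and the numeric reason IDs are constructed for illustration and are not MWG's real values; the `repeat_threshold` parameter is this example's own.

```python
import re
from collections import Counter

# Constructed sample output of the hypothetical "Authentication Log" handler.
# Assumed layout per line: [timestamp] client_ip FailureReasonID "FailureReason"
# The IDs and reason strings are made up for this example, not MWG's real values.
SAMPLE_LOG = """\
[15/Mar/2023:08:01:12 +0000] 10.0.0.15 7 "Account locked"
[15/Mar/2023:08:01:40 +0000] 10.0.0.15 7 "Account locked"
[15/Mar/2023:08:02:05 +0000] 10.0.0.23 3 "Invalid credentials"
[15/Mar/2023:08:02:33 +0000] 10.0.0.15 7 "Account locked"
[15/Mar/2023:08:03:10 +0000] 10.0.0.42 5 "Domain controller unreachable"
[15/Mar/2023:08:03:11 +0000] 10.0.0.23 0 "OK"
"""

# One regex for the assumed line layout; named groups keep the field mapping explicit.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+'        # timestamp in square brackets
    r'(?P<client_ip>\S+)\s+'         # client IP address
    r'(?P<reason_id>\d+)\s+'         # Authentication.FailureReasonID
    r'"(?P<reason>[^"]*)"\s*$'       # Authentication.FailureReason, quoted
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["reason_id"] = int(rec["reason_id"])
    return rec


def parse_log(text):
    """Parse all lines; skip blanks, unparsable lines and ID 0 (authentication OK).

    The rule described in the thread only writes lines when the ID is not 0,
    so ID 0 should never appear, but the parser drops it defensively anyway.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None or rec["reason_id"] == 0:
            continue
        records.append(rec)
    return records


def summarize(records, repeat_threshold=3):
    """Aggregate failures by reason and by client; list clients at/above the threshold."""
    by_reason = Counter(r["reason"] for r in records)
    by_client = Counter(r["client_ip"] for r in records)
    repeated = sorted(ip for ip, n in by_client.items() if n >= repeat_threshold)
    return {
        "by_reason": dict(by_reason),
        "by_client": dict(by_client),
        "repeated_clients": repeated,
    }


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for reason, count in sorted(summary["by_reason"].items()):
        print(f"{count:3d}  {reason}")
    print("clients with repeated failures:", ", ".join(summary["repeated_clients"]) or "none")
```

The per-reason counts separate user problems (locked accounts, bad credentials) from infrastructure problems (an unreachable domain controller), which is the distinction the debug log in the first reply was meant to surface; the per-client view makes a single misbehaving client stand out without enabling the verbose Authentication Troubleshooting log for long.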