Question : Exchange 2007 OWA causes 2 audit failures on failed login attempt

I'm looking at an Exchange 2007 server recently migrated from 2003. Whenever someone fails a logon to OWA the server makes two attempts at login. (two audit failures, event 4625, caused by W3WP.exe are recorded with the same timestamp)
This has the effect of locking out the user after 2 login attempts even though the policy is 3 attempts. Furthermore the DC records 3 Kerberos pre-authentication failed on each logon attempt.

OS on mailservers and dc is windows 2008.

Any ideas?

Answer : Exchange 2007 OWA causes 2 audit failures on failed login attempt

Solved by Microsoft:

Cause: By design

The account lockouts are caused by IIS7. Problem occurs when up to 2 bad password attempts are made. Microsoft recommends configuring the account lockout threshold to 10 when OWA runs into this situation. We have verified the code further and concluded that the issue is by design.
IIS 7 adds more thorough unicode support. First we take the username/password and create a UTF-8 unicode version and pass that to the API. If that fails we take the username/password and create a ANSI unicode version and pass that. If we choose either UTF-8 *or* ANSI then some users would never be able to logon no matter what they did. Without a header coming from the browser that specifies which codepage to use IIS won't know what will work so tries the more common one first (UTF-8) and then ANSI format. This is the best thing IIS can do while supporting a wide variety of end-users and applications.

The Account Lockout Threshold is far too low as Microsoft recommends a minimum of 10 bad attempts.

Random Solutions  
programming4us programming4us