Check the Enterprise Vault event log for "Authentication request failed" (Event ID 4224) entries. These events indicate the authentication failures that caused the AuthServer process to enter the mode of operation in which it delays all authentication requests. The number and text of these event log entries may help to confirm that an attempt is being made to gain access to Enterprise Vault archived data. If an attempt is being made, consider stopping Enterprise Vault services until the source of the attack can be identified and resolved. If the assumed attack is proven to be false then restarting the Enterprise Vault Admin Service will reset the AuthServer delay mode.