I am writing this document because there is often a lot of confusion about what kind of troubleshooting can be performed when using NTLM.

Since the introduction of Secure Netlogon it is no longer possible to troubleshoot authentication issues using Wireshark.


Old Ways

In older versions of the web gateway you could run a tcpdump on port 445 and review the capture in Wireshark to see, in clear text, the request and response to/from the DC.

This is no longer possible as the request and response will be encrypted.


New Ways

In more recent releases, we have to enable the troubleshooting option on the web gateway so that it logs authentication events; the failure reason can then be located in the debug log.

Webgateway Setting

User Interface > Configuration > Expand the proxy the user is using > Troubleshooting:


Once this option is enabled you can ask the client to try again. The result will be written to the logs. Remember to turn this option off when not troubleshooting, or risk an ever-expanding log file.

Example wrong password:

This is clearly a wrong password, written out in clear text:

wrong password

Example Disabled account:

This is not so clear: all we can see is that it failed, but it does provide a code, “0xc0000072”:

failed account disabled

You can use the table below to determine the reason (in this case it was account disabled):

Status\Sub-Status Code    Description
0xC000005E    There are currently no logon servers available to service the logon request.
0xC0000064    User logon with misspelled or bad user account
0xC000006A    User logon with misspelled or bad password
0xC000006D    The cause is either a bad username or authentication information
0xC000006E    Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions).
0xC000006F    User logon outside authorized hours
0xC0000070    User logon from unauthorized workstation
0xC0000071    User logon with expired password
0xC0000072    User logon to account disabled by administrator
0xC00000DC    Indicates the Sam Server was in the wrong state to perform the desired operation.
0xC0000133    Clocks between DC and other computer too far out of sync
0xC000015B    The user has not been granted the requested logon type (also called the logon right) at this machine
0xC000018C    The logon request failed because the trust relationship between the primary domain and the trusted domain failed.
0xC0000192    An attempt was made to logon, but the Netlogon service was not started.
0xC0000193    User logon with expired account
0xC0000224    User is required to change password at next logon
0xC0000225    Evidently a bug in Windows and not a risk
0xC0000234    User logon with account locked
0xC00002EE    Failure Reason: An Error occurred during Logon
0xC0000413    Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
0x0    Status OK.
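
When the debug log holds many failures, the lookup can be scripted. The following is an added example, not part of the original post or the web gateway product: it pulls status codes out of log lines regardless of hex case (the log prints "0xc0000072", the table "0xC0000072") and tallies the reasons. The log line layout, the `failure_reasons` function and the sample users are assumptions; only the codes come from the table above.

```python
import re
from collections import Counter

# Subset of the status table above, keyed by the 32-bit status value.
NTSTATUS = {
    0xC000005E: "no logon servers available",
    0xC0000064: "bad user account",
    0xC000006A: "bad password",
    0xC000006D: "bad username or authentication information",
    0xC000006F: "logon outside authorized hours",
    0xC0000070: "logon from unauthorized workstation",
    0xC0000071: "expired password",
    0xC0000072: "account disabled by administrator",
    0xC0000133: "clocks too far out of sync",
    0xC0000193: "expired account",
    0xC0000224: "password change required at next logon",
    0xC0000234: "account locked",
}

# Match 0x/0X followed by 1-8 hex digits in any case.
CODE_RE = re.compile(r"\b0[xX]([0-9a-fA-F]{1,8})\b")

def failure_reasons(lines):
    """Return a Counter of failure reasons found in debug-log lines."""
    reasons = Counter()
    for line in lines:
        for match in CODE_RE.finditer(line):
            code = int(match.group(1), 16)
            if code == 0:  # 0x0 is "Status OK", not a failure
                continue
            reasons[NTSTATUS.get(code, f"unlisted code 0x{code:08X}")] += 1
    return reasons

# Constructed sample lines; the real debug log layout is an assumption.
SAMPLE_LOG = [
    "[Auth] NTLM authentication for EXAMPLE\\alice failed: 0xc0000072",
    "[Auth] NTLM authentication for EXAMPLE\\bob failed: 0XC000006A",
    "[Auth] NTLM authentication for EXAMPLE\\bob failed: 0xC000006a",
    "[Auth] NTLM authentication for EXAMPLE\\carol status 0x0",
    "[Auth] NTLM authentication for EXAMPLE\\dave failed: 0xC0000199",
]

if __name__ == "__main__":
    for reason, count in failure_reasons(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {reason}")
```

Codes missing from the dictionary are reported as "unlisted code" with the normalized value, so they can be checked against the full table by hand.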
