Introduction
I am writing this document because there is often a lot of confusion about what kind of troubleshooting can be performed when NTLM authentication is in use.
Since the introduction of Secure Netlogon it is no longer possible to troubleshoot authentication issues by capturing the traffic and reading it in Wireshark.
Old Ways
In older versions of the web gateway you could run tcpdump on port 445 and review the capture in Wireshark to see, in clear text, the request sent to the DC and the response it returned.
This is no longer possible, as the request and response are now encrypted.
New Ways
To troubleshoot this in more recent releases, enable troubleshooting on the web gateway so that authentication events are logged; the failure reason can then be located in the debug log.
Webgateway Setting
User Interface > Configuration > Expand the proxy the user is using > Troubleshooting:
Once this option is enabled, ask the client to try again; the result will be written to the logs. Remember to turn the option off when you are not troubleshooting, otherwise the log file will keep growing.
Example: wrong password
This is clearly a wrong password, written out in clear text in the log:
Example: disabled account
This is not so clear. All we can see is that the logon failed, but the log does provide a code, "0xc0000072".
You can use the table below to determine the reason (in this case it was account disabled):
| Status / Sub-Status Code | Description |
|---|---|
| 0xC000005E | There are currently no logon servers available to service the logon request. |
| 0xC0000064 | User logon with misspelled or bad user account |
| 0xC000006A | User logon with misspelled or bad password |
| 0xC000006D | The cause is either a bad username or authentication information |
| 0xC000006E | Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions). |
| 0xC000006F | User logon outside authorized hours |
| 0xC0000070 | User logon from unauthorized workstation |
| 0xC0000071 | User logon with expired password |
| 0xC0000072 | User logon to account disabled by administrator |
| 0xC00000DC | Indicates the SAM server was in the wrong state to perform the desired operation. |
| 0xC0000133 | Clocks between DC and other computer too far out of sync |
| 0xC000015B | The user has not been granted the requested logon type (also called the logon right) at this machine |
| 0xC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. |
| 0xC0000192 | An attempt was made to logon, but the Netlogon service was not started. |
| 0xC0000193 | User logon with expired account |
| 0xC0000224 | User is required to change password at next logon |
| 0xC0000225 | Evidently a bug in Windows and not a risk |
| 0xC0000234 | User logon with account locked |
| 0xC00002EE | Failure Reason: An error occurred during logon |
| 0xC0000413 | Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. |
| 0x0 | Status OK. |
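As an added example (not part of the original document or the gateway product), the following Python script does the lookup described above over a batch of debug-log lines: it pulls the status code out of each line, normalises the "0x"/"0X" spelling, maps it to the reason in the table and tallies the reasons so that a cluster of, say, bad passwords or disabled accounts is visible at a glance. The sample log lines are constructed, since the real gateway log format is not shown here.

```python
import re
from collections import Counter
# Sub-status codes from the table above, keyed by lower-case hex so that
# either spelling found in a log ("0xC..." or "0XC...") resolves.
NTSTATUS_REASONS = {
    "0xc000005e": "No logon servers available",
    "0xc0000064": "Bad user account name",
    "0xc000006a": "Bad password",
    "0xc000006d": "Bad username or authentication information",
    "0xc000006e": "Account restriction (e.g. time-of-day)",
    "0xc000006f": "Logon outside authorized hours",
    "0xc0000070": "Logon from unauthorized workstation",
    "0xc0000071": "Expired password",
    "0xc0000072": "Account disabled by administrator",
    "0xc00000dc": "SAM server in wrong state",
    "0xc0000133": "Clock skew with DC too large",
    "0xc000015b": "Logon type not granted on this machine",
    "0xc000018c": "Domain trust relationship failed",
    "0xc0000192": "Netlogon service not started",
    "0xc0000193": "Expired account",
    "0xc0000224": "Must change password at next logon",
    "0xc0000225": "Windows bug, not a risk",
    "0xc0000234": "Account locked",
    "0xc00002ee": "Error occurred during logon",
    "0xc0000413": "Blocked by authentication firewall",
    "0x0": "Status OK",
}
STATUS_RE = re.compile(r"\b0[xX][0-9a-fA-F]{1,8}\b")

def explain_status(code):
    """Map a code as it appears in the log (any case) to the table's reason."""
    return NTSTATUS_REASONS.get(code.lower(), "Unknown status code")

def triage_log(lines):
    """Return [(line_no, code, reason)] for lines carrying a code, plus a Counter of reasons."""
    hits, tally = [], Counter()
    for n, line in enumerate(lines, 1):
        m = STATUS_RE.search(line)
        if m:
            code = m.group(0).lower()
            reason = explain_status(code)
            hits.append((n, code, reason))
            tally[reason] += 1
    return hits, tally

# Constructed sample lines (assumed format; the real gateway log format is not shown on the page).
SAMPLE_LOG = [
    "auth NTLM user=EXAMPLE\\alice result=failed status=0xC000006A",
    "auth NTLM user=EXAMPLE\\bob result=failed status=0XC0000072",
    "auth NTLM user=EXAMPLE\\alice result=failed status=0xc000006a",
    "auth NTLM user=EXAMPLE\\carol result=ok status=0x0",
    "proxy core started",
]
```

Run `triage_log(SAMPLE_LOG)` on the constructed lines and the tally shows two bad-password failures for alice and one disabled account for bob; lines without a status code are skipped.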