
Troubleshooting SMB Authentication

Purpose

This article provides solutions to known issues with SMB Authentication.

Known SMB Authentication Issues

When performing authenticated scanning against Windows systems, the scanner uses Windows PowerShell on the target to create, install and run a service called O24Auth. This service is used to execute commands on the target and send the results back to the scanner. Optionally the Registry may be scanned for additional findings.

O24Auth is a short-lived service initiated by the scanner on the target machine while performing an authenticated SMB scan against a Windows host. It is created via the Service Manager on the svcctl named pipe. After scanning of the target system is completed, the O24Auth service is removed automatically.

Prerequisites

Important
If an endpoint security solution is installed and in use on the target system, it may be necessary to configure it to allow (exclude) the O24Auth service. Otherwise, the solution in use may block or prevent the O24Auth service from being installed and/or running.

To be successful using Windows SMB authentication, the following requirements must be met:

  • The target system must be running Windows version 6.1 or later, i.e. Windows 7 (SP1), Windows 8.1, Windows 10, Windows 2008 R2 Server, Windows 2012 R2 Server, Windows 2016 Server, Windows 2019 Server, or Server Core Installation.

Note
Windows version 6.0 or earlier, i.e. Windows 2008, Windows Vista, Windows 2003 R2, Windows 2003, Windows XP, etc., is unsupported.

  • The user account specified to login to the target system may be either a domain user account or a local user account.

    If using a domain user account, the account needs to be a member of the Domain Admins group for the domain, and the Domain Admins group needs to be a member of the Administrators group on the target system. Alternatively, instead of the Domain Admins group being a member of the Administrators group on the target system, the domain user account itself can be a member of the Administrators group on the target system.

Important
When using a domain account, the target system (computer) must be a member of the SMB domain and must be able to communicate with the Domain Controller(s). If using a local user account, the account needs to be a member of the Administrators group on the target system and the User Account Control setting on the target system must be configured to Never Notify.

  • .NET framework version 3.5 or higher must be installed on the target system.

  • Windows PowerShell must be installed on the target system.

  • File and Printer Sharing must be enabled on the target system and the Windows Firewall must be configured to allow File and Printer Sharing inbound.

  • (Optional) To support the remote scanning of the Registry on the target system, the Remote Registry service must have its Startup option set to either Automatic (preferred) or Manual. If set to Manual, there may be a slight delay introduced when scanning a target(s).
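
The prerequisites above can be checked locally on the target system before testing from the scanner. The following PowerShell is an added example, not Outpost24 code; the registry values used for the UAC check and the firewall rule match on TCP 445 are assumptions about how those settings are stored, as noted in the comments.

```powershell
# Added example, not vendor code. Run from an elevated Windows PowerShell prompt on the target.
$results = @()
function Add-Check($Name, $Pass, $Detail) {
    $script:results += New-Object PSObject -Property @{
        Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" }
}

# Windows version 6.1 or later
$ver = [Environment]::OSVersion.Version
Add-Check 'Windows version 6.1 or later' ($ver -ge [Version]'6.1') $ver

# .NET Framework 3.5 or higher (install flag of v3.5 or of v4.x Full)
$ndp   = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
$net35 = (Get-ItemProperty "$ndp\v3.5"    -ErrorAction SilentlyContinue).Install -eq 1
$net4  = (Get-ItemProperty "$ndp\v4\Full" -ErrorAction SilentlyContinue).Install -eq 1
Add-Check '.NET Framework 3.5 or higher' ($net35 -or $net4) "v3.5=$net35 v4=$net4"

# File and Printer Sharing: the SMB server must be listening on TCP 445 ...
$ipProps   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$listening = @($ipProps.GetActiveTcpListeners() | Where-Object { $_.Port -eq 445 }).Count -gt 0
Add-Check 'SMB listener on TCP 445' $listening ''

# ... and an enabled inbound allow rule should cover it (assumption: approximated as any
# such rule on TCP 445; Direction 1 = inbound, Action 1 = allow, Protocol 6 = TCP)
$fwRules = @((New-Object -ComObject HNetCfg.FwPolicy2).Rules | Where-Object {
    $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 -and
    $_.Protocol -eq 6 -and ($_.LocalPorts -split ',') -contains '445' })
Add-Check 'Firewall rule allows TCP 445 inbound' ($fwRules.Count -gt 0) "$($fwRules.Count) rule(s)"

# Remote Registry startup type (optional prerequisite): Auto, Manual or Disabled
$rr = Get-WmiObject Win32_Service -Filter "Name='RemoteRegistry'"
Add-Check 'Remote Registry not Disabled (optional)' ($rr -and $rr.StartMode -ne 'Disabled') $rr.StartMode

# UAC "Never Notify" (local accounts only); assumption: both policy values are 0 at that level
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Add-Check 'UAC at Never Notify (local accounts)' `
    ($uac.ConsentPromptBehaviorAdmin -eq 0 -and $uac.PromptOnSecureDesktop -eq 0) `
    "ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin)"

# Local Administrators members, resolved by SID so the group name is locale-independent
$sid     = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$group   = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[1]
$members = ([ADSI]"WinNT://$env:COMPUTERNAME/$group,group").Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }

$results | Select-Object Check, Pass, Detail | Format-Table -AutoSize
"Members of ${group}: " + (@($members) -join ', ')
```

Confirm that the scan account, or the Domain Admins group, appears in the member list printed at the end. A firewall that blocks the scanner at the network level is not visible to this local check.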


Testing SMB Authentication from Outscan (HIAB)

  1. Login to Outscan or the HIAB.

  2. Click the main menu icon in the lower left corner, then select NetSec.

  3. Select Manage Targets.

  4. Among the list of targets, right-click a target and select Edit.

Next

  1. Click the Authentication tab.

  2. Select SMB for Authentication.

  3. If using a domain account (preferred), type the SMB domain, username, and password values, then click the Test button.

  4. Else if using a local account, provide the username and password values, then click the Test button.

If the above requirements are met, the result should be Success.

Error Messages

If the result indicates Failed, see the following error messages to determine the cause:

STATUS_NO_LOGON_SERVERS

Failed: {"level": 3, "timestamp": xxxxxxxxxx,xxxxxxx, "message": "SessionError: SMB SessionError: STATUS_NO_LOGON_SERVERS(No logon servers are currently available to service the login request…


This indicates that the Domain Controller (DC) is unavailable to validate the SMB domain credentials being used to login to the target system.

Solution:
Verify the Domain Controller (DC) is powered and accessible to the target system.

STATUS_TRUSTED_RELATIONSHIP_FAILURE

Failed: {"level": 3, "timestamp": xxxxxxxxxx,xxxxxxx, "message": "SessionError: SMB SessionError: STATUS_TRUSTED_RELATIONSHIP_FAILURE(The logon request failed because the trust relationship between this workstation and the primary domain failed.)”

This indicates that the target system has lost its membership to the domain.

Solution:
It is recommended to remove the target system (computer) from the domain, then rejoin the target system (computer) to the domain.

logging exception in both message and exception, some information will be lost

Failed: {"level": 4, "timestamp": xxxxxxxxxx,xxxxxxx, "message": "logging exception in both message and exception, some information will be lost"


This indicates that the Domain Controller (DC) is experiencing connectivity issues to validate the SMB domain credentials being used to login to the target system.

Solution:
Ensure DNS is properly set on the target system to ensure resolution to the Domain Controller (DC). Verify the Domain Controller (DC) is accessible to the target system. If a firewall is in use (either host-based or on the LAN), ensure it is configured to allow connectivity.

Invalid credentials

Failed: {"level": 5, "timestamp": xxxxxxxxxx,xxxxxxx, "message": "invalid credentials"

This indicates that the credentials being used to login to the target system are invalid.

  • If using a domain account, verify the values specified for the SMB domain name, SMB username, or SMB password are correct.
    Additionally verify the target system (computer) is a member of the domain specified.

  • If using a local account, verify the username and/or password is correct for use upon the target system.

Connection failed

Failed: {"level": 5, "timestamp": xxxxxxxxxx,xxxxxxx, "message": "connection failed"


This indicates that the target system is not online, or File and Printer Sharing is disabled, or the Windows Firewall or a network firewall is blocking ports associated with File and Printer Sharing.

Solution
Verify the target system is powered, online and accessible. Verify File and Printer Sharing is enabled on the target system. Additionally check to ensure the Windows Firewall is configured to allow File and Printer Sharing inbound.

Making payload

Failed: {"level": 6, "timestamp": xxxxxxxxxx.xxxxxxx, "message": "making payload"


This indicates that the user account specified is valid for login to the target system, but lacks sufficient rights.

Solution

  • If using a domain user account, verify the Domain Admins group or the domain user account itself is a member of the Administrators group on the target system.

  • If using a local user account, verify the user account is a member of the Administrators group on the target system AND verify the User Account Control feature is set to Never Notify.

Note: If the above is not applicable, there may be an issue with Windows PowerShell on the local system.
Verify that Windows PowerShell is installed and properly working on the target system.

If unsure:

  1. Open a Command Prompt on the target system

  2. In the Command Prompt, type PowerShell and press Enter. Windows PowerShell loads and a PS prompt is displayed.


Important: This error will appear if the target system is running Windows version 6.0 or less, for example, Windows 2008, Windows Vista, Windows 2003 R2, Windows 2003, Windows XP, etc. which would not support the use of Windows PowerShell.

Success (Unusual response from registry key)

Failed: Success (Unusual response from registry key)


This indicates that the user account specified is valid for login to the target system and has appropriate rights, but the Remote Registry service is set to Disabled on the target system.

Solution
Verify the Startup option for the Remote Registry service on the local system is not Disabled. Instead change the Startup option to either Automatic (preferred) or Manual.

When reviewing Findings within Outscan (HIAB)

In the Platform column, create a filter for (Any) Windows. In the Script ID column, create a filter for (=) “289075,289579,113237,1221986,1317055,1339914”.

Review the Findings for the target(s) and look for:

Script ID: 289075 – Name: SMB Supplied Login Credentials Success
Script ID: 289579 – Name: SMB Supplied Login Credentials Failure

If you observe:

image-20250408-093739.png

This indicates the user account was able to login successfully, is a member of the Administrators group on the target system, was able to deploy the O24Auth service and acquire a listing of patches installed on the target system.

113237: SMB Registry Access Failure

If you observe:

image-20250408-104723.png

This indicates the user account was able to login successfully, is a member of the Administrators group on the target system, was able to deploy the O24Auth service, was able to acquire a listing of patches installed on the target system, but was not able to scan the registry. Most likely the Remote Registry service is Disabled on the target system.

289579: SMB Supplied Login Credentials Failure

If you observe:

image-20250408-105216.png

This indicates the user account was not able to login and therefore unable to access the Registry. Check to ensure the user account is valid. If using a domain account, ensure the target system is a member of the domain and has connectivity to the Domain Controller (DC).

1317055: Microsoft Windows: Retrieving Patches Failed

If you observe:

image-20250408-105346.png

This indicates the user account was able to login successfully, but was not able to acquire a listing of patches, nor could the Registry be scanned. Most likely the user account is not a member of the Administrators group on the target system.

1339914: SMB Scan Misconfiguration

Additionally, look for Script ID: 1339914 Name: SMB Scan Misconfiguration, expand and review the Gathered Information for a potential cause. Examples may reflect:
The scanner was unable to start the scanning service on the target or Connection Failed: [Errno Connection error (x.x.x.x:445)] [Errno 110] Connection timed out.

Both indicate that there may be an endpoint security solution in use on the target system, blocking/preventing the installation of the O24Auth service.

Confirming Success of Login on the Target System Itself

On the target system, review the Windows Logs (Security log) and look for Keywords Audit Success with Event ID “4672” and Task Category Special Logon.
In the example of using a domain account called domainadmin in the domain called commodon, the successful login to the target system can be confirmed in the Security log as follows:

image-20250408-114426.png

Confirming success of O24Auth service created/installed on the target system

On the target system, review the Windows Logs (System log) and look for Level Information with Event ID 7045 and Task Category None.
In the example of successfully creating and installing the O24Auth service, an event will be recorded as follows:

image-20250408-114618.png
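
The two log checks above (Event ID 4672 in the Security log and Event ID 7045 in the System log) can be combined so that each O24Auth service install is shown next to the special logons recorded around the same time. This PowerShell is an added example, not Outpost24 code; the 24-hour look-back and the 300-second correlation window are assumptions to adjust as needed.

```powershell
# Added example, not vendor code. Run from an elevated Windows PowerShell prompt on the target.
$since         = (Get-Date).AddHours(-24)             # look-back period (assumption)
$windowSeconds = 300                                  # max gap between logon and install (assumption)
$serviceSids   = 'S-1-5-18', 'S-1-5-19', 'S-1-5-20'   # SYSTEM, LOCAL SERVICE, NETWORK SERVICE

# Event ID 7045 (System log): service installs; Properties[0] is the service name
$installs = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq 'O24Auth' })

# Event ID 4672 (Security log): special logons, excluding built-in service identities
# Properties: [0] subject SID, [1] user name, [2] domain name
$logons = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    Where-Object { $serviceSids -notcontains "$($_.Properties[0].Value)" })

# For each O24Auth install, collect the accounts with a special logon inside the window
$report = foreach ($install in $installs) {
    $near = @($logons | Where-Object {
        [math]::Abs(($_.TimeCreated - $install.TimeCreated).TotalSeconds) -le $windowSeconds })
    $accounts = @($near | ForEach-Object {
        '{0}\{1}' -f $_.Properties[2].Value, $_.Properties[1].Value } | Sort-Object -Unique)
    New-Object PSObject -Property @{
        Installed     = $install.TimeCreated
        ImagePath     = $install.Properties[1].Value   # binary path recorded for the service
        RunsAs        = $install.Properties[4].Value   # account the service runs under
        SpecialLogons = $accounts -join ', '
    }
}

if (-not $report) { 'No O24Auth service install (Event ID 7045) found in the look-back period.' }
else { $report | Select-Object Installed, SpecialLogons, RunsAs, ImagePath | Format-List }
```

With the example account used above, a scan that authenticated correctly shows commodon\domainadmin under SpecialLogons next to the O24Auth install time.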




Copyright

© 2025 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.
