This article describes a FortiAuthenticator authentication failure encountered during an MS-CHAPv2 login attempt.
The issue arises when the Active Directory (AD) server rejects the authentication because NTLM is blocked by policy on the domain controller, returning NTSTATUS 0xc0000418 (STATUS_NTLM_BLOCKED).
The log shows that FortiAuthenticator builds the MS-CHAPv2 challenge hash and hands it, together with the client's NT-Response, to the AD server over NTLM, but the AD server refuses the NTLM authentication because of its NTLM restriction policy, so the RADIUS request is rejected.
Scope: FortiAuthenticator.
Flow: FortiGate -> RADIUS -> FortiAuthenticator -> remote LDAP server with Windows AD domain authentication -> Windows Server 2025 domain controller.
For MS-CHAPv2, FortiAuthenticator never sees the user's password, so it cannot verify the response with an LDAP bind; it relies on its Windows AD domain membership and passes the challenge/response to the domain controller using NTLM. That NTLM step is what the AD server refuses here.
On the FortiAuthenticator RADIUS debug (the inline '>>' notes mark the lines that matter):
2025-05-09T16:41:43.116866+05:30 FortiAuthenticator radiusd[9071]: (4) facauth: facauth:
recv Access-Request from 192.168.200.4 port 12079, id=246, length=186
2025-05-09T16:41:43.116870+05:30 FortiAuthenticator radiusd[9071]: MS-CHAP2-Response =
0x1700177b26c54076764e6098e7958783a6880000000000000000616a64ecb7cefa5fa3f7d9525e
84571c52d2747e9b1b0383
2025-05-09T16:41:43.116873+05:30 FortiAuthenticator radiusd[9071]: MS-CHAP-Challenge =
0x4cd19574138a852ffacb123b3851059a
2025-05-09T16:41:43.116875+05:30 FortiAuthenticator radiusd[9071]: User-Name =
"test.user"
2025-05-09T16:41:43.116887+05:30 FortiAuthenticator radiusd[9071]: NAS-Identifier = "HA"
2025-05-09T16:41:43.116892+05:30 FortiAuthenticator radiusd[9071]: Framed-IP-Address =
0.0.0.0
2025-05-09T16:41:43.116895+05:30 FortiAuthenticator radiusd[9071]: NAS-Port-Type =
Virtual
2025-05-09T16:41:43.116897+05:30 FortiAuthenticator radiusd[9071]: Acct-Session-Id =
"00005e080e2ae001"
2025-05-09T16:41:43.116900+05:30 FortiAuthenticator radiusd[9071]: Connect-Info = "test"
2025-05-09T16:41:43.116910+05:30 FortiAuthenticator radiusd[9071]: Fortinet-Vdom-Name =
"root"
2025-05-09T16:41:43.116915+05:30 FortiAuthenticator radiusd[9071]: Message-Authenticator
= 0x361ebcb4654d48666452fe75fed18581
2025-05-09T16:41:43.116918+05:30 FortiAuthenticator radiusd[9071]: Event-Timestamp =
"May 9 2025 16:41:43 IST"
2025-05-09T16:41:43.116925+05:30 FortiAuthenticator radiusd[9071]: NAS-IP-Address =
192.168.200.4
2025-05-09T16:41:43.116929+05:30 FortiAuthenticator radiusd[9071]: (4) facauth: ===>NAS
IP:192.168.200.4
2025-05-09T16:41:43.116939+05:30 FortiAuthenticator radiusd[9071]: (4) facauth:
===>Username:test.user
2025-05-09T16:41:43.116946+05:30 FortiAuthenticator radiusd[9071]: (4) facauth:
===>Timestamp:1746789103.116615, age:0ms
2025-05-09T16:41:43.116950+05:30 FortiAuthenticator radiusd[9071]: (4) facauth:
old_authtype: mschap (13670951)
2025-05-09T16:41:43.118577+05:30 FortiAuthenticator radiusd[9071]: (4) facauth: Policy
[fido_auth_opt: disabled, twofactor: allow both, no_fido: two factor, revoked: reject]
2025-05-09T16:41:43.118581+05:30 FortiAuthenticator radiusd[9071]: (4) facauth: Decided on
[is_fido: false, two_factor: allow both, token_type: none]
2025-05-09T16:41:43.118589+05:30 FortiAuthenticator radiusd[9071]: (4) facauth: Added
Stripped-User-Name with value test.user
2025-05-09T16:41:43.118738+05:30 FortiAuthenticator radiusd[9071]: (4) facauth:
check_user_lockout: fail_count=0 period=-1 reason=-1
2025-05-09T16:41:43.118863+05:30 FortiAuthenticator radiusd[9071]: (4) facauth: # Executing
group from file /usr/etc/raddb/sites-enabled/default
2025-05-09T16:41:43.118867+05:30 FortiAuthenticator radiusd[9071]: (4) facauth: authenticate
{
2025-05-09T16:41:43.118875+05:30 FortiAuthenticator radiusd[9071]: (4) mschap: Creating
challenge hash with username: test.user
2025-05-09T16:41:43.118879+05:30 FortiAuthenticator radiusd[9071]: (4) mschap: Client is
using MS-CHAPv2
2025-05-09T16:41:43.118908+05:30 FortiAuthenticator radiusd[9071]: (4) mschap: EXPAND
%{Fortinet-Ldap-Server-Id}
2025-05-09T16:41:43.118914+05:30 FortiAuthenticator radiusd[9071]: (4) mschap: --> 2
2025-05-09T16:41:43.118929+05:30 FortiAuthenticator radiusd[9071]: (4) mschap: EXPAND --
username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
2025-05-09T16:41:43.118935+05:30 FortiAuthenticator radiusd[9071]: (4) mschap: --> --
username=test.user
2025-05-09T16:41:43.118946+05:30 FortiAuthenticator radiusd[9071]: (4) mschap: EXPAND --
domain=%{%{Fortinet-User-Realm}:-}
2025-05-09T16:41:43.118951+05:30 FortiAuthenticator radiusd[9071]: (4) mschap: --> --
domain=
2025-05-09T16:41:43.118964+05:30 FortiAuthenticator radiusd[9071]: (4) mschap: Creating
challenge hash with username: test.user
2025-05-09T16:41:43.118973+05:30 FortiAuthenticator radiusd[9071]: (4) mschap: EXPAND --
challenge=%{mschap:Challenge:-00}
2025-05-09T16:41:43.118979+05:30 FortiAuthenticator radiusd[9071]: (4) mschap: --> --
challenge=21bd2170b6c3d09b >> This is the 8-byte MS-CHAPv2 challenge hash (SHA-1 of the peer challenge, MS-CHAP-Challenge and username, truncated to 8 bytes) that FortiAuthenticator hands to its NTLM helper for the AD server to verify
2025-05-09T16:41:43.118994+05:30 FortiAuthenticator radiusd[9071]: (4) mschap: EXPAND --
nt-response=%{mschap:NT-Response:-00
2025-05-09T16:41:43.119000+05:30 FortiAuthenticator radiusd[9071]: (4) mschap: --> --nt-response=616a64ecb7cefa5fa3f7d9525e84571c52d2747e9b1b0383 } >> This is the client's 24-byte NT-Response, i.e. the last 24 bytes of the MS-CHAP2-Response attribute above, not data from the AD server; FortiAuthenticator forwards it with the challenge hash to the AD server for verification
2025-05-09T16:41:43.145827+05:30 FortiAuthenticator radiusd[9071]: (4) mschap: ERROR: Program returned code (1) and output 'The authentication failed because NTLM was blocked. (0xc0000418)' >> Here the AD server's answer comes back: the NTLM verification was refused with NTSTATUS 0xc0000418 (STATUS_NTLM_BLOCKED), a policy decision on the AD side rather than a wrong password (which would show as STATUS_WRONG_PASSWORD or STATUS_LOGON_FAILURE)
2025-05-09T16:41:43.145851+05:30 FortiAuthenticator radiusd[9071]: (4) mschap: External
script failed
2025-05-09T16:41:43.145854+05:30 FortiAuthenticator radiusd[9071]: (4) mschap: ERROR:
External script says: The authentication failed because NTLM was blocked. (0xc0000418)
2025-05-09T16:41:43.145858+05:30 FortiAuthenticator radiusd[9071]: (4) mschap: ERROR:
MS-CHAP2-Response is incorrect
2025-05-09T16:41:43.145870+05:30 FortiAuthenticator radiusd[9071]: (4) facauth: [mschap] =
reject
2025-05-09T16:41:43.145874+05:30 FortiAuthenticator radiusd[9071]: (4) facauth: } #
authenticate = reject
2025-05-09T16:41:43.145881+05:30 FortiAuthenticator radiusd[9071]: (4) facauth: Module-Failure-Message: mschap: Program returned code (1) and output 'The authentication failed because NTLM was blocked. (0xc0000418)'
2025-05-09T16:41:43.145885+05:30 FortiAuthenticator radiusd[9071]: (4) facauth: MS-CHAP-Error: \027E=691 R=1 C=96b6c7a40cfa9cb942b21e2530e11db1 V=3 M=Authentication rejected
2025-05-09T16:41:43.145888+05:30 FortiAuthenticator radiusd[9071]: (4) facauth: Remote
Windows AD user authentication failed
2025-05-09T16:41:43.161492+05:30 FortiAuthenticator radiusd[9071]: (4) facauth: update_fac_authlog:164 nas_str = 192.168.200.4~0.0.0.0.
2025-05-09T16:41:43.161532+05:30 FortiAuthenticator radiusd[9071]: (4) facauth: Updated
auth log 'test.user' for attempt from 192.168.200.4~0.0.0.0: Windows AD user authentication
from 0.0.0.0 (mschap) with no token failed: AD auth error: The authentication failed because
NTLM was blocked. (0xc0000418)
2025-05-09T16:41:43.161547+05:30 FortiAuthenticator radiusd[9071]: (4) facauth: facauth:
print reply attributes of request id 246:
2025-05-09T16:41:43.161554+05:30 FortiAuthenticator radiusd[9071]: Message-Authenticator
:= 0x00
2025-05-09T16:41:43.161566+05:30 FortiAuthenticator radiusd[9071]: MS-CHAP-Error =
"\027E=691 R=1 C=96b6c7a40cfa9cb942b21e2530e11db1 V=3 M=Authentication rejected"
2025-05-09T16:41:43.161575+05:30 FortiAuthenticator radiusd[9071]: (4) [facauth] = reject
2025-05-09T16:41:43.161580+05:30 FortiAuthenticator radiusd[9071]: (4) } # Auth-Type
FACAUTH = reject
2025-05-09T16:41:43.161585+05:30 FortiAuthenticator radiusd[9071]: (4) Failed to
authenticate the user
This is FortiAuthenticator logging the answer ('The authentication failed because NTLM was blocked. (0xc0000418)') that the AD server returned to its NTLM authentication attempt.
Therefore the AD server, not FortiAuthenticator, is rejecting the request: a policy on the domain controller blocks NTLM, and this has to be checked on the AD side. 0xc0000418 (STATUS_NTLM_BLOCKED) is what a domain controller returns when the 'Network security: Restrict NTLM' security options deny the request, so review those policies on the domain controllers (Security Settings > Local Policies > Security Options): 'Restrict NTLM: NTLM authentication in this domain', 'Restrict NTLM: Incoming NTLM traffic' and, when NTLM must stay restricted in general, 'Restrict NTLM: Add server exceptions in this domain' to exempt the FortiAuthenticator computer account. The corresponding audit/block events are written on the domain controller to the Microsoft-Windows-NTLM/Operational log, which confirms which policy fired. Because MS-CHAPv2 verification against AD depends on NTLM, the login cannot succeed while NTLM is denied for FortiAuthenticator; the choices are to add the exception or to move the client to a method that does not need NTLM (for example PAP, which FortiAuthenticator can verify with an LDAP bind, or certificate-based EAP-TLS).
The full flow and where it breaks:
FortiGate sends the Access-Request (MS-CHAP2-Response, MS-CHAP-Challenge, User-Name) -> FortiAuthenticator derives the challenge hash and passes it with the client's NT-Response to the AD server over NTLM -> the AD server answers 'NTLM was blocked (0xc0000418)' -> FortiAuthenticator returns an Access-Reject carrying MS-CHAP-Error E=691 to the FortiGate. In the debug, the break is in the answer the AD server returns to FortiAuthenticator, which shows NTLM as blocked.
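The correlation behind the '>>' notes above, written out as runnable code. This is an added example and not Fortinet's code: it parses a constructed sample made from the debug lines quoted in this article (timestamps and pid dropped), splits MS-CHAP2-Response per RFC 2548, recomputes the RFC 2759 challenge hash from the peer challenge, MS-CHAP-Challenge and Stripped-User-Name, confirms that the nt-response handed to the NTLM helper is the client's own NT-Response, and decodes both the NTSTATUS relayed from the domain controller and the MS-CHAP-Error returned to the FortiGate. The NTSTATUS table is deliberately partial and the verdict labels are the example's own.

```python
"""Pull the MS-CHAPv2 fields out of a FortiAuthenticator RADIUS debug and
check them against RFC 2759.  Added example, not Fortinet code."""
import hashlib
import re

# Constructed sample: the attribute values quoted in the article's debug,
# with timestamps and the radiusd pid removed.
DEBUG = r"""
MS-CHAP2-Response = 0x1700177b26c54076764e6098e7958783a6880000000000000000616a64ecb7cefa5fa3f7d9525e84571c52d2747e9b1b0383
MS-CHAP-Challenge = 0x4cd19574138a852ffacb123b3851059a
User-Name = "test.user"
(4) facauth: Added Stripped-User-Name with value test.user
(4) mschap: --> --challenge=21bd2170b6c3d09b
(4) mschap: --> --nt-response=616a64ecb7cefa5fa3f7d9525e84571c52d2747e9b1b0383 }
(4) mschap: ERROR: Program returned code (1) and output 'The authentication failed because NTLM was blocked. (0xc0000418)'
MS-CHAP-Error = "\027E=691 R=1 C=96b6c7a40cfa9cb942b21e2530e11db1 V=3 M=Authentication rejected"
"""

# Partial NTSTATUS table: codes the NTLM helper commonly relays from the DC.
NTSTATUS = {
    0xC0000418: "STATUS_NTLM_BLOCKED",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
}

# RFC 2759 section 6 failure codes carried in the MS-CHAP-Error "E=" field.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}


def attr(debug, name):
    """Value of the first 'Name = value' RADIUS attribute line, unquoted."""
    m = re.search(rf"^\s*{re.escape(name)}\s*=\s*(.+?)\s*$", debug, re.M)
    if not m:
        raise KeyError(name)
    value = m.group(1)
    return value[1:-1] if value.startswith('"') and value.endswith('"') else value


def parse_mschap2_response(hexval):
    """Split the 50-byte MS-CHAP2-Response attribute (RFC 2548 section 2.3.2)."""
    raw = bytes.fromhex(hexval[2:] if hexval.startswith("0x") else hexval)
    if len(raw) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(raw)}")
    return {
        "ident": raw[0],
        "flags": raw[1],
        "peer_challenge": raw[2:18],
        "reserved": raw[18:26],
        "nt_response": raw[26:50],
    }


def challenge_hash(peer_challenge, authenticator_challenge, username):
    """RFC 2759 ChallengeHash(): first 8 octets of SHA1(Peer || Auth || UserName).
    UserName is the bare account name, i.e. FreeRADIUS' Stripped-User-Name."""
    data = peer_challenge + authenticator_challenge + username.encode("utf-8")
    return hashlib.sha1(data).digest()[:8]


def parse_mschap_error(value):
    """Decode 'E=691 R=1 C=<32 hex> V=3 M=...' (RFC 2759 section 6)."""
    m = re.search(r"E=(\d+) R=(\d) C=([0-9a-fA-F]{32}) V=(\d+) M=(.*)", value)
    if not m:
        raise ValueError("unrecognised MS-CHAP-Error: " + value)
    code = int(m.group(1))
    return {
        "E": code,
        "name": MSCHAP_ERRORS.get(code, "unknown"),
        "retry_allowed": m.group(2) == "1",
        "new_challenge": m.group(3),
        "V": int(m.group(4)),
        "M": m.group(5),
    }


def analyze(debug):
    """Correlate the pieces and say where the failure originated."""
    resp = parse_mschap2_response(attr(debug, "MS-CHAP2-Response"))
    auth_challenge = bytes.fromhex(attr(debug, "MS-CHAP-Challenge")[2:])
    stripped = re.search(r"Stripped-User-Name with value (\S+)", debug)
    username = stripped.group(1) if stripped else attr(debug, "User-Name")
    logged_challenge = re.search(r"--challenge=([0-9a-f]+)", debug).group(1)
    logged_nt = re.search(r"--nt-response=([0-9a-f]+)", debug).group(1)

    result = {
        "username": username,
        "peer_challenge": resp["peer_challenge"].hex(),
        "authenticator_challenge": auth_challenge.hex(),
        "challenge_logged": logged_challenge,
        "challenge_computed": challenge_hash(resp["peer_challenge"], auth_challenge, username).hex(),
        # The nt-response given to the helper must be the client's own
        # NT-Response, i.e. the last 24 bytes of MS-CHAP2-Response.
        "nt_response_matches": logged_nt == resp["nt_response"].hex(),
        "ad_error": None,
        "mschap_error": parse_mschap_error(attr(debug, "MS-CHAP-Error")),
        "verdict": "unknown",
    }
    m = re.search(r"Program returned code \(\d+\) and output '(.*?) \((0x[0-9a-fA-F]{8})\)'", debug)
    if m:
        code = int(m.group(2), 16)
        result["ad_error"] = {"message": m.group(1), "ntstatus": code, "name": NTSTATUS.get(code, "unknown")}
        if code == 0xC0000418:
            result["verdict"] = "ad_policy"     # DC refused NTLM: fix Restrict NTLM policy/exceptions
        elif code in (0xC000006A, 0xC000006D):
            result["verdict"] = "credentials"   # DC checked the response and it was wrong
        else:
            result["verdict"] = "dc_other"      # some other DC-side account state
    elif not result["nt_response_matches"]:
        result["verdict"] = "parse"             # log and attribute disagree: suspect the capture
    return result


if __name__ == "__main__":
    for key, value in analyze(DEBUG).items():
        print(f"{key}: {value}")
```

If the recomputed challenge differs from the challenge= line in a real debug, the username FortiAuthenticator fed into the hash (Stripped-User-Name, with any realm removed) is not the one the client used, which is a separate cause of 'MS-CHAP2-Response is incorrect' that has nothing to do with the domain controller.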
Copyright 2025 Fortinet, Inc. All Rights Reserved.