This article describes the cause of MSCHAPv2 authentication failure on FortiAuthenticator when NTLM is blocked on the Windows domain, and outlines possible solutions.
Scope: FortiAuthenticator.
Flow: FortiGate -> RADIUS (MSCHAPv2) -> FortiAuthenticator -> LDAP / Windows AD -> Windows Server 2025.
When user credentials are tested from the FortiGate, it may show the following error message:
The FortiAuthenticator logs may show the following message: 'The authentication failed because NTLM was blocked. (0xc0000418)':
With RADIUS debugging enabled on the FortiAuthenticator, the same error is visible in the debug output. The relevant lines are the ones from the mschap module: the external helper (the --username, --challenge and --nt-response arguments are those of ntlm_auth) returns the Windows NTSTATUS 0xc0000418, STATUS_NTLM_BLOCKED, meaning the domain controller refused the NTLM logon by policy rather than because of a wrong password. The FortiGate only receives the generic MS-CHAP-Error E=691 (authentication failure), which does not distinguish the two cases:
2025-06-09T23:46:44.451112-07:00 FortiAuthenticator radiusd[20891]: (0) facauth: facauth: recv Access-Request from 10.5.146.16 port 16969, id=29, length=189
2025-06-09T23:46:44.451121-07:00 FortiAuthenticator radiusd[20891]: MS-CHAP2-Response = 0x0e00ad0ff0a4477e899f38265160fe0c41bd000000000000000067d273eb9cdfbd8ebf21ab479b9d18b507ca98f23b2d698b
2025-06-09T23:46:44.451128-07:00 FortiAuthenticator radiusd[20891]: MS-CHAP-Challenge = 0x6dbc8c6f09af90899ca662cca1a9f97f
2025-06-09T23:46:44.451134-07:00 FortiAuthenticator radiusd[20891]: User-Name = "userb"
2025-06-09T23:46:44.451140-07:00 FortiAuthenticator radiusd[20891]: NAS-Identifier = "erbium-kvm56"
2025-06-09T23:46:44.451146-07:00 FortiAuthenticator radiusd[20891]: Framed-IP-Address = 0.0.0.0
2025-06-09T23:46:44.451152-07:00 FortiAuthenticator radiusd[20891]: NAS-Port-Type = Virtual
2025-06-09T23:46:44.451158-07:00 FortiAuthenticator radiusd[20891]: Acct-Session-Id = "000010b40d3a4002"
2025-06-09T23:46:44.451164-07:00 FortiAuthenticator radiusd[20891]: Connect-Info = "test"
2025-06-09T23:46:44.451275-07:00 FortiAuthenticator radiusd[20891]: Fortinet-Vdom-Name = "root"
2025-06-09T23:46:44.451283-07:00 FortiAuthenticator radiusd[20891]: Message-Authenticator = 0x3bee7ef4f0713455eb8485aa7e1ceaa8
2025-06-09T23:46:44.451296-07:00 FortiAuthenticator radiusd[20891]: Event-Timestamp = "Jun 9 2025 23:46:44 PDT"
2025-06-09T23:46:44.451303-07:00 FortiAuthenticator radiusd[20891]: NAS-IP-Address = 10.5.146.16
2025-06-09T23:46:44.451310-07:00 FortiAuthenticator radiusd[20891]: (0) facauth: ===>NAS IP:10.5.146.16
2025-06-09T23:46:44.451317-07:00 FortiAuthenticator radiusd[20891]: (0) facauth: ===>Username:userb
2025-06-09T23:46:44.451332-07:00 FortiAuthenticator radiusd[20891]: (0) facauth: ===>Timestamp:1749538004.451325, age:0ms
2025-06-09T23:46:44.451340-07:00 FortiAuthenticator radiusd[20891]: (0) facauth: old_authtype: mschap (2992175)
2025-06-09T23:46:44.452786-07:00 FortiAuthenticator radiusd[20891]: (0) facauth: Comparing client IP 10.5.146.16 with authclient FGT_Client (10.5.146.16, 1 IPs)
2025-06-09T23:46:44.452798-07:00 FortiAuthenticator radiusd[20891]: (0) facauth: ------> matched!
2025-06-09T23:46:44.452810-07:00 FortiAuthenticator radiusd[20891]: (0) facauth: Found authclient from preloaded authclients list for 10.5.146.16: FGT_Client (10.5.146.16)
2025-06-09T23:46:44.452821-07:00 FortiAuthenticator radiusd[20891]: (0) facauth: authclient_id:1 auth_type:'password'
2025-06-09T23:46:44.455191-07:00 FortiAuthenticator radiusd[20891]: (0) facauth: Found authpolicy 'FGT_Policy' for client '10.5.146.16'
2025-06-09T23:46:44.457174-07:00 FortiAuthenticator radiusd[20891]: (0) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}}
2025-06-09T23:46:44.457179-07:00 FortiAuthenticator radiusd[20891]: (0) mschap: --> --username=userb
2025-06-09T23:46:44.457191-07:00 FortiAuthenticator radiusd[20891]: (0) mschap: EXPAND --domain=%{%{Fortinet-User-Realm}:-}
2025-06-09T23:46:44.457196-07:00 FortiAuthenticator radiusd[20891]: (0) mschap: --> --domain=
2025-06-09T23:46:44.457212-07:00 FortiAuthenticator radiusd[20891]: (0) mschap: Creating challenge hash with username: userb
2025-06-09T23:46:44.457374-07:00 FortiAuthenticator radiusd[20891]: (0) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
2025-06-09T23:46:44.457383-07:00 FortiAuthenticator radiusd[20891]: (0) mschap: --> --challenge=318f1b696b71f797
2025-06-09T23:46:44.457400-07:00 FortiAuthenticator radiusd[20891]: (0) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
2025-06-09T23:46:44.457406-07:00 FortiAuthenticator radiusd[20891]: (0) mschap: --> --nt-response=67d273eb9cdfbd8ebf21ab479b9d18b507ca98f23b2d698b
2025-06-09T23:46:44.494122-07:00 FortiAuthenticator radiusd[20891]: (0) mschap: ERROR: Program returned code (1) and output 'The authentication failed because NTLM was blocked. (0xc0000418)'
2025-06-09T23:46:44.494318-07:00 FortiAuthenticator radiusd[20891]: (0) mschap: External script failed
2025-06-09T23:46:44.494378-07:00 FortiAuthenticator radiusd[20891]: (0) mschap: ERROR: External script says: The authentication failed because NTLM was blocked. (0xc0000418)
2025-06-09T23:46:44.494431-07:00 FortiAuthenticator radiusd[20891]: (0) mschap: ERROR: MS-CHAP2-Response is incorrect
2025-06-09T23:46:44.494501-07:00 FortiAuthenticator radiusd[20891]: (0) facauth: [mschap] = reject
2025-06-09T23:46:44.494544-07:00 FortiAuthenticator radiusd[20891]: (0) facauth: } # authenticate = reject
2025-06-09T23:46:44.494595-07:00 FortiAuthenticator radiusd[20891]: (0) facauth: Module-Failure-Message: mschap: Program returned code (1) and output 'The authentication failed because NTLM was blocked. (0xc0000418)'
2025-06-09T23:46:44.494640-07:00 FortiAuthenticator radiusd[20891]: (0) facauth: MS-CHAP-Error: \016E=691 R=1 C=c9cdaba65d88486a18c0f9dfc5d6471c V=3 M=Authentication rejected
2025-06-09T23:46:44.494681-07:00 FortiAuthenticator radiusd[20891]: (0) facauth: Remote Windows AD user authentication failed
2025-06-09T23:46:44.494728-07:00 FortiAuthenticator radiusd[20891]: update_user_lockout: fail_count=0 locking_period=-1 locking_reason=-1
2025-06-09T23:46:44.494771-07:00 FortiAuthenticator radiusd[20891]: Checking if IP (0.0.0.0) is IP-lockout exempted.
2025-06-09T23:46:44.494818-07:00 FortiAuthenticator radiusd[20891]: update_ip_lockout for non-admin login attempt from IP (0.0.0.0): locking_period=60 locking_reason=2
2025-06-09T23:46:44.494872-07:00 FortiAuthenticator radiusd[20891]: (0) facauth: update_fac_authlog:165 nas_str = 10.5.146.16~0.0.0.0.
2025-06-09T23:46:44.496101-07:00 FortiAuthenticator radiusd[20891]: (0) facauth: Updated auth log 'userb' for attempt from 10.5.146.16~0.0.0.0: Windows AD user authentication from 0.0.0.0 (mschap) with no token failed: AD auth error: The authentication failed because NTLM was blocked. (0xc0000418)
2025-06-09T23:46:44.496289-07:00 FortiAuthenticator radiusd[20891]: (0) facauth: facauth: print reply attributes of request id 29:
2025-06-09T23:46:44.496345-07:00 FortiAuthenticator radiusd[20891]: Message-Authenticator := 0x00
2025-06-09T23:46:44.496404-07:00 FortiAuthenticator radiusd[20891]: MS-CHAP-Error = "\016E=691 R=1 C=c9cdaba65d88486a18c0f9dfc5d6471c V=3 M=Authentication rejected"
2025-06-09T23:46:44.496444-07:00 FortiAuthenticator radiusd[20891]: (0) [facauth] = reject
2025-06-09T23:46:44.496477-07:00 FortiAuthenticator radiusd[20891]: (0) } # Auth-Type FACAUTH = reject
2025-06-09T23:46:44.496522-07:00 FortiAuthenticator radiusd[20891]: (0) Failed to authenticate the user
2025-06-09T23:46:44.496578-07:00 FortiAuthenticator radiusd[20891]: (0) Using Post-Auth-Type Reject
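To make that distinction mechanically across a whole debug capture, the following Python script is an added example (not from the article or from any Fortinet tool). It groups radiusd debug lines by their '(N)' request number, extracts the user, NAS address, auth type, the NTSTATUS code quoted by the external helper and the MS-CHAP-Error code, and flags requests rejected with 0xC0000418. The NTSTATUS table holds a few well-known Windows codes for context. The sample log is constructed: request 0 is condensed from the output above (timestamp and process prefix stripped), requests 1 and 2 are invented to show a bad-password rejection and an accepted logon for contrast.

```python
# Triage FortiAuthenticator radiusd debug output for MS-CHAPv2 rejections.
# Added example; each debug line carries a "(N)" request number used for grouping.
from __future__ import annotations

import re
from dataclasses import dataclass

# NTSTATUS codes the mschap module's external helper (ntlm_auth-style) reports
# in its error text. 0xC0000418 is the one this article is about: the domain
# "Restrict NTLM" policy denied the logon, so the password was never evaluated.
NTSTATUS = {
    0xC0000418: ("STATUS_NTLM_BLOCKED", "NTLM denied by domain policy; check the 'Restrict NTLM' GPO on the DC"),
    0xC000006D: ("STATUS_LOGON_FAILURE", "bad username or password"),
    0xC000006A: ("STATUS_WRONG_PASSWORD", "wrong password"),
    0xC0000064: ("STATUS_NO_SUCH_USER", "no such account in the domain"),
    0xC0000234: ("STATUS_ACCOUNT_LOCKED_OUT", "account locked out"),
}

# Patterns for the lines of interest; group 1 is always the request number.
RE_REQ = re.compile(r"\((\d+)\) facauth: facauth: recv Access-Request from (\S+) port \d+, id=(\d+)")
RE_USER = re.compile(r"\((\d+)\) facauth: ===>Username:(\S+)")
RE_AUTHTYPE = re.compile(r"\((\d+)\) facauth: old_authtype: (\w+)")
RE_NTSTATUS = re.compile(r"\((\d+)\) mschap: ERROR: External script says: (.*?)\s*\((0x[0-9a-fA-F]{8})\)")
RE_MSCHAP_ERR = re.compile(r"\((\d+)\) facauth: MS-CHAP-Error: .*?E=(\d+)")
RE_RESULT = re.compile(r"\((\d+)\) \} # Auth-Type FACAUTH = (\w+)")

@dataclass
class Attempt:
    req: str
    nas_ip: str = ""
    radius_id: str = ""
    user: str = ""
    auth_type: str = ""
    ad_message: str = ""        # error text from the AD back end
    ntstatus: int | None = None  # Windows status code parsed from that text
    mschap_error: int | None = None  # E=... code returned to the NAS (RFC 2759)
    result: str = ""            # "ok" or "reject" from the FACAUTH section

    def verdict(self) -> str:
        if self.result == "ok":
            return "accepted"
        if self.ntstatus in NTSTATUS:
            name, hint = NTSTATUS[self.ntstatus]
            return f"rejected: {name} (0x{self.ntstatus:08X}) - {hint}"
        if self.ntstatus is not None:
            return f"rejected: unknown NTSTATUS 0x{self.ntstatus:08X} ({self.ad_message})"
        return f"rejected: {self.result or 'no result line found'}"

def parse_radiusd_debug(text: str) -> list[Attempt]:
    """Group debug lines by request number and pull out the fields above."""
    attempts: dict[str, Attempt] = {}

    def get(req: str) -> Attempt:
        return attempts.setdefault(req, Attempt(req=req))

    for line in text.splitlines():
        if m := RE_REQ.search(line):
            a = get(m[1])
            a.nas_ip, a.radius_id = m[2], m[3]
        elif m := RE_USER.search(line):
            get(m[1]).user = m[2]
        elif m := RE_AUTHTYPE.search(line):
            get(m[1]).auth_type = m[2]
        elif m := RE_NTSTATUS.search(line):
            a = get(m[1])
            a.ad_message, a.ntstatus = m[2], int(m[3], 16)
        elif m := RE_MSCHAP_ERR.search(line):
            get(m[1]).mschap_error = int(m[2])
        elif m := RE_RESULT.search(line):
            get(m[1]).result = m[2]
    return list(attempts.values())

def ntlm_blocked(attempts: list[Attempt]) -> list[Attempt]:
    """Requests rejected by the NTLM policy rather than by bad credentials."""
    return [a for a in attempts if a.ntstatus == 0xC0000418]

# Constructed sample: request 0 condensed from the article's debug output;
# requests 1 and 2 are made up (bad password, then an accepted logon).
SAMPLE_LOG = r"""
(0) facauth: facauth: recv Access-Request from 10.5.146.16 port 16969, id=29, length=189
(0) facauth: ===>Username:userb
(0) facauth: old_authtype: mschap (2992175)
(0) mschap: ERROR: External script says: The authentication failed because NTLM was blocked. (0xc0000418)
(0) facauth: MS-CHAP-Error: \016E=691 R=1 C=c9cdaba65d88486a18c0f9dfc5d6471c V=3 M=Authentication rejected
(0) } # Auth-Type FACAUTH = reject
(1) facauth: facauth: recv Access-Request from 10.5.146.16 port 16970, id=30, length=189
(1) facauth: ===>Username:userc
(1) facauth: old_authtype: mschap (2992175)
(1) mschap: ERROR: External script says: Logon failure: unknown user name or bad password. (0xc000006d)
(1) facauth: MS-CHAP-Error: \016E=691 R=1 C=00112233445566778899aabbccddeeff V=3 M=Authentication rejected
(1) } # Auth-Type FACAUTH = reject
(2) facauth: facauth: recv Access-Request from 10.5.146.16 port 16971, id=31, length=189
(2) facauth: ===>Username:userd
(2) facauth: old_authtype: mschap (2992175)
(2) } # Auth-Type FACAUTH = ok
"""

if __name__ == "__main__":
    attempts = parse_radiusd_debug(SAMPLE_LOG)
    for a in attempts:
        print(f"req {a.req} id={a.radius_id} user={a.user} nas={a.nas_ip} "
              f"type={a.auth_type} E={a.mschap_error}: {a.verdict()}")
    print("blocked by NTLM policy:", [a.user for a in ntlm_blocked(attempts)])
```

Run it against an exported debug capture instead of SAMPLE_LOG. Because E=691 is the same for every rejection, the NTSTATUS text in the helper's error line is the only field that separates a policy block from a credential failure, which is why the parser keys on that line rather than on the MS-CHAP-Error attribute.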
The same NTLM block event is also visible in the AD event logs:
On inspecting the GPO, the 'Restrict NTLM' policies are present: 'Network security: Restrict NTLM: NTLM authentication in this domain' is set to one of the Deny options. After changing it to 'Disable' (on the domain controller this corresponds to the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\RestrictNTLMInDomain, where 0 means Disable) and refreshing the policy, authentication starts working. Note that this re-enables NTLM for the whole domain. MSCHAPv2 verification inherently depends on NTLM pass-through to the domain controller, so if the restriction must stay in place, evaluate listing the FortiAuthenticator's server name under 'Network security: Restrict NTLM: Add server exceptions in this domain' instead, and confirm the effect with 'Network security: Restrict NTLM: Audit NTLM authentication in this domain' before enforcing.
The FortiAuthenticator logs then show the authentication as successful:
Copyright 2025 Fortinet, Inc. All Rights Reserved.