Application Verifier - Stop Codes - NTLM
The following stop codes are contained in this set of tests.
AcquireCredentialsHandle acquires NTLM credential explicitly.
Probable causeAcquireCredentialsHandle is called directly or indirectly by the application with pszPackage = 'NTLM'. 'Negotiate' should be used to fix this issue. An example of bad call: AcquireCredentialsHandle( ... 'NTLM', // pszPackage ... ); An example of good call: AcquireCredentialsHandle( ... 'Negotiate', // pszPackage ... ); Please refer to help for more detailed information of this stop code.
Information displayed by Application Verifier- Parameter 1 - Not used.
- Parameter 2 - Not used.
- Parameter 3 - Not used.
- Parameter 4 - Not used.
- Test Layer: NTLMCaller
- Stop ID: ACH_EXPLICIT_NTLM_PACKAGE
- Stop code: 5000000
- Severity: Error
- One-time error: no
- Error report: Break
- Log to file: yes
- Create backtrace: yes
AcquireCredentialsHandle prefers NTLM credentials. Please see Param1 for the value of PackageList.
Probable causeAcquireCredentialsHandle is called directly or indirectly by the application with pszPackage = 'Negotiate'. However, NTLM is preferred in supplied credential (pAuthData). An example of bad call: AcquireCredentialsHandle( ... 'Negotiate', // pszPackage ... pAuthData, // pAuthData, ((SEC_WINNT_AUTH_IDENTITY_EX*)pAuthData)->PackageList is 'NTLM' or 'NTLM,KERBEROS' etc. ... ); An example of good call: AcquireCredentialsHandle( ... 'Negotiate', // pszPackage ... pAuthData, // pAuthData, ((SEC_WINNT_AUTH_IDENTITY_EX*)pAuthData)->PackageList = NULL or NTLM is less preferred. ... ); Please refer to help for more detailed information of this stop code.
Information displayed by Application Verifier- Format: - Packagelist: %.*hs%.*ws
- Parameter 1 - PackageList.
- Parameter 2 - Not used.
- Parameter 3 - Not used.
- Parameter 4 - Not used.
- Test Layer: NTLMCaller
- Stop ID: ACH_IMPLICITLY_USE_NTLM
- Stop code: 5000001
- Severity: Error
- One-time error: no
- Error report: Break
- Log to file: yes
- Create backtrace: yes
AcquireCredentialsHandle mistakenly uses '-NTLM' to exclude NTLM credential. Please see Param1 for the value of PackageList.
Probable causeAcquireCredentialsHandle is called directly or indirectly by the application with supplied credential (pAuthData), in which '-NTLM' is mistakenly used to exclude NTLM credential. '!NTLM' should be used to fix this issue. An example of bad call: AcquireCredentialsHandle( ... 'Negotiate', // pszPackage ... pAuthData, // pAuthData, ((SEC_WINNT_AUTH_IDENTITY_EX*)pAuthData)->PackageList uses '-NTLM'. ... ); An example of good call: AcquireCredentialsHandle( ... 'Negotiate', // pszPackage ... pAuthData, // pAuthData, ((SEC_WINNT_AUTH_IDENTITY_EX*)pAuthData)->PackageList uses '!NTLM'. ... ); Please refer to help for more detailed information of this stop code.
Information displayed by Application Verifier- Format: - PackageList: %.*hs%.*ws
- Parameter 1 - PackageList.
- Parameter 2 - Not used.
- Parameter 3 - Not used.
- Parameter 4 - Not used.
- Test Layer: NTLMCaller
- Stop ID: ACH_BAD_NTLM_EXCLUSION
- Stop code: 5000002
- Severity: Error
- One-time error: no
- Error report: Break
- Log to file: yes
- Create backtrace: yes
InitializeSecurityContext uses NULL target or malformed target for Kerberos service. Please see pszTargetName for the value of the target.
Probable causeInitializeSecurityContext is called directly or indirectly by the application with pszTargetName being NULL or malformed, with which Kerberos cannot be possibly negotiated. The guidance to fix this issue to use Kerberos is provided as below: (1) The service the client application authenticates to should have its SPN uniquely registered in its forest; (2) The service must run under the identity,domain user or computer account, with this SPN registered; (3) InitializedSecuirtyContext should be called with this SPN. An example of bad call: InitializeSecurityContext( ... NULL, // pszTargetName ... ); Another example of bad call: InitializeSecurityContext( ... '\\\\localhost', // pszTargetName ... ); An example of good call: InitializeSecurityContext( ... 'myservice/mymachine.mydomain.com', // pszTargetName, myservice/mymachine.mydomain.com is a uniquely registered SPN under which the service runs. ... ); Please refer to help for more detailed information of this stop code.
Information displayed by Application Verifier- Format: - pszTargetName: %hs%ws
- Parameter 1 - Not used.
- Parameter 2 - Not used.
- Parameter 3 - Not used.
- Parameter 4 - Not used.
- Test Layer: NTLMCaller
- Stop ID: ISC_MALFORMED_TARGET
- Stop code: 5000003
- Severity: Error
- One-time error: no
- Error report: Break
- Log to file: yes
- Create backtrace: yes
The client application downgrades to use NTLM authentication as the result of negotiation. Please see pAuthData for more details. pAuthData shows the credential and the target used for this negotiation.
Probable causeThe client application downgrades to use NTLM authentication as the result of negotiation. There can be many reasons for this issue. The guidance of troubleshooting this issue is provided as below: (1) Turn on NTLMCaller appverifier layer if it was not on. This layer will catch commonly known issues that can cause the downgrade; (2) If pszTargetName is an SPN, make sure this SPN is uniquely registered in the forest (the SPN cannot be missing or duplicated); (3) The SPN must be looked up by the client system running client application; (4) The service must run under an identity with its Kerberos credential available; (5) The scenario should be reviewed by Windows security experts. Please refer to help for more detailed information of this stop code.
Information displayed by Application Verifier- Format: - pAuthData: %ws \n\tUser: %hs%ws \n\tDomain: %hs%ws \npszTargetName: %hs%ws
- Parameter 1 - Not used.
- Parameter 2 - Not used.
- Parameter 3 - Not used.
- Parameter 4 - Not used.
- Test Layer: NTLMDowngrade
- Stop ID: FALLBACK_TO_NTLM
- Stop code: 5010000
- Severity: Warning
- One-time error: no
- Error report: None
- Log to file: yes
- Create backtrace: yes
See Also
Application Verifier - Stop Codes and Definitions
Application Verifier - Overview
Application Verifier - Features
Application Verifier - Testing Applications
Application Verifier - Tests within Application Verifier