Windows Authentication Method QID (70028) provides important information about whether the service was able to authenticate to the host. This QID is detected on many hosts since the service attempts NULL session authentication if the service did not perform successful authentication using user-provided credentials (as defined in an authentication record).
It's recommended that you review the information in the Results section to confirm that authentication to the host was performed successfully. Important! The presence of this QID in your scan results does not mean that authentication was successful using user-provided credentials (as defined in an authentication record). Please review the detailed scan results for QID 70028 carefully.
The Results section for QID 70028 provides the following information.
The user name of the account which was used for authentication. The value "(none)" appears when authentication failed.
The domain name when domain-level authentication was successful. The value "(none)" appears when domain-level authentication was not used.
The name of the authentication scheme used for authentication. The service attempts authentication using the schemes available on the target host, starting from the most secure scheme to the least secure scheme. The value "NULL session" appears when the service performed authentication using NULL session.
The security access level used for authentication, user-based or share-based, depending on the Windows version running on the target host.
User-based: Access control to a file, printer or other network resource based on username. It provides greater protection than share-level security, because users are identified individually or within a group. User-level permissions are stored in a central server and managed by the network administrator.
Share-based: Access control to a file, printer or other network resource based on knowing the password of that resource. Share-level security provides less protection than user-level security, which identifies each person in the organization. This level of access control is implemented on older Windows systems.
The value identifies whether SMB signing is Enabled or Disabled on the host.
A discovery method (one method is identified):
value |
description |
Login credentials provided by the user |
The service found credentials for the target host (in an authentication record), and authentication to the host was successful. The authentication record used is shown in the Authentication Record field. |
Unable to log in using credentials provided by the user, fallback to NULL session |
The service found credentials for the host (in an authentication record), but the credentials didn’t work and authentication was not successful. The credentials used were incorrect or out of date, or the service was locked out when trying to perform authentication. |
NULL session, no valid login credentials provided or found |
The service did not find valid credentials for the host (in any authentication record). Authentication using NULL session may have been successful. An authentication record, which identifies login credentials and the host, must be defined. |
The title of the authentication record used for authentication to the host, when authentication was successful using user-provided login credentials (in an authentication record).
Your account may include multiple Windows authentication records. To learn how the scanning engine chose the authentication record that was used for authentication, see Multiple Windows Authentication Records.