Jason Creech

Authenticated Scanning: Scan Credential Character Length Impact on Authenticated Scanning

Discussion created by Jason Creech on Oct 30, 2012

Hello All,

 

In an effort to share troubleshooting tips and techniques, this discussion covers a scenario where scan credential length can impact successful authenticated scanning in AD environments.

 

A Qualys customer recently reported having discovered a root cause of some authenticated PC scans failing with the "failed authentication" message using Active Directory authentication.

 

In this case, they found that scan account names greater than 20 characters were resulting in failed authentication; this was an AD restriction.

 

For backwards compatibility with older platforms, the SAMAccountName is limited to 20 characters and, in this case, one region had created a scan credential that was 21 characters long and was encountering the authentication issues.

 

The truncation of the account that occurred resulted in failed authentication, but as soon as they reran the scan against those assets using an account name of 20 characters or less, they went to 100% success for Windows authentication during Policy Compliance scans.

 

There is an MSDN article with more detail at this link:

 

http://msdn.microsoft.com/en-us/library/ms679635.aspx

 

Best regards,

 

Jason Creech

Qualys
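
A pre-flight check for the situation described in the post above, as an added example that is not part of the original post or of any Qualys tooling: it flags scan logins whose account name exceeds the 20-character SAMAccountName limit and shows the truncated form. The function names and sample logins are constructed, and treating a UPN prefix as the SAMAccountName is an assumption.

```python
"""Pre-flight check for Windows scan credential names (added example)."""
SAM_MAX_LEN = 20  # SAMAccountName limit for scan accounts, per the post


def sam_part(login):
    """Return the account-name portion of a login string.

    Handles DOMAIN\\user, user@domain (UPN) and bare names. Treating the
    UPN prefix as the SAMAccountName is an assumption; the two can differ.
    """
    login = login.strip()
    if "\\" in login:
        return login.split("\\", 1)[1]
    if "@" in login:
        return login.rsplit("@", 1)[0]
    return login


def check_scan_accounts(logins):
    """Return one finding per login whose account name exceeds the limit."""
    findings = []
    for login in logins:
        name = sam_part(login)
        if len(name) > SAM_MAX_LEN:
            findings.append({
                "login": login,
                "length": len(name),
                "truncated_to": name[:SAM_MAX_LEN],
            })
    return findings


# Constructed sample credential names, not taken from the post.
SAMPLE_LOGINS = [
    "CORP\\svc_qualys_scan_emea1",   # 21 characters: over the limit
    "CORP\\svc_qualys_scan_emea",    # 20 characters: at the limit
    "svc_vulnscan@corp.example",     # 12 characters
]

if __name__ == "__main__":
    for f in check_scan_accounts(SAMPLE_LOGINS):
        print(f"{f['login']}: {f['length']} chars, "
              f"would truncate to {f['truncated_to']!r}")
```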
