Extraordinaire20
Jan 18, 2023 (Copper Contributor)
The remote NGC session was denied.
Hi.
I was reviewing sign-in Logs for a user in Sentinel and came across an entry that has the following:
ResultType: 1003033
ResultDescription: The remote NGC session was denied.
Authentication method: Passwordless phone sign-in
I have tried to search for this result type/description online but cannot find anything about it.
Has anyone come across this? Do you know what it is related to?
- GROB_740 (Copper Contributor)
Hi Both, We have recently run into the same issue and had a chat with MS after reviewing our conditional access policies for possible denies as the connection that was denied came from a TOR exit node with no Geo location. The actual reference in this instance to NGC is actually referring to Next Generation Credentials, like passwordless authentication. The error is not related to a conditional access policy, including one targeting a GeoCoordinate setting.
This sign-in refers to passwordless authentication using the Microsoft Authenticator app, for example. A 1003033 error occurs when a user attempts to authenticate with the tenant that sent an authentication request to the registered Microsoft Authenticator app, and the error signifies that the user manually denied the authentication request in the Microsoft Authenticator app.
- MorbrosIT (Copper Contributor)
The biggest concern was whether or not the credentials were actually compromised (which they weren't). I didn't have any luck with Microsoft support on this. They kept asking me to delete the NGC folder on the machine and I knew that wasn't the issue.
- GROB_740 (Copper Contributor)
With these NGC events they do not need to know your password as the auth takes place with a passwordless auth session. To replicate this try the following:
When you log into the Windows portal with your email the next phase will ask for a password; in this phase the TA will not use a password but select "Use an app instead" where a number matching request will be sent to your enrolled device. From your device cancel the request to generate the event - 1003033 in AAD.
The TA will only ever know your email address for this attack, not your password. If they knew your password they would utilise the password, click next and hit the MFA auth pane for the chosen MFA auth input (if you have MFA configured).
To see the relevant logs within AAD use:
SigninLogs
| where TimeGenerated > ago(7d)
| extend errorCode_ = tostring(Status.errorCode)
| where errorCode_ == "1003033"
Change the TimeGenerated to whatever you see fit to cover your scope of events. I've re-created the attack and canceled the request on the app to replay the attack and confirm the event appears.
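An added triage query, not part of any post in this thread: it addresses the compromise question raised above by counting 1003033 denials per user and source IP and checking whether any denied prompt was followed by a successful sign-in (ResultType "0") from the same IP. The sample rows, the `SampleSignins` name and the one-hour `followWindow` are constructed assumptions.

```kusto
// Constructed sample rows standing in for SigninLogs (a subset of its columns).
// In a workspace, drop the datatable and use instead:
//   let SampleSignins = SigninLogs | where TimeGenerated > ago(7d);
let SampleSignins = datatable(TimeGenerated:datetime, UserPrincipalName:string,
                              IPAddress:string, ResultType:string)
[
    datetime(2023-01-18 03:02:00), "alice@example.com", "203.0.113.10", "1003033",
    datetime(2023-01-18 03:04:00), "alice@example.com", "203.0.113.10", "1003033",
    datetime(2023-01-18 08:30:00), "alice@example.com", "198.51.100.7", "0",
    datetime(2023-01-18 03:10:00), "bob@example.com",   "203.0.113.10", "1003033",
    datetime(2023-01-18 03:12:00), "bob@example.com",   "203.0.113.10", "0"
];
// Assumption: how long after a denial a success from the same IP is still of interest.
let followWindow = 1h;
let Denied = SampleSignins
    | where ResultType == "1003033"
    | project UserPrincipalName, IPAddress, DeniedTime = TimeGenerated;
let Succeeded = SampleSignins
    | where ResultType == "0"
    | project UserPrincipalName, IPAddress, SuccessTime = TimeGenerated;
Denied
| join kind=leftouter Succeeded on UserPrincipalName, IPAddress
| extend FollowedBySuccess = isnotnull(SuccessTime)
    and SuccessTime >= DeniedTime and SuccessTime <= DeniedTime + followWindow
// Collapse the join fan-out back to one row per denied prompt.
| summarize Successes = countif(FollowedBySuccess)
    by UserPrincipalName, IPAddress, DeniedTime
| summarize DeniedPrompts = count(),
            PromptsFollowedBySuccess = countif(Successes > 0),
            FirstDenied = min(DeniedTime), LastDenied = max(DeniedTime)
    by UserPrincipalName, IPAddress
| extend Triage = iff(PromptsFollowedBySuccess > 0,
    "review: success from same IP after a denied prompt", "denied only")
| order by PromptsFollowedBySuccess desc, DeniedPrompts desc
```

Rows marked "denied only" match what the thread describes: prompts the user rejected, with no sign-in completed from that address.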
- Extraordinaire20 (Copper Contributor)
Thank you so much for this. I also came to this conclusion after I talked with a support engineer from Microsoft a few days ago.
- GBushey (Microsoft)
This information is coming from AAD. I did find this that may help you understand it: https://learn.microsoft.com/en-us/answers/questions/1162134/the-remote-ngc-session-was-denied
- Extraordinaire20 (Copper Contributor)
Thank you for this. I was the one who made this post on the other forum. However I spoke to the Microsoft Customer representative for my company and he said NGC stands for Next Generation Credentials. It describes up and coming forms of authentication e.g. Windows Hello for business, face ID etc.
- MorbrosIT (Copper Contributor)
What's odd is I'm 100% sure my credentials weren't compromised. Could they have triggered an MFA prompt trying to sign in passwordless?
- BMasonTIT (Copper Contributor)
Yep - I'm with you MorbrosIT - I've changed my MS creds twice and only just now I've turned off the passwordless authentication as it's almost like that was somehow used against my account. Not great waking up to auth prompts on your mobile at 3am from USA when we reside on the other side of the world.
- TeckieGeo (Copper Contributor)
Thanks for the information, it does provide some insight. I do have some block locations (not the one for that IP) and it is odd that it only happened a few times that day in a couple of accounts.
- TeckieGeo (Copper Contributor)
I am seeing the same here. By any chance, is the IP 172.81.63.xxx? It just started today for us.
- BMasonTIT (Copper Contributor)
We've got the same logs and also don't understand what is causing this... hopefully someone from MS can clear the air.