On Fri, Nov 27, 2015 at 12:10 PM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 27/11/15 09:44, Franks Andy (IT Technical Architecture Manager) wrote:
Anything inside the EAP tunnel doesn't like you playing with the username though, so we can't do UPN based MSCHAPv2 lookup - UPN format doesn't work, as far as I can tell, with the ntlm_auth program and I can't update the username. I can force the mschap auth process to use an alternative user name, but the hash then doesn't work, and I can't work out how to update the mschap:user-name. All this is
Altering the in-packet username or the username on the ntlm_auth command line is futile; as you've indicated, the client does the crypto on the basis of the UPN, and that's what you need to pass to ntlm_auth so that it can be in turn passed to the DC and mixed into the chal/resp verification/calculation correctly.
I was under the impression that ntlm_auth should work with a UPN where LHS != samaccountname, but it's really a Samba question - I'd suggest asking on the Samba list.
I also suspect the bug is in samba. I think windows assumes UPN when it sees the '@' sign and will retrieve the correct user. I can tell that UPN (where LHS!=samaccountname) works fine with HTTP againts IIS using NTLM authentication.