Francois Gaudreault wrote:
I had a look in the LDAP, and the ntPassword is having the correct lenght : ntPassword: 44AFA3XXXXXXXXXXXXXXXXXXXXXXX856
Yup. That's the hex version.
I did enable pap, but without success. ... [pap] Normalizing NT-Password from hex encoding
That's something, at least.
[pap] WARNING: Auth-Type already set. Not setting to PAP ... [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] Found NT-Password [mschap] Creating challenge hash with username: host/dti-dahport [mschap] Told to do MS-CHAPv2 for host/dti-dahport with NT-Password [mschap] FAILED: MS-CHAP2-Response is incorrect
Is it possible that the issue is somewhere else? The nt/lmPassword are properly handled when we do user auth, and the printout in debug is also in a 0xsomething format.
The issue could be somewhere else. From what I recall, host authentication is... weird. The name in the MS-CHAP blob might *not* be the same as the User-Name field. If that happens, the calculated response using the User-Name will be wrong. Grab the debug output and use it as a test case. You should be able to replay the packets verbatim. Configure a static password. Also try configuring "MS-CHAP-User-Name", which will end up being the name used for the MS-CHAP calculations. Decode the MS-CHAP blobs manually to see if the name in them is the same as the User-Name. Alan DeKok.