authenticate machine accounts with ntlm_auth

Kris Benson kbenson at
Mon Aug 1 02:29:04 CEST 2005

>> I'm very frustrated now after spending a couple of weeks trying to get
>> free radius to authenticate my Win2k machine accounts against active
>> directory. :-(
>  Sorry, blame Microsoft.  It isn't possible, but they don't make it
>obvious that it's not possible.
>> Alan, do you know of any way to get this working.  I have been assured
>> that Funk can do this, have you any idea how Funk are doing it.  Funk
>> costs too much.  Maybe I'm not allowed to ask such questions.
>  Funk does it by running the radius server on the AD server.  At that
>point, they can use *internal* Windows API's or hacks to get at the
>data.  Since FreeRADIUS is running externally, it can't use those
>API's, and thus won't work.
>  FreeRADIUS *will* run on XP.  If someone were to write the necessary
>code, you could run the server on XP, and do what Funk does.

It sounds to me like you're saying this is a server-side issue.  Since AD
is available via LDAP, why couldn't this FreeRadius install just use
rlm_ldap to access the machine account info in AD?

The Microsoft side of things isn't my greatest strength, least of all the
AD/LDAP stuff, but it seems as though this *should* work.


Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)

More information about the Freeradius-Users mailing list