The last piece of the puzzle - XP host authentication

East, Bill eastb at pffcu.org
Tue Apr 19 17:41:28 CEST 2011


> -----Original Message-----
> From: freeradius-users-bounces+eastb=pffcu.org at lists.freeradius.org [mailto:freeradius-users-bounces+eastb=pffcu.org at lists.freeradius.org] On Behalf Of Phil Mayers
> Sent: Tuesday, April 19, 2011 11:15 AM
> To: freeradius-users at lists.freeradius.org
> Subject: Re: The last piece of the puzzle - XP host authentication
> 
> On 19/04/11 14:59, East, Bill wrote:
> 
> >> Have you made sure that your root cert is present in the right stores
> >> - remember windows clients have both machine and per-user cert stores.
> >> Machine auth requires it be in the machine store.
> >
> > Bah, I should have known that. It's fixed, now.
> 
> Cool
> 
> > This looks highly promising.
> >
> > I've got the syntax right in mschap now, I think, but the challenge is
> > still being created strangely (or is it supposed to look like that?)
> >
> > [mschapv2] # Executing group from file /etc//raddb/sites-enabled/inner-tunnel
> > [mschapv2] +- entering group MS-CHAP {...}
> > [mschap] Creating challenge hash with username: host/LP-0010.pffcu.org
> > [mschap] Told to do MS-CHAPv2 for host/LP-0010.pffcu.org with NT-Password
> > [mschap]        expand: %{mschap:User-Name} ->  LP-0010$
> > [mschap]        expand: --username=%{%{mschap:User-Name}:-%{User-Name:-None}} ->  --username=LP-0010$
> > [mschap]  mschap2: ac
> > [mschap] Creating challenge hash with username: host/LP-0010.pffcu.org
> > [mschap]        expand: --challenge=%{mschap:Challenge:-00} ->  --challenge=cc01b9d88b911c44
> > [mschap]        expand: --nt-response=%{mschap:NT-Response:-00} ->  --nt-response=0a186dec8193bed90f305cabfc6f48f5a3621c58672b98a8
> 
> This all looks right (I have spent a distressing amount of time looking at MS-CHAP blobs this
> last week)
> 
> > Exec-Program output: Logon failure (0xc000006d)
> > Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
> 
> ...but obviously this didn't work.
> 
> What version of Samba do you have? Some (much) older versions didn't permit machine account
> login via ntlm_auth.

Latest and greatest, 3.5.8.

I'm wondering if this is the "loopback checking" issue from KB896861 and others. Since the hash is for "host/machinename"... I can modify the registry on my domain controller but I'm going to have to wait for our maintenance window to restart the damn thing.
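Added illustration, not code from this thread or from FreeRADIUS: the RFC 2759 ChallengeHash that yields the 8-byte --challenge value in the debug output above (computed over the full User-Name, host/LP-0010.pffcu.org, while ntlm_auth is handed the stripped LP-0010$), checked against the RFC 2759 test vector. The ntlm_auth_username helper is an assumption written to match what the log shows %{mschap:User-Name} doing, not rlm_mschap's own code.

```python
import hashlib

# RFC 2759 section 9.2 test vector (public, not taken from the thread).
RFC2759_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC2759_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC2759_USERNAME = "User"
RFC2759_CHALLENGE = "d02e4386bce91226"


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash: SHA-1 over the 16-byte peer challenge,
    the 16-byte authenticator challenge and the user name, truncated to 8 bytes.
    This 8-byte value is what the server passes to ntlm_auth as --challenge."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("peer and authenticator challenges must each be 16 bytes")
    digest = hashlib.sha1(peer_challenge + auth_challenge + username.encode("ascii")).digest()
    return digest[:8]


def ntlm_auth_username(user_name: str) -> str:
    """Assumed helper mirroring the log's %{mschap:User-Name} expansion for a
    machine account: 'host/LP-0010.pffcu.org' -> 'LP-0010$' (short host name plus $).
    Other names are returned unchanged."""
    if user_name.startswith("host/"):
        return user_name[len("host/"):].split(".", 1)[0] + "$"
    return user_name


def ntlm_auth_args(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> dict:
    """Return the --username and --challenge values as they would appear in the
    debug output: challenge hashed over the full name, username stripped for ntlm_auth."""
    return {
        "username": ntlm_auth_username(user_name),
        "challenge": challenge_hash(peer_challenge, auth_challenge, user_name).hex(),
    }


def self_check() -> bool:
    """True when the implementation reproduces the RFC 2759 test vector."""
    got = challenge_hash(RFC2759_PEER_CHALLENGE, RFC2759_AUTH_CHALLENGE, RFC2759_USERNAME)
    return got.hex() == RFC2759_CHALLENGE


if __name__ == "__main__":
    # Constructed sample challenges; real ones come from the client and the server.
    print(self_check())
    print(ntlm_auth_args(b"\x11" * 16, b"\x22" * 16, "host/LP-0010.pffcu.org"))
```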
