definitive info on authenticating to AD via NTLMv2

Phil Mayers p.mayers at imperial.ac.uk
Tue Mar 26 16:00:05 CET 2013


On 26/03/2013 14:21, Alex Sharaz wrote:
> Hi, I've been running ntlm_auth to authenticate our 802.1x users
> against AD for a number of months without problems... until this
> morning when our Systems group tightened up auth requirements to only
> use NTLMv2, and my ntlm_auth module started failing.

As Alan says - you're hosed. They will need to rollback the change if 
you want Samba/ntlm_auth to continue working.

> All the web stuff I've found doesn't seem to mention v2 at all. Back
> in the dim and distant past I got round the NTLMv2 issue when using
> OSC Radiator by proxying off auths to Radiator running on a Windows
> machine bound to AD and using their AuthBy LSA authentication
> mechanism.

When you say "windows machine", do you mean "ordinary domain member" as 
opposed to "domain controller"?

If so, this is interesting. It suggests that MSCHAP can still be checked 
with NTLMv2 enforced, just not via whatever API Samba/ntlm_auth uses.

You should ask on the Samba lists - if a windows domain member can do 
it, there must be a newer API/RPC which Samba could implement.

It is possible, though unlikely IMO, that one of the other ntlm_auth 
modes, such as

--helper-protocol=ntlm-server-1

...uses different RPCs, and may work. If you can, try and get a valid 
challenge/response pair, and then drive ntlm_auth using the 
ntlm-server-1 protocol (see "man ntlm_auth"). If that works, it would be 
possible in theory to use a wrapper script. But IIRC, it's the same code 
path, so Samba fixes will be needed.

The other "option" (yuck) is to run NPS (or Radiator) on a Windows 
server, and proxy your MSCHAP to that. But if other RADIUS servers have 
the ability to work with NTLMv2 enforced, it would be nice to get it 
with FR too.

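The following is an added example, not code from this thread or from the Samba or FreeRADIUS projects, showing what "get a valid challenge/response pair and drive ntlm_auth using the ntlm-server-1 protocol" looks like in practice. It derives the 8-octet MS-CHAPv2 challenge hash (RFC 2759 ChallengeHash, checked against the RFC's section 9.2 test vector), pulls the 24-octet NT-Response out of a RADIUS MS-CHAP2-Response value (RFC 2548 layout), and builds and parses the "Field: value" blocks that `--helper-protocol=ntlm-server-1` reads and writes, with field names as documented in "man ntlm_auth". HELPER_ARGV (the path and arguments of the helper), the domain name EXAMPLE, the placeholder NT-Response bytes and all function names are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Drive ntlm_auth's ntlm-server-1 helper protocol for one MS-CHAPv2 check.

Added example, not code from the mailing-list thread or from Samba/FreeRADIUS.
Field names follow "man ntlm_auth"; HELPER_ARGV is an assumed location of
the helper; the challenge values are the RFC 2759 section 9.2 test vector;
PLACEHOLDER_NT_RESPONSE is constructed filler, not a real response.
"""
import hashlib
import subprocess

HELPER_ARGV = ["ntlm_auth", "--helper-protocol=ntlm-server-1"]  # assumption

# RFC 2759 section 9.2 test vector: user "User", password "clientPass".
RFC2759_USERNAME = b"User"
RFC2759_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC2759_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC2759_CHALLENGE_HASH = bytes.fromhex("D02E4386BCE91226")

# Constructed 24-octet filler so the block runs offline; a real value comes
# from the MS-CHAP2-Response attribute in a radiusd -X trace.
PLACEHOLDER_NT_RESPONSE = bytes(range(24))


def mschapv2_challenge_hash(peer_challenge, auth_challenge, username):
    """RFC 2759 ChallengeHash(): first 8 octets of SHA1(Peer || Auth || UserName).

    This is the value ntlm_auth expects as LANMAN-Challenge for an MS-CHAPv2
    check (rlm_mschap's %{mschap:Challenge}). Use the bare user name the
    client hashed, normally without any DOMAIN\\ prefix.
    """
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets")
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def split_mschap2_response(attr):
    """Split a RADIUS MS-CHAP2-Response value (RFC 2548 section 2.3.2):
    Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24)."""
    if len(attr) != 50:
        raise ValueError("MS-CHAP2-Response is 50 octets")
    return attr[0], attr[1], attr[2:18], attr[26:50]


def build_ntlm_server_1_request(username, domain, challenge, nt_response,
                                want_session_key=True):
    """One ntlm-server-1 request: 'Field: value' lines ended by a lone '.'."""
    if len(challenge) != 8 or len(nt_response) != 24:
        raise ValueError("need 8-octet challenge and 24-octet NT-Response")
    lines = [
        f"Username: {username}",
        f"NT-Domain: {domain}",
        f"LANMAN-Challenge: {challenge.hex()}",
        f"NT-Response: {nt_response.hex()}",
    ]
    if want_session_key:  # needed to derive MPPE keys for 802.1X/PPTP
        lines.append("Request-User-Session-Key: Yes")
    lines.append(".")
    return "\n".join(lines) + "\n"


def parse_ntlm_server_1_reply(text):
    """Parse the helper's reply block: Authenticated -> bool, session keys ->
    bytes, anything else (e.g. Error) kept as a string."""
    out = {"Authenticated": False}
    for line in text.splitlines():
        line = line.strip()
        if line == ".":
            break
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Authenticated":
            out[key] = value.lower() == "yes"
        elif key in ("User-Session-Key", "LANMAN-Session-Key"):
            out[key] = bytes.fromhex(value)
        else:
            out[key] = value
    return out


def check_with_ntlm_auth(username, domain, challenge, nt_response, helper_argv=None):
    """Send one request block to the helper and return the parsed reply.
    A wrapper script would call this once per access request."""
    request = build_ntlm_server_1_request(username, domain, challenge, nt_response)
    proc = subprocess.run(helper_argv or HELPER_ARGV, input=request,
                          capture_output=True, text=True, check=False)
    return parse_ntlm_server_1_reply(proc.stdout)


if __name__ == "__main__":
    chal = mschapv2_challenge_hash(RFC2759_PEER_CHALLENGE, RFC2759_AUTH_CHALLENGE,
                                   RFC2759_USERNAME)
    assert chal == RFC2759_CHALLENGE_HASH
    print(build_ntlm_server_1_request("User", "EXAMPLE", chal,
                                      PLACEHOLDER_NT_RESPONSE), end="")
    # With a real pair captured from radiusd -X, send it to the helper:
    # print(check_with_ntlm_auth("User", "EXAMPLE", chal, nt_response))
```

Run it to see the exact block to paste into `ntlm_auth --helper-protocol=ntlm-server-1`; an "Authenticated: No" reply with NTLMv2 enforced, against a pair that succeeded before the policy change, confirms that this helper mode goes through the same rejected code path rather than a different RPC.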
