freeradius auth in win AD
Alan DeKok
aland at deployingradius.com
Thu Jun 16 15:58:11 CEST 2016
On Jun 16, 2016, at 8:19 AM, Zenon Matuszyk <zenon.matuszyk at networkers.pl> wrote:
>
> Hello,
>
> I have a little problem with auth in Windows AD by using userPrincipalName (using samAccountName works fine). In the mschap file I have:
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>
> and ldap file:
>
> filter = "(userPrincipalName=%{%{Stripped-User-Name}:-%{User-Name}})"
>
> In debug I see:
...
> [mschap] Creating challenge hash with username: aa.aa at stud.wcc.domain.pl
> [mschap] Told to do MS-CHAPv2 for aa.aa at stud.wcc.domain.pl with NT-Password
> [mschap] expand: %{Stripped-User-Name} ->
> [mschap] ... expanding second conditional
> [mschap] expand: %{User-Name} -> aa.aa at stud.wcc.domain.pl
> [mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name}} -> --username=aa.aa at stud.wcc.domain.pl
> [mschap] Creating challenge hash with username: aa.aa at stud.wcc.domain.pl
> [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=1282528812d8f6bb
> [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=484795e959127ad898fd4230c3e3f52cbd19297d084e00d5
> Exec-Program output: Logon failure (0xc000006d)
> Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
That seems definitive.
The name / password is incorrect.
Alan DeKok.
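
An added example, not part of the original thread and not FreeRADIUS code: a small Python helper that reads mschap debug output shaped like the lines quoted above and reports the username actually handed to ntlm_auth and the NTSTATUS it returned. The sample log, the `triage` function name and the `alice@example.org` account are constructed for illustration.

```python
import re

# NTSTATUS values ntlm_auth can report; names are from Microsoft's NTSTATUS list.
NTSTATUS = {
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

EXPAND = re.compile(r"\[mschap\]\s+expand:\s+(\S.*?)\s+->\s*(.*)$")
RESULT = re.compile(r"Exec-Program output:\s*(.*?)\s*\((0x[0-9a-fA-F]+)\)")

def triage(debug_text):
    """Summarise what mschap handed to ntlm_auth and what ntlm_auth returned."""
    info = {"username": None, "stripped_empty": None, "realm": None,
            "message": None, "code": None, "name": None}
    for line in debug_text.splitlines():
        line = line.lstrip("> ").rstrip()   # tolerate mail-quoted debug output
        m = EXPAND.search(line)
        if m:
            template, value = m.groups()
            if template == "%{Stripped-User-Name}":
                # Empty expansion means the :- fallback to User-Name is used.
                info["stripped_empty"] = (value == "")
            elif template.startswith("--username="):
                info["username"] = value[len("--username="):]
                _, sep, realm = info["username"].partition("@")
                info["realm"] = realm if sep else None
            continue
        m = RESULT.search(line)
        if m:
            info["message"] = m.group(1)
            info["code"] = int(m.group(2), 16)
            info["name"] = NTSTATUS.get(info["code"], "unknown")
    return info

# Constructed sample in the shape of the debug output quoted above.
SAMPLE = """\
> [mschap] expand: %{Stripped-User-Name} ->
> [mschap] ... expanding second conditional
> [mschap] expand: %{User-Name} -> alice@example.org
> [mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name}} -> --username=alice@example.org
> Exec-Program output: Logon failure (0xc000006d)
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```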