[RADIATOR] NTLM Failures to Active Directory
Heikki Vatiainen
hvn at open.com.au
Fri Sep 15 16:38:28 UTC 2023
On 8.9.2023 0.55, Ullfig, Roberto Alfredo via radiator wrote:
> This is what the process looks like:
>
> /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
>
> so we're using NTLM v1 correct? Is that the proper way to run ntlm_auth?

That is a proper way to run ntlm_auth. What you could do is to add a
flag to ntlm_auth parameters. The flag is: --allow-mschapv2

With this flag it's still possible to use MSCHAP based authentication
methods even if older authentication methods are otherwise disabled on
the Windows server. For more information, see this:
https://files.radiatorsoftware.com/radiator/ref/AuthByNTLM.html#Domain_AuthByNTLM-3

My understanding is that MSCHAP and MSCHAPv2 always require NTLM v1.

Parameter --helper-protocol=ntlm-server-1 sets the method Radiator and
ntlm_auth communicate with each other. It determines how the information
is formatted between the two and it does not set the NTLM version. For
more, see here:
https://www.samba.org/samba/docs/current/man-html/ntlm_auth.1.html

Thanks,
Heikki
--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
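
An added example, not part of the original message and not Radiator's code: a Python sketch of the text exchange that --helper-protocol=ntlm-server-1 selects, with field names taken from the Samba ntlm_auth man page linked above. The function names and all sample values are constructed for illustration; nothing in the format names an NTLM version.

```python
# Added illustration: the ntlm-server-1 helper protocol is a line format only.
# Field names follow the Samba ntlm_auth(1) man page; all values are constructed.


def build_request(username, domain, challenge, nt_response, want_session_key=True):
    """Format one MSCHAP/MSCHAPv2 check as ntlm-server-1 stdin text."""
    if len(challenge) != 8:
        raise ValueError("challenge must be 8 bytes")
    if len(nt_response) != 24:
        raise ValueError("NT response must be 24 bytes")
    # Each field is one "Parameter: value" line, so a line break inside a
    # value would let a caller smuggle in extra fields. Reject it.
    for value in (username, domain):
        if "\n" in value or "\r" in value:
            raise ValueError("line breaks are not allowed in field values")
    lines = [
        f"Username: {username}",
        f"NT-Domain: {domain}",
        f"LANMAN-Challenge: {challenge.hex()}",
        f"NT-Response: {nt_response.hex()}",
    ]
    if want_session_key:
        lines.append("Request-User-Session-Key: Yes")
    lines.append(".")  # a lone period ends this side's data
    return "\n".join(lines) + "\n"


def parse_reply(text):
    """Parse helper stdout up to the terminating '.' into a dict."""
    fields = {}
    for line in text.splitlines():
        if line == ".":
            break
        key, sep, value = line.partition(": ")
        if sep:
            fields[key] = value
    # Fail closed: anything other than an explicit "Yes" is a reject.
    fields["ok"] = fields.get("Authenticated") == "Yes"
    return fields


# Constructed sample data, not captured from a real server.
SAMPLE_CHALLENGE = bytes(range(8))
SAMPLE_NT_RESPONSE = bytes(range(24))
SAMPLE_REJECT = "Authenticated: No\nAuthentication-Error: Logon failure\n.\n"
```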