"MS-CHAP v.2 implemented in Windows is essentially NTLM v.1"

Ben Hanson

I have been working with MS on a strange RADIUS authentication issue. After
going back and forth with them for quite some time we discovered that the
problem was a GP setting for authentication options (Respond with NTLM v.2
only, reject LM and NTLM). If I backed this policy off to permit any of the
three, it worked.

Although this solved the problem the solution did not make sense to me. The
PPTP VPN clients were configured to use only MS-CHAP v.2 and the GP was set
to only permit the use of NTLM v.2. In my mind at least this should have
worked but obviously it did not. I started to press MS to explain this
behavior.

The support tech said a few things, but I could tell he was drawing at straws
a bit, so I had him bump it up the ladder, and the response we got from one of
the internal AD architecture guys at MS was the subject line above. The
logic being: MS-CHAP v.2 is essentially NTLM v.1, and since the GP was set
to reject everything but NTLM v.2, authentication failed.

Although I have checked the RFC for MS-CHAP, I cannot find any information to
support this comment. Can anyone elaborate on what the tech meant by this?
It still doesn't make any sense to me that the most secure method of
authentication of the three (NTLM v.2) would be incompatible with the most
desirable method of remote user authentication (MS-CHAP v.2).

-Ben