WinNT SAM authentication

Michael Bradley ( BradleyM@energy.wsu.edu )
Fri, 27 Mar 1998 12:08:54 -0800

I have a new installation of RadiusNT/Emerald that I am trying to debug.
I want to be able to authenticate users via the WinNT SAM and am having
trouble with this. I have talked to tech support and read everything I
can find on the web site/RadiusNT mailing list and am still not able to
get this to work. I'll give as much detail as possible here and hope
that someone can point out what is wrong.

RadiusNT and Emerald are running on a machine running WinNT Server
4.0/SvcPk 3 (this machine is not a primary or backup domain controller).
The Emerald SQL database is located on another WinNT 4.0 server on our
network which is running SQL 6.5. RadiusNT is running in ODBC mode and
for now is running in full debug (-x15) mode.

I have three test users set up in Emerald. These users' logins/passwords
are entered in Emerald as follows: testone/testone; testtwo/WINNT; and
testthree/WINNT\OLY (the name of the NT domain is OLY). User "testtwo"
also has a local account on the WinNT machine running RadiusNT/Emerald
(password: testtwo) and is a member of a local group (created with User
Manager) that has "logon locally" privileges. User "testthree" is a
domain user in the NT domain OLY (password: testthree) and is a member
of a local group and a global group (both created with User Manager for
Domains) that have "logon locally" privileges.

Radius can authenticate a login attempt by user "testone" using the
password "testone" just fine and returns this info when it does:
------------------------------------------------------------------------
Checking for duplicate logins.

SQL Statement: Select Count(*) from CallsOnline Where UserName='testone' and AcctStatusType=1

testone found on-line 0 time(s).

SQL Statement: Select ra.RadAttributeID, Name, Data, Value, Type From RadConfigs rc, RadAttributes ra Where ra.RadAttributeID=rc.RadAttributeID AND rc.AccountID=7

Loading radius defaults for this type...

SQL Statement: Select ra.RadAttributeID, Name, Data, Value, Type From RadATConfigs rc, RadAttributes ra Where ra.RadAttributeID=rc.RadAttributeID AND rc.AccountType='PPP'

User-Service = 2 (2)
Framed-Protocol = 1 (1)
Sending Ack of id 1 to 7f000001 (localhost)
User-Service = Framed-User
Framed-Protocol = PPP

Resp Time: 481 Auth: 2/2 -> 4 Acct: 26/0/0 -> 26
------------------------------------------------------------------------
Looks good! Seems the interaction between RadiusNT and the Emerald SQL
database is happening OK?

When trying to log in as user/password testtwo/testtwo however, Radius
doesn't authenticate the user (though it seems to recognize that it is
supposed to be using the NT SAM to do so). Here is the screen output
from RadiusNT:
------------------------------------------------------------------------
SQL Statement: Select DateAdd(Day, (ma.extension + ma.overdue), maExpireDate), DateAdd(Day, sa.extension, saExpireDate), sa.AccountID, sa.AccountType, sa.Password, sa.Login, sa.Shell From MasterAccounts ma, SubAccounts sa Where (sa.Login='testtwo' or sa.Shell='testtwo') AND ma.CustomerID=sa.CustomerID and sa.Active<>0 and ma.Active<>0

Decrypted Password: testtwo
Database Password: WINNT
(WINNT) User:testtwo Domain: Password:testtwo
Sending Reject of id 1 to 7f000001 (localhost)
LOG: User: testtwo Not found

User: testtwo Not found

SQL Statement: INSERT INTO RadLogs(RadLogMsgID, LogDate, UserName, Data) VALUES (10, GetDate(), 'testtwo', 'testtwo')

ODBC: SQLExecDirect Error:
[Microsoft][ODBC SQL Server Driver][SQL Server]INSERT statement conflicted with COLUMN FOREIGN KEY constraint 'FK__RadLogs__RadLogM__1E1A7EA3'. The conflict occurred in datab

Resp Time: 591 Auth: 1/1 -> 2 Acct: 26/0/0 -> 26
------------------------------------------------------------------------
Besides not authenticating the user, there also seems to be some problem
with what Radius is trying to enter into the Emerald RadLogs table. I'd
appreciate info on this problem too.

Basically, the same thing happens when trying to login as user/password
testthree/testthree except that the (WINNT) line also contains the
domain name (i.e.: (WINNT) User:testthree Domain:OLY
Password:testthree). Again, RadiusNT seems to recognize that it is
supposed to be using the SAM for authentication but something's not
happening.

I realize there is the option of authentication in text mode but prefer
not to do this as the ODBC capabilities are why we bought this software
in the first place.

Tech support mentioned that I might try installing RadiusNT on a domain
controller but nothing is mentioned in the docs or other info on the web
site about this being necessary and we prefer to keep our domain
controllers free of extra processes.

What have I missed?

Michael Bradley
Computer Support Technician
WSU Energy Program
"Energy Information you can use."
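
Added example, not part of the original post and not RadiusNT or Emerald code: the -x15 debug output quoted above prints the submitted password in clear on the "Decrypted Password" and "(WINNT)" lines, so an excerpt should be masked before it is shared. This Python code masks those fields and lists the outcome of each request handed to the SAM; the function names and the sample lines are constructed here from the line formats shown in the post.

```python
import re

SAM_LINE = re.compile(r"^\(WINNT\) User:(\S*) Domain:(\S*) Password:(.*)$")
PW_LINE = re.compile(r"^(Decrypted|Database) Password: (.*)$")
REPLY = re.compile(r"^Sending (Ack|Reject) of id \d+ to ")
SAM_MARKER = re.compile(r"WINNT(\\\S+)?")  # "WINNT" or "WINNT\DOMAIN"
MASK = "[REDACTED]"

# Constructed sample in the line formats shown in the post (not a real capture).
SAMPLE = """\
Decrypted Password: testone
Database Password: testone
Sending Ack of id 1 to 7f000001 (localhost)
Decrypted Password: testtwo
Database Password: WINNT
(WINNT) User:testtwo Domain: Password:testtwo
Sending Reject of id 2 to 7f000001 (localhost)
(WINNT) User:testthree Domain:OLY Password:testthree
Sending Reject of id 3 to 7f000001 (localhost)
"""

def redact(text):
    """Mask password values; keep the WINNT marker, which is not a secret."""
    out = []
    for line in text.splitlines():
        sam, pw = SAM_LINE.match(line), PW_LINE.match(line)
        if sam:
            line = f"(WINNT) User:{sam[1]} Domain:{sam[2]} Password:{MASK}"
        elif pw and not (pw[1] == "Database" and SAM_MARKER.fullmatch(pw[2])):
            line = f"{pw[1]} Password: {MASK}"
        out.append(line)
    return "\n".join(out)

def sam_attempts(text):
    """Return (user, domain, outcome) for each request handed to the SAM."""
    attempts, pending = [], None
    for line in text.splitlines():
        sam, reply = SAM_LINE.match(line), REPLY.match(line)
        if sam:
            pending = (sam[1], sam[2])
        elif reply:
            if pending:
                attempts.append((pending[0], pending[1], reply[1]))
            pending = None  # an Ack/Reject closes the current request
    return attempts

if __name__ == "__main__":
    print(redact(SAMPLE))
    print(sam_attempts(SAMPLE))
```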