Re: FW: NT SAM authentication

NORO Hideo ( norop@xpc.canon.co.jp )
Wed, 01 Apr 1998 11:32:12 +0900

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Previous message: Dale E. Reed Jr.: "Re: Radius 2.2.41 45 day trial"
Next message: Shakir Vohra: "Re: RadiusNT does'nt send password retry window on client computer"

Hello,

In Message-ID: <32BFA4EACB99D1119D110020AFD209CE040448@ems02.energy.wsu.edu>
Michael Bradley <BradleyM@energy.wsu.edu> wrote :

> Thanks to Mr. Hideo for the advice, however making my test users
> members
> of the local Account Operators and/or Administrators groups did not
> solve my problem. I'm getting the exact same results I described in
> my
> earlier post. Any other ideas out there? Are people who are
> successfully authenticating via the NT SAM running RadiusNT on servers
> that are domain controllers? I am willing to start over on my
> RadiusNT
> server and make it a backup domain controller if that will get me NT
> SAM
> athentication, but I'd like to hear from experienced users (or Dale?)
> that this will work (or at least is likely to) before I go to the
> trouble.

Let me tell my situation;

RadiusNT is running on WindowsNT 4.0 Server (SP3).
The machine is the primary domain controler.
ISDN Dialup router box is a radius client(NAS).

RadiusNT is running in "Text Files" mode.

"users" file contains DEFAULT user entry whose password is "WINNT\DOMAIN".

And user "foo" exists in an NT domain "DOMAIN".
User "foo" is a member of "Domain Users" group.

In this situation, I first try to authenticate user "foo", but failed.
So I added "foo" in the "Account Operators" group, then succeeded.

> Also, how can I tell if RadiuNT is even talking to the SAM at all? I
> tried logging in via Radius as one of my test users using a bogus
> password several
> times on the hunch that NT would then disable the user account (as it
> does after multiple failed login attempts of a standard NT user) but
> found that the account was not disabled by NT--leading me to conclude
> that the SAM is not receiving authentication requests from RadiusNT at
> all. Is this a valid conclusion based on this experiment? Is there
> something I need to do in RadiuNT Administrator or the ODBC control
> panel on my Radius server machine to tell it specifically to talk to
> the
> SAM?

To check authentication process, you can run RadiusNT with "-x15" option.
And "radlogin.exe" would be helpful.

To use radlogin.exe, you have to register radius/udp service in
C:\winnt\system32\drivers\etc\services, and setup "servers" file in
the RadiusNT data directory.

I hope this would be helpful.

Good Day!

NORO Hideo
norop@xpc.canon.co.jp

Previous message: Dale E. Reed Jr.: "Re: Radius 2.2.41 45 day trial"
Next message: Shakir Vohra: "Re: RadiusNT does'nt send password retry window on client computer"