RE: FW: NT SAM authentication

Morris, Scott A.
Tue, 31 Mar 1998 23:10:49 -0500

Doesn't this just require 'Log On Locally' on the machine that is running

If that is the case, create a group. Give the group the required privs and
put users into the group as needed.

Granted the Account Admin group has the required privs and then some, but
dial up users do not need to be Account Admin. This is a security risk.

-----Original Message-----
From: NORO Hideo
Sent: Tuesday, March 31, 1998 9:32 PM
Subject: Re: FW: NT SAM authentication


Michael Bradley wrote:

> Thanks to Mr. Hideo for the advice, however making my test users members
> of the local Account Operators and/or Administrators groups did not
> solve my problem. I'm getting the exact same results I described in my
> earlier post. Any other ideas out there? Are people who are
> successfully authenticating via the NT SAM running RadiusNT on servers
> that are domain controllers? I am willing to start over on my RadiusNT
> server and make it a backup domain controller if that will get me NT
> authentication, but I'd like to hear from experienced users (or Dale?)
> that this will work (or at least is likely to) before I go to the
> trouble.

Let me tell you my situation:

RadiusNT is running on Windows NT 4.0 Server (SP3).
The machine is the primary domain controller.
The ISDN dial-up router box is a RADIUS client (NAS).

RadiusNT is running in "Text Files" mode.

"users" file contains DEFAULT user entry whose password is "WINNT\DOMAIN".

And user "foo" exists in an NT domain "DOMAIN".
User "foo" is a member of "Domain Users" group.

In this situation, I first tried to authenticate user "foo", but it failed.
So I added "foo" to the "Account Operators" group, and then it succeeded.

> Also, how can I tell if RadiusNT is even talking to the SAM at all? I
> tried logging in via Radius as one of my test users using a bogus
> password several times on the hunch that NT would then disable the user
> account (as it does after multiple failed login attempts of a standard
> NT user) but found that the account was not disabled by NT--leading me
> to conclude that the SAM is not receiving authentication requests from
> RadiusNT at all. Is this a valid conclusion based on this experiment?
> Is there something I need to do in RadiusNT Administrator or the ODBC
> control panel on my Radius server machine to tell it specifically to
> talk to the SAM?

To check the authentication process, you can run RadiusNT with the "-x15" option.
And "radlogin.exe" would be helpful.

To use radlogin.exe, you have to register the radius/udp service in
C:\winnt\system32\drivers\etc\services, and set up the "servers" file in
the RadiusNT data directory.

I hope this will be helpful.

Good Day!

NORO Hideo

RadiusNT Mailing List