CE Authenticating with NTLM on Windows 2003 Server

paulomv
Level 1

Hi all,

I have a CE-510 running ACNS Version 5.2.3 and I'm having difficulties on authenticating http requests from users via NTLM using group access-lists on a Windows 2003 Server Active Directory.

If I have access-lists disabled, I can authenticate with success the users that are trying to access web sites.

When I turn the access-lists on, even with a single ACL permitting any groupname, the authentication is refused by the CE because it couldn't retrieve the group memberships from the server, despite having authenticated the user before.

Here is the part of the syslog where I get the error:

http_authmod: authenticate_request(0): user - administrator, password = ****
http_authmod: http_authmod.c:1860:
http_authmod: authenticate_request(0): ntlm server is enabled user: administrator
http_authmod: http_authmod.c:552:
http_authmod: get_domain_username(): domain = (null), user = administrator
http_authmod: http_authmod.c:2704:
http_authmod: Acquring the next server
http_authmod: http_authmod.c:2774:
http_authmod: get_ntlm_server() Got an alive ntlm server wpt15.lab.nowhere.com addr 192.168.1.1
http_authmod: http_authmod.c:617:
http_authmod: open_smb: connect to DC using domain: lab
http_authmod: valid.c:49:
http_authmod: Try to connect to server wpt15.lab.nowhere.com, addr = 192.168.1.1, timeout =5, retry_cnt = 2
http_authmod: valid.c:99:
http_authmod: now calling SMB_Negotiate...
http_authmod: valid.c:118:
http_authmod: Negotiated SMB Protocol "NT LM 0.12" with Domain Controller "wpt15.lab.nowhere.com" for domain "lab"
http_authmod: http_authmod.c:552:
http_authmod: get_domain_username(): domain = (null), user = administrator
http_authmod: http_authmod.c:768:
http_authmod: query_smb: Default domain configured : "lab"
http_authmod: http_authmod.c:771:
http_authmod: query_smb: call NTLM_auth with domain: "lab" Domain list enable: 0
http_authmod: valid.c:181:
http_authmod: SMB Logon for user administrator domain lab (service \\wpt15\IPC$)
http_authmod: valid.c:203:
http_authmod: SMB Logon for user administrator successful (status 0)
http_authmod: valid.c:209:
http_authmod: Group Membership lookup for user administrator failed - return code 2, status 1
http_authmod: valid.c:230:
http_authmod: Disconnect
http_authmod: http_authmod.c:848:
http_authmod: Failed to authenticate user administrator using SMB due to Invalid Password
http_authmod: %CE-AUTHMOD-3-540047: ***NTLM: query_smb: Invalid Password; Samba failed to authenticate user administrator domain lab

Before the group membership retrieval, the user is already authenticated but when the CE tries to get the groups it fails.

Does anyone have a running installation with this? I have already installed using Windows 2000 Server AD and didn't have this problem.

Thanks in advance

Paulo Vasconcelos
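The log above is easy to misread: the final "Invalid Password" message is emitted even though the SMB logon itself succeeded, and the real failure is the group-membership lookup. The following triage script is an added example, not part of the thread or of ACNS; it folds http_authmod lines into one record per user and separates a genuine credential failure from the "logon OK, group lookup failed" pattern, so an operator does not start resetting passwords or suspecting brute-force when the problem is on the domain-controller side. The message shapes are taken from the quoted syslog; the record fields, the verdict names and the second, bad-password sample are this example's own constructions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample input: the relevant lines of the CE-510 syslog quoted in the
# post above, with the "http_authmod.c:NNN:" / "valid.c:NNN:" marker lines left out.
SAMPLE_LOG = r"""
http_authmod: authenticate_request(0): user - administrator, password = ****
http_authmod: Negotiated SMB Protocol "NT LM 0.12" with Domain Controller "wpt15.lab.nowhere.com" for domain "lab"
http_authmod: SMB Logon for user administrator domain lab (service \\wpt15\IPC$)
http_authmod: SMB Logon for user administrator successful (status 0)
http_authmod: Group Membership lookup for user administrator failed - return code 2, status 1
http_authmod: Disconnect
http_authmod: Failed to authenticate user administrator using SMB due to Invalid Password
http_authmod: %CE-AUTHMOD-3-540047: ***NTLM: query_smb: Invalid Password; Samba failed to authenticate user administrator domain lab
"""

# Constructed contrast case (not from the thread): a plain wrong password, where no
# "SMB Logon ... successful" line ever appears before the final failure.
BAD_PASSWORD_LOG = """
http_authmod: authenticate_request(0): user - jdoe, password = ****
http_authmod: Failed to authenticate user jdoe using SMB due to Invalid Password
"""

# Message shapes copied from the quoted log; the group names are this example's own.
RE_REQUEST = re.compile(r"authenticate_request\(\d+\): user - (?P<user>[^\s,]+)")
RE_NEGOTIATED = re.compile(
    r'Negotiated SMB Protocol "(?P<proto>[^"]+)" with Domain Controller '
    r'"(?P<dc>[^"]+)" for domain "(?P<domain>[^"]+)"')
RE_LOGON_OK = re.compile(r"SMB Logon for user (?P<user>\S+) successful \(status (?P<status>\d+)\)")
RE_GROUP_FAIL = re.compile(
    r"Group Membership lookup for user (?P<user>\S+) failed - "
    r"return code (?P<rc>\d+), status (?P<status>\d+)")
RE_FINAL_FAIL = re.compile(r"Failed to authenticate user (?P<user>\S+) using SMB due to (?P<reason>.+)$")


@dataclass
class AuthAttempt:
    """One user's authentication attempt as reconstructed from http_authmod lines (hypothetical record type)."""
    user: str
    dc: Optional[str] = None
    domain: Optional[str] = None
    protocol: Optional[str] = None
    logon_ok: bool = False
    group_lookup_rc: Optional[int] = None
    group_lookup_status: Optional[int] = None
    final_reason: Optional[str] = None


def parse_authmod_log(text: str) -> Dict[str, AuthAttempt]:
    """Fold http_authmod lines into one AuthAttempt per user name."""
    attempts: Dict[str, AuthAttempt] = {}
    current: Optional[AuthAttempt] = None  # the Negotiated line names no user, so attach it to the current one
    for line in text.strip().splitlines():
        if (m := RE_REQUEST.search(line)):
            current = attempts.setdefault(m["user"], AuthAttempt(user=m["user"]))
        elif (m := RE_NEGOTIATED.search(line)) and current is not None:
            current.protocol, current.dc, current.domain = m["proto"], m["dc"], m["domain"]
        elif (m := RE_LOGON_OK.search(line)):
            a = attempts.setdefault(m["user"], AuthAttempt(user=m["user"]))
            a.logon_ok = m["status"] == "0"
        elif (m := RE_GROUP_FAIL.search(line)):
            a = attempts.setdefault(m["user"], AuthAttempt(user=m["user"]))
            a.group_lookup_rc = int(m["rc"])
            a.group_lookup_status = int(m["status"])
        elif (m := RE_FINAL_FAIL.search(line)):
            a = attempts.setdefault(m["user"], AuthAttempt(user=m["user"]))
            a.final_reason = m["reason"].strip()
    return attempts


def classify(a: AuthAttempt) -> str:
    """Tell a real credential failure apart from the group-lookup failure seen in the thread."""
    if a.final_reason is None:
        return "ok" if a.logon_ok else "incomplete"
    if a.logon_ok and a.group_lookup_rc is not None:
        # The DC accepted the credentials; only the group-membership query failed.
        # The trailing "Invalid Password" is therefore misleading and the cause is on
        # the DC side (in this thread: an SMB-signing requirement on the 2003 DC).
        return "group_lookup_failure"
    return "credential_failure"


if __name__ == "__main__":
    for sample in (SAMPLE_LOG, BAD_PASSWORD_LOG):
        for user, attempt in parse_authmod_log(sample).items():
            print(f"{user}: {classify(attempt)} (dc={attempt.dc}, domain={attempt.domain}, "
                  f"group_lookup_rc={attempt.group_lookup_rc}, reason={attempt.final_reason})")
```

Run it on a saved syslog excerpt instead of the embedded sample to get one verdict per user; a burst of "credential_failure" verdicts is worth the usual bad-password follow-up, while "group_lookup_failure" points at the DC configuration rather than at the account.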

7 Replies

seilsz
Level 4

Paulo,

ACNS uses NTLM version 1, while Windows 2003 defaults to using NTLM version 2. If your ACNS configuration works under Win2k, I suspect this may be your issue.

You will need to configure your server to access/respond to NTLMv1 requests.

~Zach

Hi Zach,

I thought about that too and configured the Windows 2003 Server under the Security Policy to accept LM & NTLM requests (There is an option to accept only NTLM v2 requests).

Prior to my test this feature was disabled, so I don't know which is the default.

After changing this to accept LM & NTLM requests so it would accept NTLM v1, the result is unfortunately the same.

I changed this feature under Local Security Policy and Security Policy. Is there any other place I have to configure in the server?

Ok ...

I'm not sure about the server configuration part. Is the 2003 server the same server you had Win2k working on, just upgraded?

From the debug, it almost seems like the 'administrator' account doesn't belong to any groups. Can you confirm that?

Can you capture a sniffer trace of the failed authentication request?

~Zach

Hi Zach,

This server is a fresh install we made at the lab. The client also has a fresh install of Windows 2003 Server and a working Active Directory. They had a 2K Domain Controller before, but they didn't have the CE to test.

Where I was able to get NTLM working was at another client who had a Windows 2K box as Domain Controller.

About the Administrator not belonging to any group: that's what it makes you think, but that's false. The administrator user, above all, is at least a member of one group.

I checked and Administrator belongs to Administrators, Domain Users and others.

With my access-list as permit any, it must only belong to any group, and that is true.

The problem must be in the Active Directory letting you pull the group list.

The client reported to me that they have an application that works with LDAP that used to be able to pull the group list on the previous 2K box, but in this one he is unable.

I'll capture some traffic and update this thread.

Thanks,

Paulo

Just finished the packet trace.

I have it in attachment.

What I can read from that is that when the CE sends the NetUserGetGroups request to the Active Directory, it gets an access denied from the Active Directory Server.

That means that the problem must be in the Server. Some kind of parameter I have to set.

On the internet I searched for that and found out that NetUserGetGroups does not support nested groups.

Can this be the reason? If so, do you have any idea how to handle this?

Thanks

Hi Paulo,

Thanks for the trace -- very helpful.

This looks like a problem with SMB Signing on the 2003 server, which is not yet supported by ACNS. An enhancement request has already been filed -- see bug id CSCeg13139.

In the meantime, the only workaround for Windows 2003 is to disable SMB Signing. You can find more information here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;887429

~Zach

Hi Zach,

Solved the problem!

Thank You very much.

Paulo Vasconcelos
