AD Users can't access VPN services

428 Views 2 Replies Latest reply: Jan 22, 2013 5:01 PM by tschlichter
brianw815
Jan 11, 2013 11:34 AM

I have a Mac Mini server running 10.8.2 Mountain Lion (with ML server). The server is joined to our local AD domain.  Users and Groups appear as they should in and the VPN checkbox in available services is checked. However, only locally-created accounts are able to authenticate and use the server's VPN service. A look at the Console shows that MS_CHAP fails when these users try to use VPN from their Macs.


Also, next to some AD users and groups are the phrases "Not allowed" and "Allowed." What exactly does this reference? Is this somehow tied to the VPN issue?

OS X Server
  • mitchmonkey
    Jan 16, 2013 8:00 PM (in response to brianw815)

    I have exactly the same problem.

    Local users can create a VPN connection.  At that point any user, including "local-networked" users, can authenticate and see their appropriate files.

    The workaround that I can use is to create a "local user" called VPN Access.  Allow the users to access the VPN through this user and then "Connect to Server" under the user's name.


    Not ideal... but..

  • tschlichter
    Jan 22, 2013 5:01 PM (in response to brianw815)

    I also have encountered this problem.  The frustrating thing is that OD users cannot log in either; only local accounts created on the server itself are logging in.  In Lion Server you could import AD or OD users, aka Users from Another Directory; in Mountain Lion Server this doesn't seem to exist anymore.


    However, I can answer the second part of your question.  'Not Allowed' or 'Allowed' is in reference to the user's access to services.  So any user that you have allowed to access the VPN or File Sharing on that server is 'Allowed'.  By default all AD users are 'Not Allowed'.  Conversely, OD users or 'Local Network Users' have all services turned on by default at the time of their creation.  This access / denial of services is referred to as SACLs, or Service Access Control Lists.


    I am going to play around with this some more; if I find a solution I'll post it here.

