
Lion Server 10.7.4 VPN service not using my Active Directory domain for authentication

I have Lion Server 10.7.4 setup on a Mac Mini and I have enabled the VPN service for both L2TP and PPTP. The Mac Mini is joined to my Windows Domain at a functional level of Server 2008 R2. I have set the authentication paths to point to my domain in Directory Utility.


What I would like to have happen is for my laptop to be able to VPN into my office network remotely using domain credentials and not local account credentials on the Mac Mini itself. This is a process I have done numerous times on Windows boxes, but for some reason the only way I can get the VPN to work on this instance of Lion Server 10.7.4 is by authenticating using local accounts only.


Does Lion Server 10.7.4 only authenticate VPN users based on its local account schema? Or can it truly authenticate against an Active Directory domain?


Any suggestions or help is greatly appreciated. Thanks,

Posted on May 21, 2012 3:26 PM

13 replies

May 25, 2012 7:14 AM in response to dzilla

Download Server Tools for 10.7.4 if you haven't already done so. Open the Server Admin tool and click the Access icon. You can use the Access tab to add Active Directory users to the list of allowed users for certain services, including VPN access. Click the radio button for "For Selected Services" below, select VPN, click the radio button for "Allow only users and groups below", and click the + to add Active Directory users.


I still do not have them authenticating properly, but this does "allow" them.

May 25, 2012 8:44 AM in response to g_pirtle

Hi g_pirtle,


Yes, I had already done that a few days ago. I was able to add the desired AD group to the allowed users/groups for the VPN service. That's exactly what is so weird about this: it allows me to search for and add an AD user or group to the list of allowed users/groups, but then when I actually try to use a domain account to authenticate to the VPN it just gives me the "cannot authenticate" error. Very strange.


I wondered if for some reason Apple is only allowing local accounts to be authenticated against. Sounds crazy, but I cannot for the life of me get this to work. I also wondered if Kerberizing the server would help, but when I go to join a Kerberos realm in Open Directory inside of Server Admin, it just has no realm listed in the drop down menu.


Other than that, all other aspects of the Mac Mini being joined to the AD domain seems to be good. I'm really stumped here...


Thanks again,

May 25, 2012 12:26 PM in response to g_pirtle

Wow, that is weird, and confusing like you said. I have seen other devices restrict certain services to local accounts in the past. One of them was a Snap Server running GuardianOS (Linux based). It integrated fine with AD, but for some reason they limited FTP to only authenticate using local accounts and not domain accounts. Why on earth would Apple limit the L2TP? It seems like PPTP would be more likely to be restricted like that, since it's older and less secure.


Guess we have no other options really but to wait for the next software update and hope for a fix. If you find anything else out, let me know. Thanks a ton g_pirtle.

May 29, 2012 4:03 PM in response to dzilla

I used the plist editor in Xcode tools to view com.apple.RemoteAccessServer.plist and I tinkered a little. I still did not get anything working (nothing looked promising, so I wasn't expecting it to).


Authentication is still failing. I tried setting up NPS on the Server 2008 R2 domain controller, but it didn't do much good either.


I did verify it is using MS-CHAPv2

May 29, 2012 4:13 PM in response to g_pirtle

Hmm. So strange. I ended up just using a little dual core Atom mini-ITX board in a barebones case with Server 2008 R2 for the VPN in place of the Mac Mini. I REALLY wish they would have made the AD integration tighter with Lion.


I was actually thinking of implementing NPS as well prior to switching but looks like it wouldn't have got me anywhere really.


I'll just use the Mac Mini for all of the other features and not VPN. Have you played around with the Profile Manager for provisioning iPhones and iPads?

May 29, 2012 5:16 PM in response to dzilla

I haven't gotten that far yet. I'm working on getting some core features working before moving on to the fun stuff. I looked through it in the Server app, but haven't dug too deep yet.


I'm a Windows domain administrator (25 datacenter servers, 72 branch office servers, and 650 workstations) and my Mac OS X projects are side projects.

May 29, 2012 7:36 PM in response to dzilla

I have been playing with the VPN service for some time today and let's just say 10.6 and 10.7 VPN and OD do not play nice together. It seems like there needs to be an account in the directory for the VPN "master user". If this does not exist then PPTP does not work. L2TP seems to work with network accounts, although the Apple documentation is limited to say the least. I have also seen where the configuration of either service needs to be done through Terminal. What I also gathered was that the VPN service needs to be run on a 10.7 server that is either the OD master or a replica that is also on 10.7.


It also seems that from 10.7.2 to 10.7.4 much has changed in the way of the VPN service and configuration. I am not a happy camper with this! Hopefully this helps you a bit?
