13 Replies Latest reply: May 29, 2012 7:36 PM by rkovelman
dzilla Level 1

I have Lion Server 10.7.4 setup on a Mac Mini and I have enabled the VPN service for both L2TP and PPTP. The Mac Mini is joined to my Windows Domain at a functional level of Server 2008 R2. I have set the authentication paths to point to my domain in Directory Utility.


What I would like to have happen is for my laptop to be able to VPN into my office network remotely using domain credentials and not local account credentials on the Mac Mini itself. This is a process I have done numerous times on Windows boxes, but for some reason the only way I can get the VPN to work on this instance of Lion Server 10.7.4 is by authenticating using local accounts only.


Does Lion Server 10.7.4 only authenticate VPN users based on its local account schema? Or can it truly authenticate against an Active Directory domain?


Any suggestions or help is greatly appreciated. Thanks,

  • g_pirtle Level 1

    Download Server Tools for 10.7.4 if you haven't already done so. Open the Server Admin tool and click the Access icon. You can use the Access tab to add Active Directory users to the list of allowed users for certain services, including VPN access. Click the radio button for "For Selected Services" below, select VPN, click the radio button for "Allow only users and groups below", and click the + to add Active Directory users.


    I still do not have them authenticating properly, but this does "allow" them.

  • dzilla Level 1

    Hi g_pirtle,


    Yes, I had already done that a few days ago. I was able to add the desired AD group to the allowed users/groups for the VPN service. That's exactly what is so weird about this: it allows me to search for and add an AD user or group to the list of allowed users/groups, but then when I actually try to use a domain account to authenticate to the VPN it just gives me the "cannot authenticate" error. Very strange.


    I wondered if for some reason Apple is only allowing local accounts to be authenticated against. Sounds crazy, but I cannot for the life of me get this to work. I also wondered if Kerberizing the server would help, but when I go to join a Kerberos realm in Open Directory inside of Server Admin, it just has no realm listed in the drop down menu.


    Other than that, all other aspects of the Mac Mini being joined to the AD domain seem to be good. I'm really stumped here...


    Thanks again,

  • g_pirtle Level 1

    So basically we are at the same place. I have tried Kerberizing services and some other tricks, but nothing is working. Log states CHAP authentication error for all AD accounts.


    All other AD authentication is working except for VPN usage.

  • g_pirtle Level 1

    http://support.apple.com/kb/HT4748?viewlocale=en_US&locale=en_US


    -Bullet Point #3-

    PPTP can only be used if you are managing network users or users connected to a directory server. Local user accounts can only be used with L2TP.

  • g_pirtle Level 1

    The way that is worded is very confusing. L2TP isn't limited to local user accounts; local user accounts can only be used with L2TP.

  • dzilla Level 1

    Wow, that is weird, and confusing like you said. I have seen other devices restrict certain services to local accounts in the past. One of them was a Snap Server running GuardianOS (Linux based). It integrated fine with AD, but for some reason they limited FTP to only authenticate using local accounts and not domain accounts. Why on earth would Apple limit the L2TP? It seems like PPTP would be more likely to be restricted like that, since it's older and less secure.


    Guess we have no other options really but to wait for the next software update and hope for a fix. If you find anything else out, let me know. Thanks a ton g_pirtle.

  • g_pirtle Level 1

    System log shows "CHAP authentication failed" and this authentication method is not supported by Active Directory. Is there any way to enable MS-CHAP? Maybe editing a config file or plist...


    Never mind, the info sheet for Lion Server VPN says it uses MS-CHAP. Any idea if CHAP and MS-CHAP are the same?

  • g_pirtle Level 1

    I used the plist editor in the Xcode tools to view com.apple.RemoteAccessServer.plist and I tinkered a little. I still did not get anything working (nothing looked promising, so I wasn't expecting it to).


    Authentication is still failing. I tried setting up NPS on the Server 2008 R2 domain controller, but it didn't do much good either.


    I did verify it is using MS-CHAPv2.

  • dzilla Level 1

    Hmm. So strange. I ended up just using a little dual core Atom mini-ITX board in a barebones case with Server 2008 R2 for the VPN in place of the Mac Mini. I REALLY wish they would have made the AD integration tighter with Lion.


    I was actually thinking of implementing NPS as well prior to switching, but it looks like it wouldn't have gotten me anywhere really.


    I'll just use the Mac Mini for all of the other features and not VPN. Have you played around with the Profile Manager for provisioning iPhones and iPads?

  • g_pirtle Level 1

    I haven't gotten that far yet. I'm working on getting some core features working before moving on to the fun stuff. I looked through it in the Server app, but haven't dug too deep yet.


    I'm a Windows domain administrator (25 datacenter servers, 72 branch office servers, and 650 workstations) and my Mac OS X projects are side projects.

  • dzilla Level 1

    Cool, me too. 42 Servers, 260 workstations. Let's keep posting here if we find anything else out.

  • g_pirtle Level 1

    Check my profile for my email address if you want to contact me about other issues or non-Apple issues.

  • rkovelman Level 2

    I have been playing with the VPN service for some time today and let's just say 10.6 and 10.7 VPN and OD do not play nice together. It seems like there needs to be an account in the directory for the VPN "master user". If this does not exist then PPTP does not work. L2TP seems to work with network accounts, although the Apple documentation is limited to say the least. I have also seen where the configuration of either service needs to be done through Terminal. What I also gathered was the VPN service needs to be run on a 10.7 server that is either the OD master or a replica that also has 10.7.


    It also seems that from 10.7.2 to 10.7.4 much has changed in the way of the VPN service and configuration. I am not a happy camper with this! Hopefully this helps you a bit?