
Use Active Directory to Authenticate to OS X Server VPN

I have a Windows 2008r2 Small Business Server that I use primarily, but I have to integrate with services on my Mac Mini OS X Server.

First off, I have all updates loaded and everything runs great between both servers. My OS X server does not have Open Directory running; only services such as FTP, VPN, and File Sharing. I have joined the server to Active Directory and can log into the server as an Active Directory user. I have even assigned the rights to log on to that server with my AD credentials and be an admin. I know that everything is working fine between the 2 servers and I am pretty happy with the way it is working.

My challenge deals with authenticating to these services; specifically VPN, on the OS X server with Active Directory credentials.

When I open the server app, I go to the users section and then I change it from "local users" to "Users from 'domain.'"

Next, I select the account that I am trying to allow access to the VPN services and select it in the check mark area.

I try to log into the VPN and continually get an authentication error.

I have tried the following combinations for the login:

domain\user.name

domain.local\user.name

user.name

user.name@domain

user.name@domain.local

None of these authentication attempts are successful.

I have successfully authenticated with a local user account that I created on the OS X server and it works flawlessly.

Has anyone ever attempted this? Has anyone ever had any success with this? I have been spinning my tires on this for 3 weeks and have finally given up and have to ask for help.

I appreciate anyone's feedback.

mini os x server, Mac OS X (10.6.6), mac mini server

Posted on Jul 16, 2013 6:50 PM


Jul 16, 2013 7:04 PM in response to matneyc

Here are the logs from the VPN:

2013-07-16 21:34:27 EDT Incoming call... Address given to client = 10.1.1.239
Tue Jul 16 21:34:28 2013 : Directory Services Authentication plugin initialized
Tue Jul 16 21:34:28 2013 : Directory Services Authorization plugin initialized
Tue Jul 16 21:34:28 2013 : L2TP incoming call in progress from '10.1.1.109'...
Tue Jul 16 21:34:28 2013 : L2TP received SCCRQ
Tue Jul 16 21:34:28 2013 : L2TP sent SCCRP
Tue Jul 16 21:34:28 2013 : L2TP received SCCCN
Tue Jul 16 21:34:28 2013 : L2TP received ICRQ
Tue Jul 16 21:34:28 2013 : L2TP sent ICRP
Tue Jul 16 21:34:28 2013 : L2TP received ICCN
Tue Jul 16 21:34:28 2013 : L2TP connection established.
Tue Jul 16 21:34:28 2013 : using link 0
Tue Jul 16 21:34:28 2013 : Using interface ppp0
Tue Jul 16 21:34:28 2013 : Connect: ppp0 <--> socket[34:18]
Tue Jul 16 21:34:28 2013 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5cfaeea3> <pcomp> <accomp>]
Tue Jul 16 21:34:28 2013 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x3bc2c206> <pcomp> <accomp>]
Tue Jul 16 21:34:28 2013 : lcp_reqci: returning CONFACK.
Tue Jul 16 21:34:28 2013 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x3bc2c206> <pcomp> <accomp>]
Tue Jul 16 21:34:28 2013 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5cfaeea3> <pcomp> <accomp>]
Tue Jul 16 21:34:28 2013 : sent [LCP EchoReq id=0x0 magic=0x5cfaeea3]
Tue Jul 16 21:34:28 2013 : sent [CHAP Challenge id=0x13 <383c1e31771b0a01792e0641000f276d>, name = "server1.domain.com"]
Tue Jul 16 21:34:28 2013 : rcvd [LCP EchoReq id=0x0 magic=0x3bc2c206]
Tue Jul 16 21:34:28 2013 : sent [LCP EchoRep id=0x0 magic=0x5cfaeea3]
Tue Jul 16 21:34:28 2013 : rcvd [LCP EchoRep id=0x0 magic=0x3bc2c206]
Tue Jul 16 21:34:28 2013 : rcvd [CHAP Response id=0x13 <a0e50b12fa32987f381f6da91f750be60000000000000000bc6d3cd3dc4b5da3b4b624538742f5e42b8442e12c80124400>, name = "domain.local\\\\user.name"]
Tue Jul 16 21:34:28 2013 : sent [CHAP Failure id=0x13 ""]
Tue Jul 16 21:34:28 2013 : CHAP peer authentication failed for domain.local\\\\user.name
Tue Jul 16 21:34:28 2013 : sent [LCP TermReq id=0x2 "Authentication failed"]
Tue Jul 16 21:34:28 2013 : Connection terminated.
Tue Jul 16 21:34:28 2013 : L2TP disconnecting...
Tue Jul 16 21:34:28 2013 : L2TP sent CDN
Tue Jul 16 21:34:28 2013 : L2TP sent StopCCN
Tue Jul 16 21:34:28 2013 : L2TP disconnected
2013-07-16 21:34:28 EDT --> Client with address = 10.1.1.239 has hungup

Jul 16, 2013 7:43 PM in response to matneyc

Here is a properly connected client

2013-07-16 22:37:27 EDT Incoming call... Address given to client = 10.1.1.231
Tue Jul 16 22:37:27 2013 : Directory Services Authentication plugin initialized
Tue Jul 16 22:37:27 2013 : Directory Services Authorization plugin initialized
Tue Jul 16 22:37:27 2013 : L2TP incoming call in progress from '10.1.1.109'...
Tue Jul 16 22:37:27 2013 : L2TP received SCCRQ
Tue Jul 16 22:37:27 2013 : L2TP sent SCCRP
Tue Jul 16 22:37:27 2013 : L2TP received SCCCN
Tue Jul 16 22:37:27 2013 : L2TP received ICRQ
Tue Jul 16 22:37:27 2013 : L2TP sent ICRP
Tue Jul 16 22:37:27 2013 : L2TP received ICCN
Tue Jul 16 22:37:27 2013 : L2TP connection established.
Tue Jul 16 22:37:27 2013 : using link 0
Tue Jul 16 22:37:27 2013 : Using interface ppp0
Tue Jul 16 22:37:27 2013 : Connect: ppp0 <--> socket[34:18]
Tue Jul 16 22:37:27 2013 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x51bcd2b8> <pcomp> <accomp>]
Tue Jul 16 22:37:27 2013 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x2a2e6968> <pcomp> <accomp>]
Tue Jul 16 22:37:27 2013 : lcp_reqci: returning CONFACK.
Tue Jul 16 22:37:27 2013 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x2a2e6968> <pcomp> <accomp>]
Tue Jul 16 22:37:27 2013 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x51bcd2b8> <pcomp> <accomp>]
Tue Jul 16 22:37:27 2013 : sent [LCP EchoReq id=0x0 magic=0x51bcd2b8]
Tue Jul 16 22:37:27 2013 : sent [CHAP Challenge id=0x99 <25530231620a2a32144123670735585d>, name = "server1.domain.com"]
Tue Jul 16 22:37:27 2013 : rcvd [LCP EchoReq id=0x0 magic=0x2a2e6968]
Tue Jul 16 22:37:27 2013 : sent [LCP EchoRep id=0x0 magic=0x51bcd2b8]
Tue Jul 16 22:37:27 2013 : rcvd [LCP EchoRep id=0x0 magic=0x2a2e6968]
Tue Jul 16 22:37:27 2013 : rcvd [CHAP Response id=0x99 <e05bcc591f50471f1db5dc92e30eda800000000000000000799cfb93fa3a0b70d15a018b1b1db99877e05463f540e54400>, name = "localusername"]
Tue Jul 16 22:37:27 2013 : sent [CHAP Success id=0x99 "S=D079042B80380C3806A1EAE231CAE53074ED1F88 M=Access granted"]
Tue Jul 16 22:37:27 2013 : CHAP peer authentication succeeded for localusername
Tue Jul 16 22:37:27 2013 : DSAccessControl plugin: User 'localusername' authorized for access
Tue Jul 16 22:37:27 2013 : sent [IPCP ConfReq id=0x1 <addr 10.1.1.3>]
Tue Jul 16 22:37:27 2013 : sent [ACSCP ConfReq id=0x1]
Tue Jul 16 22:37:27 2013 : rcvd [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns3 0.0.0.0>]
Tue Jul 16 22:37:27 2013 : ipcp: returning Configure-NAK
Tue Jul 16 22:37:27 2013 : sent [IPCP ConfNak id=0x1 <addr 10.1.1.231> <ms-dns1 10.1.1.2> <ms-dns3 10.1.1.2>]
Tue Jul 16 22:37:27 2013 : rcvd [IPV6CP ConfReq id=0x1 <addr fe80::426c:8fff:fe0c:4d37>]
Tue Jul 16 22:37:27 2013 : Unsupported protocol 0x8057 received
Tue Jul 16 22:37:27 2013 : sent [LCP ProtRej id=0x2 80 57 01 01 00 0e 01 0a 42 6c 8f ff fe 0c 4d 37]
Tue Jul 16 22:37:27 2013 : rcvd [ACSCP ConfReq id=0x1 <route vers 16777216> <domain vers 16777216>]
Tue Jul 16 22:37:27 2013 : sent [ACSCP ConfAck id=0x1 <route vers 16777216> <domain vers 16777216>]
Tue Jul 16 22:37:27 2013 : rcvd [IPCP ConfAck id=0x1 <addr 10.1.1.3>]
Tue Jul 16 22:37:27 2013 : rcvd [ACSCP ConfAck id=0x1]
Tue Jul 16 22:37:27 2013 : sent [ACSP data <payload len 15, packet seq 0, CI_DOMAINS, flags: START END REQUIRE-ACK>
<domain: name mtg.local>]
Tue Jul 16 22:37:27 2013 : sent [ACSP data <payload len 12, packet seq 0, CI_ROUTES, flags: START END REQUIRE-ACK>
<route: address 10.1.1.1, mask 255.255.255.0, flags: PUBLIC>]
Tue Jul 16 22:37:27 2013 : rcvd [IPCP ConfReq id=0x2 <addr 10.1.1.231> <ms-dns1 10.1.1.2> <ms-dns3 10.1.1.2>]
Tue Jul 16 22:37:27 2013 : ipcp: returning Configure-ACK
Tue Jul 16 22:37:27 2013 : sent [IPCP ConfAck id=0x2 <addr 10.1.1.231> <ms-dns1 10.1.1.2> <ms-dns3 10.1.1.2>]
Tue Jul 16 22:37:27 2013 : ipcp: up
Tue Jul 16 22:37:27 2013 : found interface en0 for proxy arp
Tue Jul 16 22:37:27 2013 : local IP address 10.1.1.3
Tue Jul 16 22:37:27 2013 : remote IP address 10.1.1.231
Tue Jul 16 22:37:27 2013 : l2tp_wait_input: Address added. previous interface setting (name: en0, address: 10.1.1.3), current interface setting (name: ppp0, family: PPP, address: 10.1.1.3, subnet: 255.255.255.0, destination: 10.1.1.231).
Tue Jul 16 22:37:27 2013 : rcvd [ACSP data <payload len 0, packet seq 0, CI_DOMAINS, flags: ACK>]
Tue Jul 16 22:37:27 2013 : rcvd [ACSP data <payload len 0, packet seq 0, CI_ROUTES, flags: ACK>]
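Added example, not code from this thread or from Apple: a small Python triage script that groups pppd VPN log lines like the two sessions posted above into sessions, pulls out the name the client sent in its CHAP Response and the CHAP outcome, and separates the failing pattern (a domain-qualified name answered with CHAP Failure) from a local-user success followed by DSAccessControl authorization. The sample lines are constructed from the posts with the hex payloads shortened to "...", and the `Session`, `parse_sessions` and `triage` names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample, condensed from the two pppd sessions quoted above (hex
# payloads replaced with "..."): a failed domain-qualified login and a local one.
SAMPLE_LOG = r"""Tue Jul 16 21:34:28 2013 : L2TP connection established.
Tue Jul 16 21:34:28 2013 : rcvd [CHAP Response id=0x13 <...>, name = "domain.local\\user.name"]
Tue Jul 16 21:34:28 2013 : sent [CHAP Failure id=0x13 ""]
Tue Jul 16 22:37:27 2013 : L2TP connection established.
Tue Jul 16 22:37:27 2013 : rcvd [CHAP Response id=0x99 <...>, name = "localusername"]
Tue Jul 16 22:37:27 2013 : sent [CHAP Success id=0x99 "S=... M=Access granted"]
Tue Jul 16 22:37:27 2013 : DSAccessControl plugin: User 'localusername' authorized for access
"""

RESPONSE = re.compile(r'rcvd \[CHAP Response id=0x[0-9a-f]+ <[^>]*>, name = "([^"]*)"')
RESULT = re.compile(r"sent \[CHAP (Success|Failure) id=")
AUTHZ = re.compile(r"DSAccessControl plugin: User '([^']*)' authorized for access")

@dataclass
class Session:
    started: str              # pppd timestamp of 'L2TP connection established'
    peer_name: str = ""       # name the client sent in its CHAP Response
    chap_result: str = ""     # "Success", "Failure", or "" if none was logged
    authorized: bool = False  # DSAccessControl granted access after CHAP

def parse_sessions(text):
    # One Session per 'L2TP connection established'; later lines attach to it.
    sessions = []
    for raw in text.splitlines():
        stamp, _, msg = raw.partition(" : ")
        if msg.startswith("L2TP connection established"):
            sessions.append(Session(started=stamp))
        elif not sessions:
            continue
        elif m := RESPONSE.search(msg):
            sessions[-1].peer_name = m.group(1)
        elif m := RESULT.search(msg):
            sessions[-1].chap_result = m.group(1)
        elif m := AUTHZ.search(msg):
            sessions[-1].authorized = m.group(1) == sessions[-1].peer_name
    return sessions

def triage(s):
    # A backslash or '@' means the client sent a domain-qualified login name.
    qualified = "\\" in s.peer_name or "@" in s.peer_name
    if s.chap_result == "Failure":
        return "chap-failed-domain-qualified-name" if qualified else "chap-failed"
    if s.chap_result == "Success":
        return "ok" if s.authorized else "authenticated-but-not-authorized"
    return "incomplete"
```

Run over a real VPN log, the "authenticated-but-not-authorized" verdict is the one to watch separately from plain CHAP failures, because it means the password check passed and only the service ACL refused the user.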

Jul 17, 2013 3:08 AM in response to matneyc

If you are using a domain name of .local for your Active Directory this is considered a very bad thing since it conflicts with Bonjour on Macs.

Since you are running a Windows server is there any reason why you don't also use it or another Windows server as your VPN server?

It does not look like your problem but for your information while Snow Leopard Server accepted VPN logins using a users fullname or shortname, Lion and Mountain Lion (Server.app) only accept the shortname.

Jul 17, 2013 9:51 AM in response to John Lockwood

Hi John Lockwood - I am not using a M$ VPN solution simply for security reasons. I know that they have supposedly made changes and things are more and more secure but, I was bitten by 2 attacks with a client about 10 years ago and do not want to have to deal with the risk again. I am sure that down the line, I am to blame for something that may have allowed that to go badly but, I have had a lot of success using the OS X Server VPN application.

I did not know that Bonjour conflicted with the .local so, that is going to be a long term issue since that is how all of the clients that I support are configured. I will try to see if any other solutions get me in but, I have to leave the domain named as it is.

On your comment about short name, I am dealing with Active Directory accounts so, I am not sure that applies. I am able to use an account that I created on the server to authenticate so, the OS X piece is working fine. I am now trying to allow my AD users to use the same thing to get in and not have to create another account and password for them.

Thank you for your suggestions and thoughts on this.

Dan

Dec 18, 2013 5:38 PM in response to matneyc

I have called Apple and verified that this is a bug in the software. To be clear, the server app - VPN will not authenticate with any active directory entries. It only looks inside of open directory user entries (not local users or even open directory groups). The tech said it is a known issue. He was unsure if it is likely to be fixed anytime soon.

Anyone else know of a work around?

Mar 30, 2014 9:11 AM in response to paradoxgrowth

There has been a whole slew of updates to OS X Server but this issue is still outstanding. Anyone find a work around? All my AD users are from a windows AD master and their passwords are all of type "Crypt" with no way to change that.

My understanding is that the VPN daemon is supposed to look at the AD user name, then take the password, hash it and then ask the AD master to authenticate the hash and tell the VPN daemon whether the password is valid or not. But this CHAP authentication seems to be broken?

Any advice as to how to get my AD users access to VPN services would be helpful.
