This question is in regards to how AD responds to an LDAP Authentication
Request coming from a non-Microsoft RADIUS server.

What I need to know is if AD returns the password from an LDAP authentication
request in MS_CHAP_v2 format or if it is in clear text?

We are trying to configure several devices for a secure wireless signon.

On the client side is a Windows XP Pro SP2 laptop using the Windows Zero
Config service.
802.1x authentication WPA/TKIP and EAP-PEAP/MS_CHAP_V2 manually sign-on

RADIUS server (Juniper SBR 6.0.1) accepts the requests without a problem.
But when it tries to authenticate the MS_CHAP it fails every time. So I'm
wondering what AD is sending back to RADIUS.
Any help would be great.

Thank you

Re: LDAP Query Question by Richard

Richard
Thu Mar 13 09:44:06 PDT 2008

Chris wrote:

> This question is in regards to how AD responds to an LDAP Authentication
> Request coming from a non-Microsoft RADIUS server.
>
> What I need to know is if AD returns the password from an LDAP
> authentication request in MS_CHAP_v2 format or if it is in clear text?
>
> We are trying to configure several devices for a secure wireless signon.
>
> On the client side is a Windows XP Pro SP2 laptop using the Windows Zero
> Config service.
> 802.1x authentication WPA/TKIP and EAP-PEAP/MS_CHAP_V2 manually sign-on
>
> RADIUS server (Juniper SBR 6.0.1) accepts the requests without a problem.
> But when it tries to authenticate the MS_CHAP it fails every time. So I'm
> wondering what AD is sending back to RADIUS.
> Any help would be great.

AD does not save or know the password, only the hash value. In fact, the
password is never sent over the network from the client. If someone monitors
the network, they see only the hash.

I forget the details, but the DC may return a salt value to the client
required to generate the hash.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--



Re: LDAP Query Question by Chris

Chris
Thu Mar 13 10:15:33 PDT 2008

Ok

So how does this relate to MS_CHAPv2? Is MS_CHAPv2 the same as NTLM2?


"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in
message news:uxnY6lShIHA.5468@TK2MSFTNGP03.phx.gbl...
> Chris wrote:
>
>> This question is in regards to how AD responds to an LDAP Authentication
>> Request coming from a non-Microsoft RADIUS server.
>>
>> What I need to know is if AD returns the password from an LDAP
>> authentication request in MS_CHAP_v2 format or if it is in clear text?
>>
>> We are trying to configure several devices for a secure wireless signon.
>>
>> On the client side is a Windows XP Pro SP2 laptop using the Windows Zero
>> Config service.
>> 802.1x authentication WPA/TKIP and EAP-PEAP/MS_CHAP_V2 manually sign-on
>>
>> RADIUS server (Juniper SBR 6.0.1) accepts the requests without a
>> problem. But when it tries to authenticate the MS_CHAP it fails
>> every time. So I'm wondering what AD is sending back to RADIUS.
>> Any help would be great.
>
> AD does not save or know the password, only the hash value. In fact, the
> password is never sent over the network from the client. If someone
> monitors the network, they see only the hash.
>
> I forget the details, but the DC may return a salt value to the client
> required to generate the hash.
>
> --
> Richard Mueller
> Microsoft MVP Scripting and ADSI
> Hilltop Lab - http://www.rlmueller.net
> --
>
>