Barracuda CloudGen Firewall

Requirements for a successful MS-CHAP domain join

  • Type: Knowledgebase
  • Date changed: 7 months ago
Solution #00005263 
This solution applies to:
- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x


Which requirements are needed for a successful domain join with MS-CHAP?


Several settings are needed for working MS-CHAP authentication.


Configuration at "Config" > "Box" > "Infrastructure Service" > "Authentication Service":

- The "MS-CHAP" authentication configuration must use the "MSAD" helper scheme;

- The "MSAD" authentication configuration must set the option "Use MSAD-groups with NTLM" to "yes";

- If more than one AD server is configured in the MSAD scheme, only the first one is used for MS-CHAP;

- The MSAD server IP, the MS-CHAP server IP and the WINS server IP are normally the same;

- The MSAD/MSCHAP/WINS server and the NG firewall must have the same system time;

- Use the MSAD server itself as DNS server for your NG firewall if possible;

Checking the firewall history and command line interface:

- There must not be communication drops or timeouts between the box and the AD server(s) on ports 389 and 3268;

 - The NG firewall must be able to resolve the MSAD/MSCHAP/WINS server (forward and reverse direction);

  ping <IP of MSAD/MSCHAP/WINS server>

  host <hostname of MSAD/MSCHAP/WINS server>

 - The MSAD/MSCHAP/WINS server must be able to resolve the NG firewall (forward and reverse direction);

  ping <IP of the NG firewall>
  nslookup <hostname of the NG firewall>


- The command "hostname -fi" must return the IP that the DNS record points to;

- The NG firewall must be able to resolve the following FQDN: _ldap._tcp.dc._msdcs.<domain-realm>
   Check this with the following commands on the box (nslookup in interactive mode):

    nslookup
    set type=srv
    _ldap._tcp.dc._msdcs.<domain-realm>

    You should see an answer like this:

  _ldap._tcp.dc._msdcs.<domain-realm> service = 0 100 389 <FQDN of MSCHAP server>


- Sometimes, after failed domain joins, a "hard" reset of the configuration stored on the box is necessary. To do so, enter the following commands in the CLI:


  rm -rf /var/lib/samba/*
  mkdir /var/lib/samba/private
  chmod 700 /var/lib/samba/private
  mkdir /var/lib/samba/winbindd_privileged
  chmod 750 /var/lib/samba/winbindd_privileged
  chgrp logs /var/lib/samba/winbindd_privileged
  mkdir /var/lib/samba/scripts
  /etc/init.d/winbind restart
  phionctrl box block phibs


- Ensure that no winbind processes are still running:

  ps -A | grep winbind


    If any are listed, kill them and start the service again:


  killall -9 winbind
  phionctrl box start phibs


    You also have to delete the computer account that was created in your MS AD.


- If the domain join is still not successful, do the "hard reset" described above and join the box with debugging enabled. To do so, use the command below; afterwards analyse netjoin.txt, which is then located in your working directory.


  net ads join -U <join-user>%<join-password> -d 5 >& netjoin.txt


- Another way, if it still fails, is to point the join at the DC IP address explicitly:

  net ads join -I <DC-IP> -U <join-user>%<join-password> -d 5 >& netjoin.txt
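The checks above (reachability, forward and reverse DNS, the "hostname -fi" comparison, the SRV lookup for _ldap._tcp.dc._msdcs.<domain-realm> and matching system time) can be run as one pre-join script. The following POSIX shell script is an added example; it is not part of this article and not Barracuda's own tooling. It assumes the box provides ping, host, nslookup, hostname and awk as used in the article, the nslookup SRV answer embedded in it is a constructed sample, and the 300-second limit in clock_skew_ok is the Kerberos default clock-skew tolerance, not a value from the article.

```shell
#!/bin/sh
# Pre-join checks for an MS-CHAP/MSAD domain join (added example, not
# Barracuda's tooling). Assumes ping, host, nslookup, hostname and awk.

# Parse an nslookup "set type=srv" answer. Prints one "port target" pair per
# SRV record line of the form "NAME service = PRIO WEIGHT PORT TARGET";
# exits 1 when no SRV record is present (e.g. "Non-existent domain").
parse_srv_answer() {
    printf '%s\n' "$1" | awk '
        $0 ~ /service = / {
            split($0, f, "service = ")
            split(f[2], r, " ")
            sub(/\.$/, "", r[4])        # strip the trailing dot of the FQDN
            print r[3], r[4]
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Does the SRV answer advertise the LDAP port the article expects (389)?
srv_port_ok() {
    parse_srv_answer "$1" | awk '$1 == 389 { ok = 1 } END { exit ok ? 0 : 1 }'
}

# The article requires "hostname -fi" to return the IP the DNS record points
# to. $1: output of "hostname -fi", $2: whitespace-separated resolved IPs.
hostname_ip_in_dns() {
    fi_ip=$(printf '%s\n' "$1" | awk '{ print $1; exit }')
    for ip in $2; do
        [ "$ip" = "$fi_ip" ] && return 0
    done
    return 1
}

# "net ads join" uses Kerberos, which rejects large clock skew; the default
# tolerance is 300 s (assumed here, not stated in the article).
# $1: local epoch seconds, $2: DC epoch seconds, $3: max skew (default 300)
clock_skew_ok() {
    max=${3:-300}
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( -diff ))
    [ "$diff" -le "$max" ]
}

# Live checks on the box. $1: DC hostname, $2: DC IP, $3: domain realm
# (all hypothetical placeholders supplied by the operator).
run_live_checks() {
    dc_host=$1; dc_ip=$2; realm=$3; rc=0
    ping -c 1 "$dc_ip" >/dev/null 2>&1 || { echo "FAIL: $dc_ip unreachable"; rc=1; }
    host "$dc_host" >/dev/null 2>&1 || { echo "FAIL: cannot resolve $dc_host"; rc=1; }
    host "$dc_ip" >/dev/null 2>&1 || { echo "FAIL: no reverse record for $dc_ip"; rc=1; }
    srv=$(printf 'set type=srv\n_ldap._tcp.dc._msdcs.%s\n' "$realm" | nslookup 2>/dev/null)
    srv_port_ok "$srv" || { echo "FAIL: no SRV record for _ldap._tcp.dc._msdcs.$realm on 389"; rc=1; }
    own=$(hostname -fi 2>/dev/null)
    mine=$(host "$(hostname -f)" 2>/dev/null | awk '/has address/ { print $NF }')
    hostname_ip_in_dns "$own" "$mine" || { echo "FAIL: hostname -fi ($own) not in DNS A records ($mine)"; rc=1; }
    return $rc
}

# Constructed sample of an nslookup SRV answer (not captured from a real DC).
SAMPLE_SRV_ANSWER='Server:  10.0.0.10
Address: 10.0.0.10#53

_ldap._tcp.dc._msdcs.example.local service = 0 100 389 dc01.example.local.'

# With three arguments the live checks run; otherwise the parser is
# demonstrated offline against the constructed sample.
if [ $# -eq 3 ]; then
    run_live_checks "$1" "$2" "$3"
else
    parse_srv_answer "$SAMPLE_SRV_ANSWER"
    srv_port_ok "$SAMPLE_SRV_ANSWER" && echo "SRV check: ok" || echo "SRV check: FAIL"
fi
```

Run it on the box as `sh prejoin.sh <DC hostname> <DC IP> <domain-realm>` before `net ads join`; every FAIL line maps to one of the requirements listed above, so the join is only attempted once the script is silent.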


