It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda NextGen Firewall X

Requirements for a successful MS-CHAP domain join

  • Type: Knowledgebase
  • Date changed: 2 years ago
Solution #00005263 
This solution replies to:
- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x


Which requirements are needed for a successful domain join with MS-CHAP?


There are several settings needed to provide a working MS-CHAP authentication.


Configuration at "Config" > "Box" > "Infrastructure Service" > "Authentication Service":

- The "MS-CHAP" authentication configuration must use the "MSAD" helper scheme;

- The "MSAD" authentication configuration must set the option "Use MSAD-groups with NTLM" to "yes";

 - If you have more than one AD-servers configured in the MSAD scheme, just the first will be used for MSCHAP

 - The MSAD server IP, the MSCHAP server IP and the WINS server IP are normaly equal;

 - The MSAD/MSCHAP/WINS server and the NG firewall must have the same system time;

 - Use the MSAD itself as DNS-server for your NG firewall if possible;

Checking the firewall history and command line interface:

 - There must not be communcation-drops or timeouts between box and AD-server(s) on port 389 and 3268;

 - The NG firewall must be able to resolve the MSAD/MSCHAP/WINS server (forward and reverse direction);

  ping <IP of MSAD/MSCHAP/WINS server>

  host <hostname of MSAD/MSCHAP/WINS server>

 - The MSAD/MSCHAP/WINS server must be able to resolve the NG firewall (forward and reverse direction);

  ping <IP of the NG firewall>
  nslookup <hostname of the NG firewall>


 - the command "hostname -fi" must return the IP which the DNS-record points to;

- The NG firewall must be able to resolve the following FQDN: _ldap._tcp.dc._msdcs.<domain-realm>
   Check this with the following commands on the box:


    set type=srv


    You should see an answer like this: 

  _ldap._tcp.dc._msdcs.<domain-realm> service = 0 100 389 <FQDN of MSCHAP server>


- Sometimes after failed domain joins a "hard" reset of the on box stored configuration is necessary. To do so enter the following commands in CLI:


  rm -rf /var/lib/samba/*
  mkdir /var/lib/samba/private
  chmod 700 /var/lib/samba/private
  mkdir /var/lib/samba/winbindd_privileged
  chmod 750 /var/lib/samba/winbindd_privileged
  chgrp logs /var/lib/samba/winbindd_privileged
  mkdir /var/lib/samba/scripts
  /etc/init.d/winbind restart
  phionctrl box block phibs


- Ensure that there are no winbind-processes running:

  ps -A grep winbind  


    ... if so, kill it:


  killall -9 winbind
  phionctrl box start phibs 


    You also have to delete the created computer account on your MS-AD.


- If domain join is still not successful do the above described "hard reset" and join the box with debugging enabled. To do so use the command below; after that analyse the netjoin.txt which is now located in your working directory.


  net ads join -U <join-user>%<join-password> -d 5 >& netjoin.txt


- another way, if it still fails:

  net ads join -I <DC-IP> -U <join-user>%<join-password> -d 5 >& netjoin.txt



Link to This Page: