NTLMv2 Authentication in Linux

Similar Messages

• NTLMv2 authentication from linux

  Hello All,
  I spent good amount of time on Internet tyring to figure this out, without any success. So i thought i would better ask.
  We use corporate proxy to access internet. We have both linux & win box. We access internet from linux, via firefox, after authenticating with our win domain id/pass.
  Recently our proxy authentication module was upgraded/configured to accept only NTLMv2. After this, firefox keeps on prompting for id/pass as if we provided in-correct credentials.
  From whatever i read, NTLMv2 is an authentication protocol. A bit advanced from LM or NTLM protocols.
  So i am not sure whether firefox doesn't support NTLMv2 or should i install some package helping firefox to speak NTLMv2 or i am missing something.
  Cheers,
  Uday.

  It's an old post but the basic problem is that the code shown doesn't implement NTLMv2 authentication at all. It just implements basic password authentication.
  Does anyone know whether Sun's Linux implementation of JDK 1.6 supports NTLMv2 authentication protocol?@OP: you should have read the link you provided! It clearly says that NTLM authentication via java.net.Authenticator only works on Windows platforms, and it works by not calling your installed Authenticator. If yours gets called, it is not working or not available.
  There are other problems:
  public static PrintStream setupPrintStream( String fileName ) throws FileNotFoundException
  PrintStream out  = null;
  File        file = new File( fileName );
  file.delete();
  FileOutputStream stream  = new FileOutputStream(fileName, true);
  out     = new PrintStream( stream );
  return out;
  }All that could be reduced to new PrintStream(new FileOutputStream(fileName), false). You don't even need the method.

• WLS .2 MP1: Windows NT authenticator on LINUX

  We have configured Windows NT authenticator on a LINUX host and getting below error. Would like to know if it can be configured for Linux OS or is it specific to Windows OS only.
  If we can configure it on Linux OS, which library is it missing here?
  Weblogic Version : 9.2 MP1
  config.xml entry:
  <sec:authentication-provider xsi:type="wls:windows-nt-authenticatorType">
  ERROR:
  <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: java.lang.UnsatisfiedLinkError: no wlntauth in java.library.path
  java.lang.UnsatisfiedLinkError: no wlntauth in java.library.path
  at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1682)
  at java.lang.Runtime.loadLibrary0(Runtime.java:822)
  at java.lang.System.loadLibrary(System.java:993)
  at weblogic.security.providers.authentication.NTAuthenticatorDelegate.loadlib(NTAuthenticatorDelegate.java:1847)
  at weblogic.security.providers.authentication.NTAuthenticatorDelegate.updateConfigSettings(NTAuthenticatorDelegate.java:534)
  Truncated. see log file for complete stacktrace

  The same trouble. Is it possible to setup Windows NT Authentication on LINUX based server?

• NTLMv2 Authentication Linux

  I am creating a web services client in Java that is intended to extract data from a sharepoint site. My code works in the windows environment but not in the Linux environment
  I am using Jboss 4.3, jdk1.5.0_14, Linux 2.6.18-53.el5
  I see error message in server log: "*exception in input streamjava.io.IOException: Server returned HTTP response code: 500 for URL: http://MySite/sites/appsite/_vti_bin/Lists.asmx*"
  Java code is as follows:
  URL u = new URL(targetURL);
  URLConnection uc = u.openConnection();
  HttpURLConnection connection = (HttpURLConnection) uc;
  connection.setDoOutput(true);
  connection.setDoInput(true);
  connection.setRequestMethod("POST");
  connection.setRequestProperty("SOAPAction", actionPath);
  connection.setRequestProperty("Content-Type", "text/xml; charset=ISO-8859-1");
  StringBuffer sb= new StringBuffer();
  sb.append("<?xml version='1.0' encoding='utf-8' ?>");
  sb.append("<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">");
  sb.append("<soapenv:Body>");
  sb.append(payload.toString());
  sb.append("</soapenv:Body>");
  sb.append("</soapenv:Envelope>");
  String paramStr= sb.toString();
  String lengthString = String.valueOf(paramStr.length());     
  connection.setRequestProperty("Content-Length", lengthString);
  OutputStream out = connection.getOutputStream();
  wout = new OutputStreamWriter(out);     
  wout.write(paramStr);
  wout.flush();
  wout.close();     
  in = connection.getInputStream();
  sb =new StringBuffer();

  Hi
  I will try to brief you down the problem here. I have java web application which talks to (Microsoft) Share point back end through Webservices. The Security (Authentication) level for Share point server is set to NTLM v2.0. I am using JDK 1.5.0_14, Jboss 4.3 under Linux Platform.
  I use HttpURLConnection to establish connection with share point server. I have attached the code snippet in my previous post. When I run my application under Windows platform, i can establish server connection and talk to share point successfully. However, my target environment is Linux. When I test my code in Linux I am not able to talk to share point. All I can see in my server logs is "Response code is 500". On a side note if I try to bring down my NTLM version in share point from V2.0 to V1.0, my application works both in Windows and Linux.
  I have tried looking at various sites and didn't find concrete answer for this issue. I think the JDK version of Linux use "*sun.net.www.protocol.http.HttpURLConnection*" whereas windows JDK use "*java.net.HttpURLConnection*". There could be some differences in Linux Jdk which is not able to talk to NTLM type authentication
  Please share thoughts and solution

• SQL Developer: Windows Authentication on Linux

  Hello.
  I have trouble getting SQL Developer to authenticate using "windows authentication" and a MS SQL server 2005. I'm on a Linux OS. Authenticating "normally" is no problem, however only windows authentication will be allowed in near future. Does anyone have success using this option? It simply gives me an error that it is unable to login.
  Hope anyone can be of help. Thanks in advance.
  Stefan

  Just wondering why the option would be there in the linux version (which is different in other areas than the windows one).
  Is it not possible using Kerberos perhaps?
  regards

• IPSec Certificate Authentication from Linux Strongswan client to Windows Advanced Firewall (2012)

  Hi,
  Has anybody had any success in getting a Linux Strongswan client (or Openswan) to connect to a win2012 Advanced Firewall using certificates and IPSec?  My Security Connection Rule requires authentication both inbound and outbound.  The cert is
  installed correctly on the Linux box.
  I can get a connection using pre-shared keys, but haven't been able to establish a Quick Mode session when using certs.  I've tried (literally) hundreds of different configs without success.  Event log shows either 'No Policy Configured' or 'Unknown
  Authentication'.
  Windows clients can connect correctly with certs.  I've deliberately excluded details as the Linux config can be setup in so many different ways, i'd rather start by looking at someone elses config that works (if that actually exists).
  Thanks
  Mick

  Hi,
  I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
  Thanks for your understanding and support.
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Message signature for NTLMv2 Authentication message

  Hi,
  I'm implementing NTLMv2 support for SMBv2 and I have encountered some problems calculating the correct checksum for the authentication message. 
  Authentication packet:
  4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 AE 00 00 00 42 01 42 01 C6 00 00 00 1E 00 1E 00 58 00 00 00 1A 00 1A 00 76 00 00 00 1E 00 1E 00 90 00 00 00 10 00 10 00 08 02 00 00 15 82 88 E2 06 01 B1 1D 00 00 00 0F 57 7C 17 17 5E DF 25 D8 8C 06 8D E6 75 5F
  62 65 57 00 49 00 4E 00 2D 00 34 00 37 00 50 00 30 00 39 00 4E 00 51 00 42 00 4B 00 49 00 38 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 57 00 49 00 4E 00 2D 00 51 00 32 00 33 00 49 00 36 00 4F 00 34 00 55 00 55 00 44 00
  53 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 67 E7 1D 8A 39 CC A0 52 A7 01 51 02 E9 5A DF 7B 01 01 00 00 00 00 00 00 7F D2 02 FD 80 6C D0 01 2A 01 01 16 D7 E9 11 F7 00 00 00 00 02 00 1E 00 57 00 49 00 4E 00 2D 00 34 00 37 00
  50 00 30 00 39 00 4E 00 51 00 42 00 4B 00 49 00 38 00 01 00 1E 00 57 00 49 00 4E 00 2D 00 34 00 37 00 50 00 30 00 39 00 4E 00 51 00 42 00 4B 00 49 00 38 00 04 00 1E 00 57 00 49 00 4E 00 2D 00 34 00 37 00 50 00 30 00 39 00 4E 00 51 00 42 00 4B 00 49 00 38 00
  03 00 1E 00 57 00 49 00 4E 00 2D 00 34 00 37 00 50 00 30 00 39 00 4E 00 51 00 42 00 4B 00 49 00 38 00 07 00 08 00 7F D2 02 FD 80 6C D0 01 06 00 04 00 02 00 00 00 08 00 30 00 30 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 20 28 45 5A F8 71 0C F9 CC 5A EB A1
  F5 FB C3 17 49 CE 76 FF 1B 32 31 4D 52 E7 0E D8 B0 BA C5 F9 0A 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 00 22 00 63 00 69 00 66 00 73 00 2F 00 31 00 39 00 32 00 2E 00 31 00 36 00 38 00 2E 00 31 00 2E 00 31 00 31 00 00 00 00 00 00 00 00 00
  00 00 00 00 03 AC 9B EA 78 DD DF 49 BB D8 2D 66 0C 4F 22 61 
  By offline testing of packets I was able to get 
  ExportedSessionKey: 945d257f88b6be1a4b201748e3f134c5
  and from there calculate the correct MIC (based on the negotiation,challenge and authentication messages).
  But now when I am trying to calculate the checksum for the message signature I can't get this right.
  The SignKey equals to md5(concat(ExportedSessionKey,"session key to client-to-server signing key magic constant")):
  2643d035ac56345368b321df5059f9b0
  The SealKey equals to md5(concat(ExportedSessionKey,"session key to client-to-server sealing key magic constant"))
  dbb66166a80c4be9b876a6f4ec1dd3a5
  and the sequence number is: 0
  I'm using this function to calculate the checksum:
  rc4(sealKey,hmac_md5(SignKey,concat(Sequence Number,message) ) ) [0 .. 7] = 0790d273a21186ce
  That's an incorrect checksum, the real checksum should have been: 524102bf5e86c109 (captured from the packet).
  These are the negotiation flags of this session that are set:
  NegotiateUnicode,RequestTarget,NegotiateSign,NegotiateNTLM,NegotiateAlwaysSign,NegotiateNTLM2,
  NegotiateTargetInfo,NegotiateVersion,Negotiate128,NegotiateKeyExch,Negotiate56
  The only thing I wasn't sure about is if I need to calculate the checksum from the message with Z(16) instead of the mic or with the real calculated mic. Nevertheless I don't get the checksum on both ways.
  I've also added the packets from the relevant session.
  https://www.dropbox.com/s/eepcpmim3rj2zkd/ntlm.cap?dl=0
  Thanks in advance!

  Hi Guy:
  The details for how to calculate a MechListMIC are described in RFC 4178 (http://www.rfc-editor.org/rfc/rfc4178.txt) section 5(a).
  Any details specific to Windows are described in MS-SPNG (https://msdn.microsoft.com/en-us/library/cc247021.aspx) documents.
  I will give you an example here how the client calculates MechListMIC in case of NTLM.
  For this example, I used an actual SMB2 session set up exchange. If you need the network trace that I used, please send an email to dochelp at microsoft dot com to my attention referencing this thread.
  server challenge: 0x91, 0xA7, 0xB5, 0xA0, 0x93, 0xD1, 0x28, 0x73
  Password: Password01!
  client's MechTypes from first session set up message : 30 0C 06 0A 2B 06 01 04 01 82 37 02 02 0A
  Security blob from the session set up command that contains the authenticate message:
  A1 82 01 CD 30 82 01 C9 A0 03 0A 01 01 A2 82 01
  AC 04 82 01 A8 4E 54 4C 4D 53 53 50 00 03 00 00
  00 18 00 18 00 86 00 00 00 FA 00 FA 00 9E 00 00
  00 0C 00 0C 00 58 00 00 00 06 00 06 00 64 00 00
  00 1C 00 1C 00 6A 00 00 00 10 00 10 00 98 01 00
  00 15 82 88 E2 06 03 80 25 00 00 00 0F 82 C4 C5
  F7 7B 08 49 FD A2 87 0E A3 05 EC 77 AB 66 00 6F
  00 72 00 4D 00 44 00 4D 00 61 00 62 00 63 00 4D
  00 49 00 4E 00 49 00 4E 00 54 00 2D 00 36 00 37
  00 31 00 30 00 38 00 46 00 4B 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  00 00 00 30 0B A0 EF 0B 39 38 45 54 E6 ED 4F B4
  FD 6D B6 01 01 00 00 00 00 00 00 72 23 6C 58 68
  6D D0 01 B5 FF F2 9D 10 1B 35 60 00 00 00 00 02
  00 0C 00 46 00 4F 00 52 00 4D 00 44 00 4D 00 01
  00 0C 00 46 00 4F 00 52 00 4D 00 44 00 4D 00 04
  00 0C 00 66 00 6F 00 72 00 4D 00 44 00 4D 00 03
  00 0C 00 66 00 6F 00 72 00 4D 00 44 00 4D 00 07
  00 08 00 72 23 6C 58 68 6D D0 01 06 00 04 00 02
  00 00 00 08 00 30 00 30 00 00 00 00 00 00 00 01
  00 00 00 00 20 00 00 15 7C 95 BD E7 02 DE 3B C9
  8D F1 46 91 04 AC 4D 16 61 03 F1 BF 42 77 85 B2
  82 B7 83 2E CB 1E 3F 0A 00 10 00 00 00 00 00 00
  00 00 00 00 00 00 00 00 00 00 00 09 00 22 00 63
  00 69 00 66 00 73 00 2F 00 31 00 39 00 32 00 2E
  00 31 00 36 00 38 00 2E 00 31 00 2E 00 34 00 30
  00 00 00 00 00 00 00 00 00 00 00 00 00 8E 07 9F
  C9 F1 50 97 65 F3 BD A8 C1 32 8A 52 56 A3 12 04
  10 01 00 00 00 3B 1F D5 E0 2D 97 5F 97 00 00 00
  00
  My calculation are from servers perspective. Everything server needs to verify client's MechListMIC
  is in the security blob and what is not in blob is already with the server (password, server challenge and client's MechTypes sent in an earlier message).
  The KeyExchangeKey is NTLMv2 session base whose calculation is described in MS-NLMP (https://msdn.microsoft.com/en-us/library/cc236621.aspx) section "3.3.2 NTLM v2 Authentication"
  KeyExchangeKey (NTLMv2 session base key)=ad6e6c75872afd2178533d2ebb8ad9ad
  Using KeyExchangeKey to RC4 decrypt the Encrypted Random Session key, we get
  Random Session Key: c7 9a 31 b6 8d b6 4e 3f 84 66 be a3 b2 22 3b c1
  Using Random session key above and description in MS-NLMP, we calculate the signing and sealing keys.
  Server Signing Key: 69 cb 53 69 d5 18 75 04 dc 7e 61 03 33 10 53 e9
  Server Seal Key: 35 4e c9 d1 86 2d 4f a5 98 25 87 c4 b5 35 f2 33
  Client Signing Key: a2 b2 1a ed a9 ec d3 f1 3d ff c3 3d e0 1b 59 30
  Client Seal Key: 1e bb c6 f3 65 5b dc 13 b3 5b e4 e2 24 eb 71 e2
  Now using the client signing and sealing keys, we proceed to calculate the NTLM signature of client's MechTypes as described in MS-NLMP section "3.4.4.2 With Extended Session Security":
  Message number is 00 00 00 00
  MechList with 0000 concatenated:
  00 00 00 00 30 0c 06 0a 2b 06 01 04 01 82 37 02 02 0a
  HMAC_MD5 of the above using client signing key (first 8 bytes): 28 d5 e1 57 a4 d4 58 24
  checksum (RC4 encrypting the above using Client Sealing key): 3b 1f d5 e0 2d 97 5f 97
  MechListMIC by appending version and sequence: 01 00 00 00 3b 1f d5 e0 2d 97 5f 97 00 00 00 00
  As you can see this matches with what client sent.
  Please let me know if it does not answer your question.
  Regards, Obaid Farooqi

• Connecting to MSSQL Windows authentication from Linux

  Hi,
  From linux (OIM) environment we need to connect to window authenticated MSSQL server.In windows we set sql.dll file.How to do in linux?
  Thanks!

  There is a database library that can provide you with the additional options. It's here http://jtds.sourceforge.net/
  With it, you can provide domain authentication credentials.
  -Kevin

• NTLMv2 Authentication on Windows7

  I am using Windows7(64 bit) as the client machine with authentication level set to "send ntlmv2 response only. refuse lm". I need to write server side code for a java web application that accepts NTLMv2 and extract username, domain, workstation etc details from the HTTP header part of the request. This is in Java 1.6. I searched in google, but could not get the right solution. Pls help me writing the code..
  Thanks
  Sundeep

  While I haven't used it myself, the Apache HTTP components project claims to support NTLMv2 - http://hc.apache.org/httpcomponents-client-ga/ntlm.html.

• How to use windows authentication to MSSQL2008 from oim running in Linux

  Hi All,
  We have developed the code (in eclipse) in local windows machine to call sample stored procedures in MSSQL.The code works fine from client and are able to create, update users in MSSQL from windows.
  We have OIM 11g R2 installed in Linux 6 on local VM. The question is while building the jar from the code and placing it in Java task directory of OIM, calling thr Code we need sql.dll file to implement the windows authentication(no user name & pwd) to connect to MSSQL, but this is not possible in Linux since the jar don't support.
  Can any one please give suggestions on this to implement windows authentication from Linux through OIM server.
  Edited by: 970422 on Nov 8, 2012 11:39 PM

  I have no idea, but you might find it helpful to read Redhat's documentation concerning this subject:
  http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-ldap.html

• How to use different (not local) user for NTLM auth in Authenticator?

  Hi All,
  I use custom authenticator to provide user / passwords to connect to .NET Web Services. I overloaded function getPasswordAuthentication() that returns right user / password combination for the requested URL. It all works perfectly for many kinds of HTTP connections: basic, ntlm, ntlm-v2, through proxy, ssl, etc.
  My problem is that during NTLM authentication from Windows computers JVM uses credentials of the currently logged in domain user instead of calling Authenticator to get other user / password provided by the user. In case when local user credentials fail to authenticate, JVM calls my Authenticator but in case authentication is successful it does uses local domain user and never calls my Authenticator. The issue is when this local domain user does not have enough permissions but authenticated correctly there is no way to supply JVM with another user to begin with.
  What can I do to force JVM to ignore local domain user and to use Authenticator to collect credentials during NTLM authentication requested by the server in case the software runs on a Windows box with currently logged in domain user?
  I am looking for the answer for a long time already but found only questions and suggestions to switch server from NTLM authentication which is not an option for me. From the developer's view it has to be pretty simple change for Sun to do in Java networking API. Is there any way to escalate it to Sun support? Maybe there is some property in some JRE patch level that allows to do this?
  Thank you very much!
  Mark

  Thank you for the reply. I have kind of an opposite problem. I can perfectly connect from Linux computers to Microsoft IIS servers using NTLM or even NTLMv2 authentication. My problem is connecting from Windows client computer joined to the same domain as IIS server with the domain user logged in to this computer. In this case this user account will be used in any HTTP connections I initiate to this IIS server instead of the one that I want to supply in my custom Authenticator.
  I have graphical interactive application that connects to IIS Server. When user runs it and connects to IIS server I want to prompt for the user/password regardless whether JRE may correctly authenticate using current user account credentials. The current user may not have enough permissions in IIS application so I want to use different user to login to IIS application.
  Thank you anyway,
  Mark

• Unable to authenticate to https sites using ntlmv2 on Mac OS 10.6 and Firefox 11.0

  I am using a Mac with OS X 10.6. The Firefox version is 11.0.
  we cannot authenticate to https:// sites that require NTLMv2. We were able to use Firefox on the Mac to authenticate to https:// sites until our organization dropped NTLMv1 and required the use of NTLMv2. The problem on the PC was corrected by using the NTLM plugin but we have never managed to correct the problem on the Mac. The operating system does not appear to be the problem since Safari can authenticate to these sites. I have added the https:// url to the network.negotiate-auth.delegation-uris, network.negotiate-auth.trusted-uris and the network.automatic-ntlm-auth.trusted-uris parameters (which is necessary to correct the problem on the PC). After reading the thread about ntlmv2 authentication in Lion I also set network.automatic-ntlm-auth.allow-proxies and network.negotiate-auth.allow-proxies to false but I still can't authenticate. I also tried creating an nsmb.conf file in /etc with minauth=ntlmv2

  Hi
  Thanks for the posts. I set network.ntlm.send-lm-response to TRUE but the behavior was the same. I changed https:// to http:// and made sure there were no trailing /'s but still cannot authenticate

• Get data from Sharepoint site in different farm using webservice, and current site using claims mode authentication.

  Hi , 
  I have a site that runs on   Claims Mode (  NTLM) . That site has a web part that needs to show the data from any  sharepoint farm, SharePoitn  2010 , or 2007 or 2003.
  I am getting 401 unauthorized when I   try to get data from webservice running in sharePoint context.
  But when I run the same code in  Windows Console application  then it is giving no error.
  What I doubt is that this issue is due to the reason that I have  set
  claims mode authentication.
  Because same code is running  in different farm in a site that is configured  using windows authentication.

  So generally speaking, you're talking about a VERY long running topic of authentication methods... and generally speaking, in the world of Windows, the only long running authentication options have been:
  - NTLM (limited to one hop)
  - Kerberos (unlimited hops)
  - Application level authentication (ex: SQL auth, also, no hops)
  Recently, Microsoft has been investing in Claims Based Auth... and I fully expect claims to start working their way into other systems (previously starting to work into Windows via the CardSpace technology, but also in other ways such as Win8's ability to
  log in with a LiveID)... but building a new authentication method into ALL applications is a VERY long process, and the complexity of claims adds a LOT of consideration (claims from the same AD can look VERY different depending on the STS, so lots of questions
  around things like bridging claims).
  So as far your SP auth needs...
  IF both applications are CLAIMS AWARE, then you MAY be able to use claims (which support unlimited hops)... but that's just not very likely yet (and will probably take another 5-10 years to be available across the entire enterprise)... otherwise, KERBEROS
  Outside of the Microsoft world... KERBEROS is open spec, so is supported by other systems (such as authenticating to linux)... claims based auth is also open spec, but again, still new... there are a few other options (LDAP, etc), but none that are native
  to Windows (so you rely on things like third party auth modules for Windows, which Novell has done for DECADES with NDS and eDir)
  And again, SharePoint can convert claims to Kerberos using the C2WTS... which MS uses internally for things Excel Services connecting to a backend SQL server... but it DOES require the Kerb and C2WTS configuration.
  if you're having issues using Kerb auth... then it sounds like Kerb isn't configured correctly... and Kerb is a PAIN to configure (whitepaper for SP Kerb is ~100 pages long)... IIS (and SharePoint) also has the added benefit of failing over to NTLM if Kerb
  fails (and you shouldn't disable this behavior, since it'll break other settings elsewhere)
  Scott Brickey
  MCTS, MCPD, MCITP
  www.sbrickey.com
  Strategic Data Systems - for all your SharePoint needs

• ACS 4.0 to NT Domain with NTLMv2 problem.

  I am trying to authenticate users from a VPN Concentrator (3030) to our NT Domain. We are not running AD yet but we are required to use NTLMv2 authentication on the Domain.
  I want to use ACS4.0 to authenticate Radius w/Expiry from the VPN concentrator and let ACS handle the NTLMv2 part.
  In ACS I have defined my Domain in the External Users Database, I have defined the Unknown User Policy to use the Windows Database, and I have defined the Group Mapping to point to the default group.
  When I run the Authentication test from the VPN setup screen I get a failed request.
  In the CSAuth log I am getting:
  AUTH 02/16/2006 15:13:42 E 0376 1572 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
  AUTH 02/16/2006 15:13:42 E 0376 1572 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
  With NTLMv2 turned off and running ACS 3.2 this setup is working (My production network) My only reason for upgrading to ACS4.0 was the NTLMv2 portion.
  Does anyone have any advise? thanks!

  Please make sure you read this Field Notice:
  http://www-tac.cisco.com/Support_Library/field_alerts/fn62167.html
  Note that, despite the Windows URL mentioning only 2003 server, the 2000 server also supports NTLMv2. Therefore, the following scenarios apply:
  - DC on Win 2003 SP1 - don't require any hotfix since it's included in SP1
  - DC on Win 2000 SP4 - don't require any hotfix since it's included in SP4
  - DC on Win 2003 - require hotfix KB893318

• Problem authenticating against FreeBSD NIS Server

  Hello,
  We are having problems authenticating Oracle Linux 5.7 32 bits agains a FreeBSD NIS Server, which works without problems with another Linux (CentOS, Gentoo...)
  Our Oracle Linux server binds without problems to the NIS domain and we can retrieve all the maps, but when we try to login using ssh, gdm or in console we get that the password is incorrect...
  Any clues on what is happening?

  Hello, i finally have discovered what was happening, it has to be with the way FreeBSD passes the password field. By default FreeBSD passes the password field with a '*' while Oracle Linux (and Red Hat clones) expect an 'x' to look into shadow maps (Linux uses the '*' character in the password file to not allow login to that user).
  To solve it the password field served by the NIS server must be substituted, which is accomplished with nsswitch.conf and adding a line to the /etc/password file on the NIS Client, so the final files will look this way:
  # nsswitch.conf (compat directive allows us to use the '+' sintaxis in /etc/passwd file)
  passwd files compat
  # /etc/passwd (just add at the end of file)
  +:x:::::