[EMAIL PROTECTED] wrote: > About the client, when I turn the computer on, I have to type in the user > credentials, the same ones that I use when testing FreeRadius. > Windows sends FreeRadius the same user information in the two > cases, but the outcome is completely different and this of > course makes no sense.
Windows is *not* sending the same information in both cases. Please go back and read the debugging output. In each case, Windows is sending a random challenge, and a "response" hash. The "response" hash depends on the challenge, password, and user name, so it is different for EVERY request. Look at the debugging output, and type in the "ntlm_auth" lines by hand on a command line (i.e. cut & paste from the debug output). One will succeed and one will fail. This is because Active Directory is deciding that one succeeds and the other fails. What is probably happening is that the Windows box is treating the user name as "user" in one case, and "DOMAIN\user" in the other. This means that the expected response calculated by Active Directory MAY use a different username than what the Windows client is using. The expected response is therefore not the same as what the Windows box sends, so authentication fails. As to how to fix it? I'm not sure. The Windows box appears to be doing something odd, and I don't know why. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html