A question about Kerberos authentication and VPN
  • #373654
    iain
    Participant

    I was wondering how one goes about configuring Kerberos authentication for VPN w/o exposing the KDC on public DNS or a world-routable IP address.

    If edu.mit.Kerberos points to the KDC at an internal network address (say 10.0.0.1), how can it authenticate when the VPN is not yet established? It would seem the IP would have to be mapped to an external, publicly-routable address, with port 88 allowed in. Is this what most people do to allow Kerberos authentication for VPN connections, or is there something obvious I am missing here?

    Thanks,

    -Iain
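The question above comes down to a pre-flight check: before the tunnel is up, can the client reach any KDC named in its Kerberos config? The following script is an added illustration, not code from the post or from Apple; it assumes only that the edu.mit.Kerberos file uses krb5.conf syntax (a `[realms]` section with `kdc = host[:port]` lines, default port 88). The sample config, the realm names and the addresses in it are constructed placeholders. It parses the realms, classifies each KDC literal as private (RFC 1918, loopback, link-local and the reserved/documentation ranges, which Python's `ipaddress` also treats as non-global) or public, and reports whether the realm could be contacted with no VPN in place.

```python
"""Pre-flight check: which KDCs in a krb5.conf-style file are reachable
before a VPN tunnel exists?  Added example, not from the forum thread."""
import ipaddress
import re

# Constructed sample mirroring the poster's situation: the only KDC for
# the default realm sits on an internal 10/8 address.
SAMPLE_CONFIG = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = 10.0.0.1:88
        admin_server = 10.0.0.1
    }
    PARTNER.EXAMPLE = {
        kdc = kerberos.partner.example
        kdc = 192.0.2.10
    }

[domain_realm]
    .example.com = EXAMPLE.COM
"""

_SECTION = re.compile(r"^\[(\w+)\]$")
_REALM_OPEN = re.compile(r"^(\S+)\s*=\s*\{$")
_KDC_LINE = re.compile(r"^kdc\s*=\s*(\S+)$")


def parse_realms(text):
    """Return {realm: [kdc, ...]} from the [realms] section.

    Handles only the subset of krb5.conf syntax needed here: one level
    of braces and one 'kdc =' entry per line."""
    realms = {}
    section = None
    realm = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = _SECTION.match(line)
        if m:
            section, realm = m.group(1), None
            continue
        if section != "realms":
            continue
        m = _REALM_OPEN.match(line)
        if m:
            realm = m.group(1)
            realms.setdefault(realm, [])
            continue
        if line == "}":
            realm = None
            continue
        m = _KDC_LINE.match(line)
        if m and realm is not None:
            realms[realm].append(m.group(1))
    return realms


def classify_kdc(entry):
    """Split 'host[:port]' (IPv4 literal or hostname; bracketed IPv6 is
    not handled) and classify the host as 'private' (not globally
    routable, so unreachable from outside the VPN), 'public', or
    'hostname' (reachability depends on whether DNS resolves it off-net)."""
    host, sep, port = entry.rpartition(":")
    if not sep:  # no explicit port: Kerberos default
        host, port = entry, "88"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return {"host": host, "port": int(port), "kind": "hostname"}
    kind = "public" if addr.is_global else "private"
    return {"host": host, "port": int(port), "kind": kind}


def audit(text):
    """Map each realm to 'yes' (a public KDC literal exists), 'no' (every
    KDC is a private address) or 'unknown' (only hostnames, no public
    literal): can this realm be reached before the VPN is established?"""
    verdicts = {}
    for realm, kdcs in parse_realms(text).items():
        kinds = {classify_kdc(k)["kind"] for k in kdcs}
        if "public" in kinds:
            verdicts[realm] = "yes"
        elif kinds <= {"private"}:
            verdicts[realm] = "no"
        else:
            verdicts[realm] = "unknown"
    return verdicts


if __name__ == "__main__":
    for realm, verdict in audit(SAMPLE_CONFIG).items():
        print(f"{realm}: reachable before VPN = {verdict}")
```

Run against the real file (`/Library/Preferences/edu.mit.Kerberos` on the client generation discussed here) by reading it in place of `SAMPLE_CONFIG`. A realm that comes back `no` is exactly the case the post describes: the client cannot get a TGT until it is already inside, so either the KDC (or a NAT mapping to it on port 88) has to be exposed, or the VPN itself has to authenticate by some other method.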

    #373659
    iain
    Participant

    Thanks for the response; I thought as much, unfortunately. We’ll have to consider the risks of this, assuming it would pass a PCI audit.

    The primary motivator for considering this is an intermittent issue we’re experiencing with the MS-CHAPv2 plug-in (wrong-sized secret 32 error) on OD. Hopefully I’ll get some response, positive or negative, from Apple on that issue. Either there are few people using Server in that configuration, or I’m overlooking something.

    Thanks again, great site.

    -Iain

    #373778
    wstrucke
    Participant

    Did you ever get a response from Apple on the “wrong-sized secret 32” error in the ODM system log? I’m seeing that repeatedly on my 10.5.4 server while NTLMv2 authentication fails (with correct passwords).

    #373780
    iain
    Participant

    I have not received a reply from Apple on this yet.

    It’s unfortunate to hear this might be more widespread than simply an issue with the MS-CHAPv2 plug-in.

    If you do file a bug report at radar.apple.com, you can reference my filed report id of 6112273 as additional ammunition.

    Does resetting the user’s password in WGM fix the problem, even by re-typing the same password? Is this issue affecting all users authenticated through OD?

    We ended up adding local records to the VPN server to deal with this problem, so they have a separate password for their VPN connections. Annoying, but workable for now.

    Unfortunately the problem came up at seemingly random times, and was not reproducible. This made it very hard to provide a compelling argument to Apple. We really could not isolate anything in the logs, apart from that wrong-sized secret issue in system.log.

    Good luck,

    -Iain
