Captive Portal with Active Directory [RESOLVED]


This topic contains 0 replies, has 0 voices, and was last updated by ckoeber 7 years, 8 months ago.

Viewing 2 posts - 1 through 2 (of 2 total)
  • #43135

    ckoeber
    Member

    Hello,

    I have successfully configured a ZeroShell instance to be a captive portal within a wireless network using Radius authentication via a proxy system. I would like to add an additional Microsoft Active Directory domain using Kerberos but I cannot get authenticated on that domain. Here are the steps I followed:

    (1). Under time, I ensured that the NTP settings are set to sync with the active directory domain controllers.

    (2). The DNS setup has the Active Directory server listed as (ANY) for the forwarding. The Active Directory server runs a DNS service which runs the standard DNS service for the network as well as for access to the internet.

    (3). Under the REALMS section in Kerberos 5, I have the domain listed with the primary domain controller listed as the KDC. I have tried both the IP of the domain controller (with the DNS Discovery option set to no) and the FQDN of the domain controller (with the DNS Discovery option set to yes).

    (4). Under the Authentication tab for the Captive Portal section, I have the domain name, in all caps, listed in the Authorized Domains with “External Kerberos 5 Realm” checked as the domain type.

    Now, after all of this, I cannot get a user authenticated to the active directory realm. The log file lists this error message:

    19:04:53 AS: trying Kerberos 5 (External KDC) authentication for user@ACTIVEDIRECTORYDOMAIN.COM (Client: xxx.xxx.xxx.xxx)
    19:04:53 AS: kinit(v5): Password incorrect while getting initial credentials

    Any idea of what I might need to change?

    Thanks.

    Regards,

    Chris K.

    #51969

    ckoeber
    Member

    It turns out that what I did does work with the exception of a small subset of accounts I tried.

    Thank you to anyone who has taken time to look at this.

    Regards,
    Christopher Koeber
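
An added example, not part of the posts above and not ZeroShell code: a small triage script that pairs each `kinit(v5)` error in the captive portal log with the login attempt logged before it and maps the error to the setup step or account condition worth re-checking. The line formats come from the two log lines quoted in the first post; the other error strings are standard MIT Kerberos messages that are assumed to be logged in the same form, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Line formats taken from the two log lines quoted in the post.
TRY_RE = re.compile(r"^(\S+) AS: trying Kerberos 5 \(External KDC\) authentication "
                    r"for (\S+) \(Client: (\S+)\)$")
ERR_RE = re.compile(r"^(\S+) AS: kinit\(v5\): (.+?) while getting initial credentials$")

# MIT krb5 error text -> what to re-check. Assumption: ZeroShell logs these
# errors in the same form as the "Password incorrect" line in the post.
HINTS = [
    ("Clock skew too great", "step 1: time sync with the domain controllers"),
    ("Cannot resolve network address for KDC", "step 2: DNS forwarding to the AD server"),
    ("Cannot contact any KDC", "step 3: KDC address in the realm definition"),
    ("Client not found in Kerberos database", "account: principal unknown to the realm"),
    ("Clients credentials have been revoked", "account: disabled, locked out or expired"),
    ("Password incorrect", "account: password rejected; compare with a working account"),
    ("Preauthentication failed", "account: password rejected; compare with a working account"),
]

def classify(message):
    return next((hint for needle, hint in HINTS if needle in message), "unclassified")

def triage(lines):
    """Pair each kinit error with the attempt logged just before it."""
    failures = defaultdict(list)
    pending = None  # last attempt seen; interleaved attempts would mis-pair
    for raw in lines:
        m = TRY_RE.match(raw.strip())
        if m:
            pending = m.groups()  # (time, principal, client)
            continue
        m = ERR_RE.match(raw.strip())
        if m and pending:
            failures[pending[1]].append((m.group(1), pending[2], classify(m.group(2))))
            pending = None
    return dict(failures)

# Constructed sample log (principals and addresses are made up).
SAMPLE = """\
19:04:53 AS: trying Kerberos 5 (External KDC) authentication for alice@EXAMPLE.COM (Client: 192.0.2.10)
19:04:53 AS: kinit(v5): Password incorrect while getting initial credentials
19:05:10 AS: trying Kerberos 5 (External KDC) authentication for bob@EXAMPLE.COM (Client: 192.0.2.11)
19:05:10 AS: kinit(v5): Clients credentials have been revoked while getting initial credentials
19:07:30 AS: trying Kerberos 5 (External KDC) authentication for carol@EXAMPLE.COM (Client: 192.0.2.12)
19:07:30 AS: kinit(v5): Clock skew too great while getting initial credentials
"""
if __name__ == "__main__":
    print(triage(SAMPLE.splitlines()))
```

Failures that cluster on a few principals with "account" hints point at those accounts, while "step" hints across all users point back at the realm, DNS or time configuration.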
