Azure AD Authentication with PEAP-MSCHAPv2

Azure Active Directory authentication with PEAP-MSCHAPv2

This tutorial provides instructions on how to make PEAP-MSCHAPv2 authentication work with IronWiFi and Azure AD Domain Services.

  • enable Azure AD Connector
  • enable Azure AD Domain Services
  • create CentOS virtual machine
    • Make sure to choose the same resource group as your Azure AD Domain Services, but a different subnet.
    • Allow ports 80 and 443 by executing these commands:

iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
  • create AAD domain admin user bob

Join Linux machine to Domain

Follow the instructions from this page. You may need to change bob's password before executing 'kinit'.

Update /etc/hosts and add machine information

echo " ironwificentos" >> /etc/hosts

Install required packages on Linux machine

sudo yum install realmd sssd krb5-workstation krb5-libs oddjob oddjob-mkhomedir samba-common-tools

Discover the AAD Domain Services managed domain. In your SSH terminal, type the following command:


Update kerberos config file /etc/krb5.conf

dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
default_ccache_name = KEYRING:persistent:%{uid}

kdc =
admin_server =
default_domain =

  • Initialize Kerberos: try to get a valid Kerberos ticket for your Active Directory administrator account.

Configure SAMBA and WINBIND

  • update /etc/resolv.conf, add "search"
  • update /etc/samba/smb.conf
workgroup = TESTGMAIL
security = ads
winbind use default domain = yes
winbind offline logon = false
winbind enum users = yes
winbind enum groups = yes
passdb backend = tdbsam
template shell = /bin/bash
idmap uid = 100000-200000
idmap gid = 100000-200000
template homedir = /home/%U

printing = cups
printcap name = cups
load printers = yes
cups options = raw

Enable Samba and Winbind at startup and restart both services (on CentOS 7 the Samba unit is named smb)

systemctl enable smb winbind

systemctl restart smb winbind
  • Join the Linux machine to the domain
net join -w -U

Test authentication

wbinfo -a 'bob%__PASSWORD__'
plaintext password authentication succeeded
challenge/response password authentication succeeded

Installing the web server

Install the EPEL repository

yum install epel-release -y

Import the EPEL GPG key

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

Install the Lighttpd web server

yum install lighttpd -y

Open /etc/lighttpd/lighttpd.conf and disable IPv6

#server.use-ipv6 = "enable"

Start the service and create startup links

systemctl enable lighttpd
systemctl start lighttpd

Install the PHP-FPM and FastCGI packages

yum -y install php-fpm lighttpd-fastcgi

Open /etc/php-fpm.d/www.conf

nano /etc/php-fpm.d/www.conf

... and set user and group to lighttpd:

; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
; RPM: apache Choosed to be able to access some dir as httpd
user = lighttpd
; RPM: Keep a group allowed to write in log dir.
group = lighttpd

Create the system startup links for PHP-FPM and start it:

systemctl enable php-fpm.service
systemctl start php-fpm.service

Configuring Lighttpd to Work With PHP

To enable PHP to work with the Lighttpd web server, we will need to make a few configuration changes. Open your /etc/php.ini file in your favorite editor:

nano /etc/php.ini

Look for the following lines in the configuration:

; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.  PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is.  For more information on PATH_INFO, see the cgi specs.  Setting
; this to 1 will cause PHP CGI to fix its paths to conform to the spec.  A setting
; of zero causes PHP to behave as before.  Default is 1.  You should fix your scripts
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.

Uncomment the line

;cgi.fix_pathinfo=1

to make it

cgi.fix_pathinfo=1
Save the file and exit the editor.

Now open another file /etc/lighttpd/conf.d/fastcgi.conf using your favorite editor.

nano /etc/lighttpd/conf.d/fastcgi.conf

Now look for the following lines in the file:

server.modules += ( "mod_fastcgi" )

Add the following lines just below the above line (the host is the address PHP-FPM listens on; the www.conf default is 127.0.0.1:9000):

fastcgi.server += ( ".php" =>
        ((
                "host" => "127.0.0.1",
                "port" => "9000",
                "broken-scriptfilename" => "enable"
        ))
)

Save the file and exit from editor:

Now open /etc/lighttpd/modules.conf file using your favorite editor.

nano /etc/lighttpd/modules.conf

Look for the following lines in the file:

## FastCGI (mod_fastcgi)
#include "conf.d/fastcgi.conf"

Uncomment #include "conf.d/fastcgi.conf" so that it reads include "conf.d/fastcgi.conf". Save the file and exit the editor.

Now restart PHP-FPM and Lighttpd using the following command.

systemctl restart php-fpm
systemctl restart lighttpd

Now, to verify that Lighttpd is configured to use PHP-FPM, create a new file in your document root directory, which may be /var/www/htdocs or /var/www/lighttpd depending on how you configured it before.

nano /var/www/lighttpd/ntlm.php

Now add the following PHP code to the file. The script strips the DOMAIN\ prefix from the username and hands the challenge and NT response to ntlm_auth; every request value is quoted with escapeshellarg() so that it is never interpreted by the shell.

<?php
// IronWiFi sends DOMAIN\user; keep only the part after the last backslash
$username = isset($_GET['username']) ? $_GET['username'] : '';
if (($pos = strrpos($username, "\\")) !== false) { $username = substr($username, $pos + 1); }
// escapeshellarg() quotes each value so request data is never parsed by the shell
$cmd = "/bin/ntlm_auth --request-nt-key --username=" . escapeshellarg($username)
     . " --challenge=" . escapeshellarg(isset($_GET['challenge']) ? $_GET['challenge'] : '')
     . " --nt-response=" . escapeshellarg(isset($_GET['response']) ? $_GET['response'] : '') . " 2>&1";
exec($cmd, $out, $ret);
echo $out[0];
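The bridge above is the page's PHP script. As an added example (not IronWiFi's code and not part of the original page), the following Python shows the same bridge logic with the checks a practitioner would want before handing request data to ntlm_auth: the DOMAIN\user prefix is stripped, the username is restricted to a conservative character set, the challenge and NT response are required to be 8 and 24 bytes of hex (the MS-CHAPv2 sizes), and ntlm_auth is invoked as an argv list with no shell at all. It also parses ntlm_auth's output, including the NT_KEY line that --request-nt-key produces on success. The username regex, the sample challenge/response values and the sample output lines are constructed assumptions, not values from the page.

```python
import re
import subprocess

# Constructed sample values for offline use; real values arrive from the
# IronWiFi connector in the ntlm.php query string.
SAMPLE_USERNAME = "TESTGMAIL\\bob"
SAMPLE_CHALLENGE = "0123456789abcdef"  # 8-byte MS-CHAPv2 challenge, hex
SAMPLE_RESPONSE = "00112233445566778899aabbccddeeff0011223344556677"  # 24-byte NT response, hex

NTLM_AUTH = "/bin/ntlm_auth"  # path used on the page (/bin is a symlink to /usr/bin on CentOS 7)
# Assumption: a conservative username alphabet; widen it if your sAMAccountNames need more.
_USER_RE = re.compile(r"^[A-Za-z0-9._@$-]{1,104}$")
_HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def strip_domain(username):
    """Return the part after the last backslash, mirroring the strrpos() logic in ntlm.php."""
    _, sep, user = username.rpartition("\\")
    return user if sep else username


def build_ntlm_auth_argv(username, challenge_hex, response_hex):
    """Validate the three request parameters and return an argv list for ntlm_auth.

    Passing a list to subprocess (no shell) means no request value can be
    interpreted as shell syntax; the regex checks additionally reject anything
    that is not a plausible username, 8-byte challenge or 24-byte NT response.
    """
    user = strip_domain(username)
    if not _USER_RE.match(user):
        raise ValueError("username contains characters outside the allowed set")
    if not (_HEX_RE.match(challenge_hex) and len(challenge_hex) == 16):
        raise ValueError("challenge must be 16 hex characters (8 bytes)")
    if not (_HEX_RE.match(response_hex) and len(response_hex) == 48):
        raise ValueError("nt-response must be 48 hex characters (24 bytes)")
    return [NTLM_AUTH, "--request-nt-key",
            "--username=" + user,
            "--challenge=" + challenge_hex.lower(),
            "--nt-response=" + response_hex.lower()]


def parse_ntlm_auth_output(text):
    """Interpret ntlm_auth output as (authenticated, nt_key_hex_or_None, first_line).

    On success with --request-nt-key, ntlm_auth prints "NT_KEY: <hex>"; on
    failure it prints the NT status, e.g. "NT_STATUS_WRONG_PASSWORD: ... (0xc000006a)".
    """
    first = text.strip().splitlines()[0] if text.strip() else ""
    m = re.search(r"^NT_KEY:\s*([0-9A-Fa-f]+)\s*$", text, re.MULTILINE)
    ok = first.startswith("NT_STATUS_OK") or m is not None
    return ok, (m.group(1).upper() if m else None), first


def run_ntlm_auth(username, challenge_hex, response_hex):
    """Run ntlm_auth without a shell and return the parsed result (needs winbind on the host)."""
    argv = build_ntlm_auth_argv(username, challenge_hex, response_hex)
    proc = subprocess.run(argv, capture_output=True, text=True)
    return parse_ntlm_auth_output(proc.stdout + proc.stderr)


if __name__ == "__main__":
    print(build_ntlm_auth_argv(SAMPLE_USERNAME, SAMPLE_CHALLENGE, SAMPLE_RESPONSE))
    # Constructed output lines in the format ntlm_auth prints
    print(parse_ntlm_auth_output("NT_KEY: 0123456789ABCDEF0123456789ABCDEF\n"))
    print(parse_ntlm_auth_output("NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)\n"))
```

Only run_ntlm_auth() touches the system; the other functions are pure and can be exercised offline. Because the Bridge URL set later in this tutorial is plain http on the VM's public address, the validation here is a second line of defence, not a substitute for limiting which source addresses can reach the bridge.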

If you have SELinux enabled, allow lighttpd to access winbind

setsebool -P httpd_mod_auth_ntlm_winbind 1

Now browse the following file through frontend using your favorite web browser. Go to the following URL.


You will see the following message. This shows that you have a working Lighttpd web server with PHP-FPM that can reach ntlm_auth (the error is expected because the request carried no challenge).

hex decode of  failed!

Return to the IronWiFi console and set the Bridge URL value in your Azure Connector.

Bridge URL:    http://your-IP-addr/ntlm.php