Users no longer authenticate on W2k-svr

J

Jutta Kullmann

Hi,

I have a W2k-svr configured for VPN using RAS. I used to
be able to make PPTP connections, but all of a sudden all
my users get an error message:

Error 691: Access was denied because the username and/or
password was invalid on the domain

I retyped all passwords, but it still fails.

I don't even know where to start looking?

Thanks for any advice.
Jutta
 
S

Steven L Umbach

If the rras server is a domain computer make sure it still has connectivity to the
domain controller in that it can ping it by fully qualified domain name such as
dc1.mydomain.com. I would also run netdiag on it from the support tools on the
install cdrom in the support/tools folder where you will have to run the setup to
install them. Look for any failed tests such as dns, dc discovery, kerberos, or
domain membership/secure channel that would indicate a problem. Usually the problem
may be dns related in that domain members need to point to the domain controllers
only as their preferred dns server. There is also a security option that if changed
on the rras server that can cause a problem. Open Local Security Policy and go to
security settings/local policies/security options and make sure that the "effective"
setting for lan manager authentication level is NOT - "send ntlmv2 responses only -
refuse ntlm and lm". Setting to send ntlmv2 responses only is a good setting in a W2K
domain. --- Steve
 
J

Jutta

Thanks for your reply.

The W2k server is a standalone server which is used for
testing. No Active Directory is configured. I also
noticed, that when just using the RUN option [\\IP address
c$] and I get a login prompt, I also cannot logon. The
error I get is: Logon failure: the user has not been
granted the requested logon type at this computer.
When I login with a user locally, the same username and
password works. It seems like remote logon is somehow
disabled.

Thank you,
Jutta


-----Original Message-----
If the rras server is a domain computer make sure it still has connectivity to the
domain controller in that it can ping it by fully qualified domain name such as
dc1.mydomain.com. I would also run netdiag on it from the support tools on the
install cdrom in the support/tools folder where you will have to run the setup to
install them. Look for any failed tests such as dns, dc discovery, kerberos, or
domain membership/secure channel that would indicate a problem. Usually the problem
may be dns related in that domain members need to point to the domain controllers
only as their preferred dns server. There is also a
Click to expand...
security option that if changed
on the rras server that can cause a problem. Open Local Security Policy and go to
security settings/local policies/security options and make sure that the "effective"
setting for lan manager authentication level is NOT - "send ntlmv2 responses only -
refuse ntlm and lm". Setting to send ntlmv2 responses
Click to expand...
only is a good setting in a W2K
 
P

Phillip Windell

Prefix the username with the target machinename.

ex. User: machinename\username
Password: *******

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

Jutta said:
Thanks for your reply.

The W2k server is a standalone server which is used for
testing. No Active Directory is configured. I also
noticed, that when just using the RUN option [\\IP address
c$] and I get a login prompt, I also cannot logon. The
error I get is: Logon failure: the user has not been
granted the requested logon type at this computer.
When I login with a user locally, the same username and
password works. It seems like remote logon is somehow
disabled.

Thank you,
Jutta


-----Original Message-----
If the rras server is a domain computer make sure it still has connectivity to the
domain controller in that it can ping it by fully qualified domain name such as
dc1.mydomain.com. I would also run netdiag on it from the support tools on the
install cdrom in the support/tools folder where you will have to run the setup to
install them. Look for any failed tests such as dns, dc discovery, kerberos, or
domain membership/secure channel that would indicate a problem. Usually the problem
may be dns related in that domain members need to point to the domain controllers
only as their preferred dns server. There is also a
Click to expand...
security option that if changed
on the rras server that can cause a problem. Open Local Security Policy and go to
security settings/local policies/security options and make sure that the "effective"
setting for lan manager authentication level is NOT - "send ntlmv2 responses only -
refuse ntlm and lm". Setting to send ntlmv2 responses
Click to expand...
only is a good setting in a W2K
domain. --- Steve





.
Click to expand...
Click to expand...
 
S

Steven L Umbach

Even if the computer is not part of a domain the suggestion I made about checking lan
manger authentication level still is appropriate. Otherwise the error you mention
relates to a user not having the user right for logon locally. Open Local Security
Policy and go to security settings/local policies/user rights and make sure
administrators and users are in the "access this computer from the network" user
right and that there is no entry in the "deny access to this computer from the
network" as entries there will override the allow user rights. I would also enable
auditing of logon events on that server and then view the logs in Event Viewer
[system and security] which may show that the users are being denied access and for
what reason. --- Steve

http://www.microsoft.com/resources/...wsserv/2003/datacenter/proddocs/en-us/518.asp
-- security log events for logon events.


Jutta said:
Thanks for your reply.

The W2k server is a standalone server which is used for
testing. No Active Directory is configured. I also
noticed, that when just using the RUN option [\\IP address
c$] and I get a login prompt, I also cannot logon. The
error I get is: Logon failure: the user has not been
granted the requested logon type at this computer.
When I login with a user locally, the same username and
password works. It seems like remote logon is somehow
disabled.

Thank you,
Jutta


-----Original Message-----
If the rras server is a domain computer make sure it still has connectivity to the
domain controller in that it can ping it by fully qualified domain name such as
dc1.mydomain.com. I would also run netdiag on it from the support tools on the
install cdrom in the support/tools folder where you will have to run the setup to
install them. Look for any failed tests such as dns, dc discovery, kerberos, or
domain membership/secure channel that would indicate a problem. Usually the problem
may be dns related in that domain members need to point to the domain controllers
only as their preferred dns server. There is also a
Click to expand...
security option that if changed
on the rras server that can cause a problem. Open Local Security Policy and go to
security settings/local policies/security options and make sure that the "effective"
setting for lan manager authentication level is NOT - "send ntlmv2 responses only -
refuse ntlm and lm". Setting to send ntlmv2 responses
Click to expand...
only is a good setting in a W2K
domain. --- Steve





.
Click to expand...
Click to expand...
 
J

Jutta

Thank you Steven, the user rights setting in the Local
Security Policy did it. I don't know why this would have
been blank, since I didn't change it and all used to work
before. Nobody is really using this server other than for
outbound remote access?

Now my PPTP clients authenticate and connect, however my
routed connection from my R9100 Netopia router doesn't. It
authenticates but it seems to fail on IP, when I am trying
to establish the connection from the router. When I am
establishing the connection from the RAS server, all is
working and I can ping LAN to LAN.

Any thoughts on this one?

Thanks,
Jutta


-----Original Message-----
Even if the computer is not part of a domain the
Click to expand...
suggestion I made about checking lan
manger authentication level still is appropriate.
Click to expand...
Otherwise the error you mention
relates to a user not having the user right for logon locally. Open Local Security
Policy and go to security settings/local policies/user rights and make sure
administrators and users are in the "access this computer from the network" user
right and that there is no entry in the "deny access to this computer from the
network" as entries there will override the allow user rights. I would also enable
auditing of logon events on that server and then view the logs in Event Viewer
[system and security] which may show that the users are being denied access and for
what reason. --- Steve

http://www.microsoft.com/resources/documentation/WindowsSe rv/2003/datacenter/proddocs/en-us/Default.asp?
url=/resources/documentation/windowsserv/2003/datacenter/pr
oddocs/en-us/518.asp
-- security log events for logon events.


Jutta said:
Thanks for your reply.

The W2k server is a standalone server which is used for
testing. No Active Directory is configured. I also
noticed, that when just using the RUN option [\\IP address
c$] and I get a login prompt, I also cannot logon. The
error I get is: Logon failure: the user has not been
granted the requested logon type at this computer.
When I login with a user locally, the same username and
password works. It seems like remote logon is somehow
disabled.

Thank you,
Jutta


-----Original Message-----
If the rras server is a domain computer make sure it still has connectivity to the
domain controller in that it can ping it by fully qualified domain name such as
dc1.mydomain.com. I would also run netdiag on it from
Click to expand...
the
support tools on the
install cdrom in the support/tools folder where you
Click to expand...
will
have to run the setup to
install them. Look for any failed tests such as dns, dc discovery, kerberos, or
domain membership/secure channel that would indicate a problem. Usually the problem
may be dns related in that domain members need to point to the domain controllers
only as their preferred dns server. There is also a
Click to expand...
security option that if changed
on the rras server that can cause a problem. Open Local Security Policy and go to
security settings/local policies/security options and make sure that the "effective"
setting for lan manager authentication level is NOT - "send ntlmv2 responses only -
refuse ntlm and lm". Setting to send ntlmv2 responses
Click to expand...
only is a good setting in a W2K
domain. --- Steve


Hi,

I have a W2k-svr configured for VPN using RAS. I used to
be able to make PPTP connections, but all of a sudden all
my users get an error message:

Error 691: Access was denied because the username and/or
password was invalid on the domain

I retyped all passwords, but it still fails.

I don't even know where to start looking?

Thanks for any advice.
Jutta




.
Click to expand...
Click to expand...


.
Click to expand...
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

W2K Svr - replication problem - NTDS KCC 1311 2
Error 691 - Can't authenticate 2
W2K Svr - replication problem - NTDS KCC 1311 4
new user not connecting to vpn 1
RAS Access across domains 1
VPN PPTP ERROR 930 USING DOMAIN USER 1
RAS users unable to authenticate to domain 2
Wierd VPN issue. 1

Top