Win2K3 domain account connecting to Win2K VPN server in an NT4 dom

Guest

I have a Windows 2000 VPN server (running ISA 2000) that is a member of a
Windows NT 4.0 domain. I have set up a Windows 2003 Active Directory domain,
running in Native Mode, and I am testing migrating the Windows NT 4.0
accounts to the new domain. The problem is that when I migrate accounts
(with the ADMT) from NT4 to AD, those accounts can no longer be authenticated
by the VPN server. When I try to connect from the client, I receive the
following error:

Verifying username and password...
Error 930: The authentication server did not respond to authentication
request in a timely fashion.

On the VPN server, the following event is logged:

Event ID: 20073
Source: RemoteAccess
Description: The following error occurred in the Point to Point Protocol
module on port: VPN<##>, UserName: <ADDOMAIN\username>. The authentication
server did not respond to authentication requests in a timely fashion.

- In the AD domain, the Everyone group is a member of the Pre-Windows 2000
Compatible group.
- I have set up trusts in both directions between the domains, and have
verified that the trusts are functioning properly.
- The VPN server is configured to use Windows authentication, not RADIUS.
- Accounts in the NT4 domain are still able to authenticate. Accounts that
are able to authenticate to the VPN when they are in the NT4 domain lose
access when they are migrated to the AD domain, so that pretty much rules out
any issues with a mismatch in authentication protocols or configuration on
the user account’s Dial-In tab (although I did verify that dial-in access is
still allowed in the account properties after the migration).
- When the account is migrated, the user profile is also migrated, so the
configuration of the VPN connection must be correct (it was working when the
account was in the NT4 domain).
- The connection protocol is PPTP.
- Before anyone says anything about adding the ISA/VPN server’s account to
the RAS and IAS Servers group in the AD domain, remember that it’s the *user*
that is in the AD domain, whereas the server is in the NT4 domain (and
therefore cannot be added to a Domain Local group in the AD domain).

Based on what I’ve read, my configuration – an AD user connecting to a VPN
server in an NT4 domain using pass-through authentication – should work fine
as long as the Everyone group is in the Pre-Windows 2000 Compatible group in
the AD domain. What am I missing?
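As an added example (not part of the thread or of any Microsoft tooling), here is a PowerShell snippet that pulls RemoteAccess event 20073 from the VPN servers' System logs and breaks the timeouts down by account domain and user, so the "NT4 accounts work, migrated AD accounts time out" pattern can be confirmed from the server side rather than from client reports. The server names and the sample port, domain and user values are placeholders.

```powershell
# Added example: summarise RemoteAccess event 20073 ("authentication server
# did not respond") per account, using the description layout quoted in the
# post:  "... module on port: VPN<##>, UserName: <DOMAIN\username>. The ..."

function ConvertFrom-RasAuthTimeout {
    # Parse one event description into Port / Domain / User.
    # Returns nothing if the message does not follow the 20073 layout.
    param([Parameter(Mandatory=$true)][string]$Message)
    $pattern = 'port:\s*(?<Port>[^,]+),\s*UserName:\s*(?<Domain>[^\\\s]+)\\(?<User>\S+?)\.(?:\s|$)'
    if ($Message -match $pattern) {
        [pscustomobject]@{
            Port   = $Matches.Port.Trim()
            Domain = $Matches.Domain.ToUpperInvariant()   # normalise NT4DOM vs nt4dom
            User   = $Matches.User
        }
    }
}

function Get-RasAuthTimeoutSummary {
    # Read 20073 events from the System log of one or more RRAS/ISA servers
    # and count timeouts per domain\user, so the failing accounts can be
    # compared against the list of accounts migrated with ADMT.
    param(
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [datetime]$After = (Get-Date).AddDays(-1)
    )
    foreach ($server in $ComputerName) {
        Get-EventLog -ComputerName $server -LogName System -Source RemoteAccess -After $After |
            Where-Object { $_.EventID -eq 20073 } |
            ForEach-Object { ConvertFrom-RasAuthTimeout -Message $_.Message } |
            Where-Object { $_ } |
            Group-Object Domain, User |
            ForEach-Object {
                [pscustomobject]@{ Server = $server; Account = $_.Name; Timeouts = $_.Count }
            }
    }
}

# Offline check of the parser against a constructed message in the quoted
# layout (placeholder port/domain/user, not taken from any real server):
$sample = 'The following error occurred in the Point to Point Protocol module ' +
          'on port: VPN3-127, UserName: ADDOMAIN\jdoe. The authentication server ' +
          'did not respond to authentication requests in a timely fashion.'
ConvertFrom-RasAuthTimeout -Message $sample

# Live usage against both ISA/VPN servers (hostnames are placeholders):
# Get-RasAuthTimeoutSummary -ComputerName 'ISA-VPN1','ISA-VPN2' | Sort-Object Timeouts -Descending
```

If every account in the summary belongs to the AD domain while NT4 accounts never appear, the failure is tied to the migrated accounts' domain rather than to a particular server or user.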
 
Robert L [MS-MVP]

Re-configuring the RRAS may fix the problem, or check these troubleshooting tips:

VPN error code
Receiving VPN error 619 while connecting to a VPN via SBC ... VPN Error 930 -
The authentication server did not respond to authentication requests in a ...
www.chicagotech.net/vpnerrors.htm

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
 
Guest

Believe me, I've searched the MS KB and googled this error up and down, and
I've seen all the basic stuff. The suggestion made in the troubleshooting
tip you linked to is exactly what I was referring to in my last bullet point
- since the server is not in the AD domain, you can't add it to the AD
domain's RAS and IAS Servers group, which is a Domain Local group. Also,
there's really no reason why it would need to be in this group, since it's
not in the AD domain in the first place – it should authenticate AD accounts
using pass-through authentication, not by contacting the AD domain
controllers directly.

You're suggesting reconfiguring RRAS, but remember that RRAS is *not*
broken. NT4 accounts can still authenticate, and the server is currently
running, *in production*. The only thing that isn't working is that accounts
that are migrated to AD can no longer authenticate, even though the profile
has been migrated, and their VPN connection properties have not changed (yes,
I verified that my test accounts could connect to the VPN before migrating
them).

Furthermore, we actually have *two* ISA VPN servers (with VPNs configured
identically). They're both authenticating NT4 domain accounts, and they're
both rejecting AD domain accounts in exactly the same way, so that pretty
much rules out a server malfunction.
 
