RRAS won't authenticate VPN users

craig

Hi there,

I am trying to set up a dial-up PPTP VPN connection from an XP client to a
2003 server.
The VPN only has to get to the server as there is no inside LAN - therefore
I am using only one NIC.
There is no firewall involved at the moment and the server is connected
directly to the internet through a Conexant Hasbani DSL router - I have
opened port 1723 and mapped it to the internal IP address [& port 1723] I am
using for the server.

I have followed the instructions in 2003 help and have double checked the
access policy, user rights, and RRAS configurations.
The error I get in the event log on the server tells me that "The user has
connected and failed to authenticate on port VPN3-127. The line has been
disconnected."
The error at the client end is "error 691: Access was denied because the
user name and password was not valid on the domain"

I have tried changing the authentication protocols, i.e. from ms-chap v2 to
EAP and back again, and made sure the changes were reflected in the server
settings, the access policy and the client configuration - to no avail.

The server is not using Active Directory or IAS and clients have no problem
using Terminal Services or FTP with their accounts.
I'm stumped. Any help would be appreciated.

thanks all.
 
Wajihy [MSFT]

can you send us the trace logs:

configure the server for mschapv2
enable tracing: run "netsh ras set tr * en"
repro then post iassam log file from %windir%\tracing folder

thanks

--

This posting is provided "AS IS", with NO warranties and confers NO rights

Upcoming Event: Tech Chat about "Secure Wireless authentication using IAS,
PEAP and EAP"
on September 25th at 10AM PT
http://communities2.microsoft.com/home/chatroom.aspx?siteid=34000081
 
craig

thanks for the quick reply.

the log file is as follows:


[884] 09-15 12:08:11:248: NT-SAM Names handler received request with user
identity test.
[884] 09-15 12:08:11:248: Prepending default domain.
[884] 09-15 12:08:11:248: NameMapper::prependDefaultDomain
[884] 09-15 12:08:11:248: SAM-Account-Name is "BLADE\test".
[884] 09-15 12:08:11:248: NT-SAM Authentication handler received request for
BLADE\test.
[884] 09-15 12:08:11:248: Processing MS-CHAP v2 authentication.
[884] 09-15 12:08:11:258: LogonUser succeeded.
[884] 09-15 12:08:11:258: NT-SAM User Authorization handler received request
for BLADE\test.
[884] 09-15 12:08:11:258: Using NT5 local user parameters.
[884] 09-15 12:08:11:258: Using cached SAM connection to local account
domain.
[884] 09-15 12:08:11:258: Inserting attribute msNPAllowDialin.
[884] 09-15 12:08:11:258: Successfully retrieved per-user attributes.

seems odd that the log states user login successful yet the client still gets
the 691 error??
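
Added example, not part of any post in this thread: a Python script that rejoins the wrapped iassam trace lines posted above and reports how far the request got (account name, authentication protocol, whether LogonUser succeeded, whether per-user attributes were retrieved). The function names are illustrative, and the record format is inferred only from the lines quoted here.

```python
import re

# Sample input: the trace lines from the post above, embedded with the hard
# line wraps the posting client introduced.
SAMPLE_TRACE = r"""
[884] 09-15 12:08:11:248: NT-SAM Names handler received request with user
identity test.
[884] 09-15 12:08:11:248: Prepending default domain.
[884] 09-15 12:08:11:248: NameMapper::prependDefaultDomain
[884] 09-15 12:08:11:248: SAM-Account-Name is "BLADE\test".
[884] 09-15 12:08:11:248: NT-SAM Authentication handler received request for
BLADE\test.
[884] 09-15 12:08:11:248: Processing MS-CHAP v2 authentication.
[884] 09-15 12:08:11:258: LogonUser succeeded.
[884] 09-15 12:08:11:258: NT-SAM User Authorization handler received request
for BLADE\test.
[884] 09-15 12:08:11:258: Using NT5 local user parameters.
[884] 09-15 12:08:11:258: Using cached SAM connection to local account
domain.
[884] 09-15 12:08:11:258: Inserting attribute msNPAllowDialin.
[884] 09-15 12:08:11:258: Successfully retrieved per-user attributes.
"""

# "[thread] MM-DD HH:MM:SS:mmm: message", as seen in the lines above.
RECORD_RE = re.compile(r"^\[(\d+)\] (\d\d-\d\d) (\d\d:\d\d:\d\d:\d{3}): (.*)$")

def parse_trace(text):
    """Rejoin wrapped lines; return (thread_id, date, time, message) tuples."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RECORD_RE.match(line)
        if m:
            records.append(list(m.groups()))
        elif line and records:  # no timestamp prefix: continuation line
            records[-1][3] += " " + line
    return [tuple(r) for r in records]

def summarize(records):
    """Report how far the request got, using only markers present in the trace."""
    msgs = [r[3] for r in records]
    text = "\n".join(msgs)
    account = re.search(r'^SAM-Account-Name is "([^"]+)"', text, re.M)
    protocol = re.search(r"^Processing (.+) authentication\.$", text, re.M)
    return {
        "account": account.group(1) if account else None,
        "auth_protocol": protocol.group(1) if protocol else None,
        "logon_succeeded": "LogonUser succeeded." in msgs,
        "user_attributes_retrieved":
            "Successfully retrieved per-user attributes." in msgs,
    }

if __name__ == "__main__":
    for key, value in summarize(parse_trace(SAMPLE_TRACE)).items():
        print(f"{key}: {value}")
```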



 
Wajihy [MSFT]

the authentication phase is working. I think this might be an issue either
with the open ports (you did not open the GRE 47 port)

 
craig

right, I've come across the GRE 47 port issue in the past couple of days. As
of yet I am unsure whether the Lectron Conexant ADSL router actually supports
it, as the only settings for protocols are TCP and UDP ports - & my
understanding so far is that GRE 47 is neither of these protocols. I have
searched the Lectron site on the above mentioned router details & there is no
mention of GRE 47 - I am assuming [perhaps wrongly] that GRE 47 is part of
the many RFCs they have mentioned that the router supports - I have kindly
emailed them.

I'm also thinking that perhaps I should try a L2TP VPN & see if that makes a
difference - my understanding of that so far is that I would just have to
open the L2TP ports and close the PPTP ports in the RRAS settings???


 
Bill Grant

L2TP is much more complicated than PPTP - I wouldn't attempt it unless
you are very familiar with IPSec and certificates.

And you may still have the same sorts of problems. As well as the ports
required, L2TP requires ESP for packet delivery (instead of GRE which PPTP
uses).

Does your router mention PPTP pass-through or VPN pass-through? Some
router manufacturers use these terms to indicate allowing GRE.
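
Added example, not part of any post in this thread: PPTP's control channel is TCP port 1723 while its data travels as GRE, which is IP protocol 47 and so cannot be expressed as a TCP or UDP port-forwarding rule; ESP is IP protocol 50. The Python below classifies raw IPv4 packets (for instance from a capture taken on the server) into those legs and reports whether only the control channel is arriving. The packet bytes are constructed samples and the function names are illustrative.

```python
import struct
from collections import Counter

PPTP_TCP_PORT = 1723       # control channel (the port forwarded in the thread)
IPPROTO_TCP, IPPROTO_GRE, IPPROTO_ESP = 6, 47, 50
GRE_PROTO_PPP = 0x880B     # protocol type PPTP puts in its GRE header (RFC 2637)

def classify(packet):
    """Name the VPN-relevant leg an IPv4 packet belongs to."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    proto, body = packet[9], packet[ihl:]
    if proto == IPPROTO_TCP and len(body) >= 4:
        sport, dport = struct.unpack("!HH", body[:4])
        return "pptp-control" if PPTP_TCP_PORT in (sport, dport) else "other-tcp"
    if proto == IPPROTO_GRE and len(body) >= 4:
        flags_ver, ptype = struct.unpack("!HH", body[:4])
        # PPTP uses GRE version 1 carrying PPP frames.
        if flags_ver & 0x7 == 1 and ptype == GRE_PROTO_PPP:
            return "pptp-data"
        return "other-gre"
    if proto == IPPROTO_ESP:
        return "esp"
    return f"ip-proto-{proto}"

def diagnose(packets):
    """Summarise which PPTP legs appear in a list of raw IPv4 packets."""
    seen = Counter(classify(p) for p in packets)
    if seen["pptp-control"] and not seen["pptp-data"]:
        return "control-only"        # TCP 1723 arrives, GRE does not
    if seen["pptp-control"] and seen["pptp-data"]:
        return "control-and-data"
    return "no-pptp"

def ipv4(proto, payload):
    """Constructed test packet: 20-byte IPv4 header (checksum 0) + payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, bytes([203, 0, 113, 10]),
                         bytes([192, 0, 2, 20]))
    return header + payload

# Constructed samples: a TCP segment to port 1723, and a PPTP GRE header
# (K and S flags set, version 1, protocol type 0x880B) with 4 payload bytes.
TCP_1723 = ipv4(IPPROTO_TCP, struct.pack("!HHII", 1045, 1723, 0, 0) + bytes(8))
GRE_PPTP = ipv4(IPPROTO_GRE,
                struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, 4, 1, 0) + bytes(4))

if __name__ == "__main__":
    print(diagnose([TCP_1723]))             # capture with only the control leg
    print(diagnose([TCP_1723, GRE_PPTP]))   # capture with both legs
```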

 
craig

oh, ok thanks for that advice - I'll keep trying with the PPTP.
No, the router does not appear to have any mention of PPTP pass-through or
VPN pass-through,
I have searched thoroughly for settings such as those and not found anything.

still stumped!! but still smiling.
