VPN Not authenticating

Jeff

I have set up a VPN connection to our network. The VPN
server sits on an ISA server and is not a domain
controller. If I VPN in with my user name and password and
our domain name I can connect with no problem (I am a
domain admin). I can see our internal network and access
all resources. I added another domain user to the VPN
group I set up (I have given this group access permissions
on the RAS server; right now this group is the only policy
I have), but when this user tries to authenticate it gives
me a 649 - You do not have dial-in permission. If I set
this user up as a local user on the VPN server and VPN in,
I can connect, but cannot access any domain resources
because I have to use the VPN server name as the logon
domain. There is no Dial-in tab in Active Directory Users
and Computers and I am controlling access by group policy.
The only thing I can possibly see is that my user name is
admin and on the VPN server there is a local user named
admin with administrator privileges, but again this is on
the local machine and I am able to log on and authenticate
on the domain.
Any ideas?
Thanks,
Jeff
 
Bill Grant

Your VPN server is not a domain controller, but is it a domain member?

If it is a standalone server, you will have to authenticate to its own
local SAM database. If it is a domain member, you can join it to the Domain
IAS and RAS Server group, and you can then authenticate to AD. The RRAS
server passes the authentication on to a DC (rather like RADIUS does to a
RADIUS server).
 
Jeff

It is a member of the IAS and RAS group.

 
Bill Grant

If you are authenticating to AD, the user will be granted or denied access
according to the remote access policy. To allow access based on membership
of a particular group, you need to add a new remote access policy (or modify
an existing policy) to allow access based on group membership, i.e. add the
condition <Windows-Groups matches "Group Name"> and select the "Grant
remote access permission" radio button.
 