VPN RRAS and ISA problem



Any advice would be appreciated.with this issue.

I am trying to setup VPN Server on my ISA standalone version box to grant
clients using PPTP, and get Event ID 20189.

The user <domain\user> connected from <ip address> but failed an
authentication attempt due to the following reason: <error description> .
The only reference is can find is Q26640 but i dont have any
Dial-In-Contraints set.in the RRAS policy.
I know the user name and password are correct , its my account im trying to
log in under. I know its recognising my account because it locks the account
after 6 attempts re Group Policy. Plus the usual events 529 681 for bad
username and password.etc

My perimeter consists of

ADSL Internet Router/Firewall
Hardware Firewall
DMZ Segment 17.16.x.x
| (Testing client here in DMZ)
ISA Server patched up to date

ISA External Interface -
ISA Internal Interface -

Anyway im trying to troubleshoot this by connecting the client in the DMZ
segment with an IP of gateway, and using PPTP as a
convenience to troubleshoot.
RRAS Policy has PPTP Ports with Dial-In-only selected, Address allocation is
done by a static pool.
Also the ISA server though a member server is a member of the IAS security
group, though im using Windows Authentication..
RRAS Logging generates messages with every attempt in the RRAS logs as well,
so it appears access through ISA isnt the problem.
Oh also i have AD Users and Comp Dial in setting to allow Policy to define
dial in access
The client is XP SP1

Any help would be appreciated this almost seems like a bug.

Mike Hartnett MCSE

Michael Johnston [MSFT]

Verify that the Everyone group is listed in the "Access this computer from the network" policy on the DC as well as the VPN

Thank you,
Mike Johnston
Microsoft Network Support

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the
terms specified at

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from
which they originated.

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question