VPN Verifying Username and Password

robertm

Here is the Setup:

Corporate Network:

Internet
|
|
Router/Firewall (Symantec 360R)
|
|
Windows 2003 RRAS VPN.

Internally the VPN works just fine. Externally it works for about half
of my users; the other half cannot connect. When they connect, the VPN
connects and then hangs on "Verifying username and password".

This started happening about two weeks ago. Prior to that everyone was
able to VPN in with no problems. There were no changes to the network;
this just started happening out of the blue. Any suggestions are
welcome.
 
TP

Same problem here..
Nothing in our network setup has changed.. the only thing that we've
been able to figure out is that if the client system is part of the
domain.. it no longer works. It's like GRE is no longer leaving the
client system anymore (at least that is what our sniffer is showing.)

Two side by side traces of systems that work and ones that do not work
are showing the same thing. The GRE portion of the PPTP setup is no
longer being initiated from the client.

any ideas anyone? Security update issue?
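
The trace comparison described in the post above (PPTP control traffic on TCP 1723 reaching the server, but no GRE leaving the client) can be automated. This is an added example, not part of the original thread; the addresses and packets are constructed and the function names are hypothetical.

```python
import socket
import struct

PPTP_CONTROL_PORT = 1723  # PPTP control channel (TCP)
IPPROTO_GRE = 47          # PPTP tunnel data is carried in GRE (IP protocol 47)

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) for a raw IPv4 packet, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        return None
    src = socket.inet_ntoa(pkt[12:16])
    dst = socket.inet_ntoa(pkt[16:20])
    return src, dst, pkt[9], pkt[ihl:]

def clients_missing_gre(packets, server_ip):
    """Clients that opened the PPTP control channel but never sent GRE."""
    control, gre = set(), set()
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is None or parsed[1] != server_ip:
            continue
        src, _, proto, payload = parsed
        if proto == socket.IPPROTO_TCP and len(payload) >= 4:
            dport = struct.unpack("!H", payload[2:4])[0]
            if dport == PPTP_CONTROL_PORT:
                control.add(src)
        elif proto == IPPROTO_GRE:
            gre.add(src)
    return sorted(control - gre)

def make_ipv4(src, dst, proto, payload=b""):
    """Build a minimal constructed IPv4 packet (checksum left at zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, socket.inet_aton(src),
                         socket.inet_aton(dst))
    return header + payload

# Constructed sample capture: documentation-range addresses, not real hosts.
SERVER = "203.0.113.10"
TCP_TO_1723 = struct.pack("!HH", 49152, PPTP_CONTROL_PORT) + b"\x00" * 16
SAMPLE = [
    make_ipv4("198.51.100.7", SERVER, 6, TCP_TO_1723),           # working client
    make_ipv4("198.51.100.7", SERVER, 47, b"\x30\x01\x88\x0b"),  # its GRE packet
    make_ipv4("198.51.100.9", SERVER, 6, TCP_TO_1723),           # control only
]

if __name__ == "__main__":
    print(clients_missing_gre(SAMPLE, SERVER))
```
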
 
robertm

I was just able to fix this problem on our network.

The problem is threefold.

1: Windows Security via Group Policy (for domains only)

"This problem may occur if certain Administrative Templates from the
Windows XP Security Guide were applied to the computer before Windows
XP SP2 was installed. The problem occurs because of a problem in some
of the security templates that were published as part of the Windows XP
Security Guide.

In Windows XP SP2, remote procedure call (RPC) runs using the NT
Authority\NetworkService account. The default security descriptor for
services in Windows XP SP2 gives Read access to the Authenticated Users
group, which includes the NT Authority\NetworkService account."

Fix: http://support.microsoft.com/kb/892199/en-us

2 (caused by problem 1): If the Windows firewall is turned on, make sure
port 1723 is open. If it is off, then start the firewall. If you cannot
start the firewall, refer to
http://support.microsoft.com/kb/892199/en-us


3: Even if the firewall is off, the firewall service in XP needs to be
running. The firewall server is what provides the GRE Encapsulation. So
if the firewall service is off then you can connect to the VPN server
but you can't talk with it.

GRE reference: http://support.microsoft.com/kb/241251/

4 (applies to bullet point 3): Because of the way PPTP is written you can
only connect client to PPTP server directly, not through a
router/firewall. That is where GRE comes in. It allows multiple IP
addresses to a single interface.

Bottom line:

If you are on a domain, make sure that the Windows Firewall/ICF Service
is up and running. Make sure that port 1723 on ALL firewalls is open
in both directions. Then make sure the user account is authorized by
RRAS Policy to connect remotely.

That should fix the VPN Problem.

Footnote:

To make sure this problem stayed fixed for remote users I had to create
a script to reset the Security Descriptor for ICF (Windows firewall
server SharedAccess), and place it in their startup folder so that when
they perform a cold boot detached from a DC they can still run the
script, and start ICF.

-Good Luck!
Robert
 
TP

You are a godsend!! This worked!!

I never would have thought that the Windows firewall service provides
the GRE Encapsulation for the laptop. We were getting quite the flack
from our users on this.

(Now I have to find out why the Windows firewall service broke...)
 
TP

I'm confused..

My home PC has Windows firewall service DISABLED and not running, yet I
can still connect to our VPN via PPTP. Why would this be?
 
TP

Here is what has fixed the problem for all of our systems:
1) Apply security class fix as described in method 1 in
http://support.microsoft.com/kb/892199/en-us
2) Start and stop the Windows firewall service. It must 'tickle'
something, because without this step the above does not work.

Hope this helps some folks with this one.. it caused us a lot of grief
for about 2 weeks...
 
