KarmakIT

Windows 98 Gets Error 649: No Dial in Permission when using RAS into Windows 2003 Server running RRAS using IAS for Radius Authentication

We have recently upgraded our RAS server from Windows 2000 to Windows 2003. Since then, Windows 98 clients trying to dial in get Error 649: You do not have dial in permission. Windows XP computers (the same user) can get in just fine.

We have an NT4 domain server and in User Manager for Domains - the user has dial in permission. We use IAS for our Radius server - this was recently set up by another member of IT.

On the Windows 2003 RAS server - I see the error:
Event ID: 20078
The account connected on com port 3 does not have Remote Access Privilege. The line has been disconnected.



lifetech

From Microsoft:
This behavior can occur if the user name is the same as the domain name. A change was made to the Windows NT 4.0 Service Pack 4 version of the Rassapi.dll file that prevents a user with the same name as the domain from being validated properly.

Check your remote access policies in RRAS on your 2003 server.  Obtain the properties of the policy (or policies) and click EDIT.  You can [and probably have] set up rules regarding remote access.

Even if your user has "allow remote access" checked off, your RRAS server policy has to also allow the user in.  Perhaps there's a rule in place on RRAS that is keeping the Win98 client out.

-z-
Also from Microsoft:
When a Microsoft Windows 2000 Server is configured as a Point-to-Point Tunneling Protocol (PPTP) server and PPTP clients from either Microsoft Windows NT, Windows 2000, or Windows 95 or 98 try to establish a PPTP session, they receive the following error message:
Error 649
Login failed: username, password, or domain was incorrect.
The Windows 2000 PPTP Server logs the following error message:
Event ID 20078
The account for user \username connected on port VPN3-127 does not have Remote Access privilege. The line has been disconnected.

Event ID 20189
The user Administrator connected from x.x.x.x but failed an authentication attempt due to the following reason: The user tried to connect using an unauthorized dial-in media.


MORE INFORMATION
To resolve this behavior, follow these steps:
1. Start the Routing and Remote Access administrative tool.
2. Expand the options under your Remote Access Service (RAS) server's name.
3. Click Remote Access Policies, and then right-click and go to Properties on the default policy called Allow access if dial-in permission is enabled.
4. Click Edit Profile.
5. On the Dial-in Constraints tab, do one of the following:
   • Clear the Restrict Dial-in Media option.
   -or-
   • Select Restrict Dial-in Media, and then select Ethernet and VPN from the list of options available.
6. Click Apply, and then click OK.
ASKER CERTIFIED SOLUTION
sciwriter

KarmakIT

ASKER

Everything looked ok on the Remote Access Policies on our Microsoft Radius server (which is where it is instead of RRAS). Also, note we have an NT4 domain instead of AD - we are updating in about a month finally. Kept digging and found that Windows 98 SE and Windows ME could dial in ok - problem was limited to Windows 98 first edition. I remembered a Windows DUN update from 3 years ago and went looking again and found it. The DUN 1.4 update fixed it! The KB is 285189 and the link is http://support.microsoft.com/default.aspx?scid=kb;en-us;285189.

Thanks for everyone's help!

Thanks.  I do recall the DUN updates from (what seems) a long time ago.

-z-