Windows 98 Gets Error 649: No Dial in Permission when using RAS into Windows 2003 Server running RRAS using IAS for Radius Authentication

We have recently upgraded our RAS server from Windows 2000 to Windows 2003. Since then, Windows 98 clients trying to dial in get Error 649: You do not have dial in permission. Windows XP computers (the same user) can get in just fine.

We have an NT4 domain server and in User Manager for Domains - the user has dial in permission. We use IAS for our Radius server - this was recently set up by another member of IT.

On the Windows 2003 RAS server - I see the error:
Event ID: 20078
The account connected on com port 3 does not have Remote Access Priviledge. The line has been disconnected.

sciwriter Commented:
Well, MS is doing the double-dance on this one.  It is one of the greatest problems with 2003 server -- the dropping of 98 and NT support, and you can believe, by Gates, it was intentionally deliberate.  They simply don't want to support NT4 and 98 any more, costs them too much "money", and just think how much more "money" they can make, if they force you to upgrade those NT4 servers and 98 clients to 2003 and XP.  It is a calculated marketing ploy, in fact, I know that for a fact, MS has even admitted it.

So, how to fix it?  The classic MS solution?  Everything that was going through the NT4 server for logins now needs to be done through the 2003 server -- that is the root of the problem.  OK, that dispenses with the NT4 server, another 2003 license sold, more "money".  Now the 98 WSs need fixing too, because as members of the NT4 domain, they have typical 98-NT protocols installed.  This one is a little easier to solve.  You can set the 98 systems to get a RAS privilege login directly to the 2003 server, as long as they are running MS Client, TCP/IP, and are listed in the AD registry, or have valid login accounts.  So they can be fixed, but the 98 login through the NT4, then going to 2003 cannot.  You have to break that chain.
From Microsoft:
This behavior can occur if the user name is the same as the domain name. A change was made to the Windows NT 4.0 Service Pack 4 version of the Rassapi.dll file that prevents a user with the same name as the domain from being validated properly.

Check your remote access policies in RRAS on your 2003 server.  Obtain the properties of the policy (or policies) and click EDIT.  You can [and probably have] set up rules regarding remote access.

Even if your user has "allow remote access" checked off, your RRAS server policy has to also allow the user in.  Perhaps there's a rule in place on RRAS that is keeping the Win98 client out.

Also from Microsoft:
When a Microsoft Windows 2000 Server is configured as a Point-to-Point Tunneling Protocol (PPTP) server and PPTP clients from either Microsoft Windows NT, Windows 2000, or Windows 95 or 98 try to establish a PPTP session, they receive the following error message:
Error 649
Login failed: username, password, or domain was incorrect.
The Windows 2000 PPTP Server logs the following error message:
Event ID 20078
The account for user \username connected on port VPN3-127 does not have Remote Access privilege. The line has been disconnected.

Event ID 20189
The user Administrator connected from x.x.x.x but failed an authentication attempt due to the following reason: The user tried to connect using an unauthorized dial-in media.

To resolve this behavior, follow these steps:
1. Start the Routing and Remote Access administrative tool.
2. Expand the options under your Remote Access Service (RAS) server's name.
3. Click Remote Access Policies, and then right-click and go to Properties on the default policy called Allow access if dial-in permission is enabled.
4. Click Edit Profile.
5. On the Dial-in Constraints tab, do one of the following:
   • Clear the Restrict Dial-in Media option.
   • Select Restrict Dial-in Media, and then select Ethernet and VPN from the list of options available.
6. Click Apply, and then click OK.
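
The two event messages quoted above point at different checks, so it helps to separate them when reviewing a RAS server's log. The following is an added example, not part of the original posts or of Microsoft's article: a small Python triage over (event ID, message) pairs. The function names, cause labels and sample list are assumptions made for illustration; the message shapes are the ones quoted in this thread.

```python
import re

# Message shapes taken from the event texts quoted in this thread.
NO_PRIVILEGE = re.compile(
    r"The account(?: for user (?P<user>\S+))? connected on (?:port )?(?P<port>.+?) "
    r"does not have Remote Access privile?d?ge", re.I)
BAD_MEDIA = re.compile(
    r"The user (?P<user>\S+) connected from (?P<src>\S+) but failed an "
    r"authentication attempt .*unauthorized dial-in media", re.I)

# What each cause points at, per the advice given in the thread.
CHECKS = {
    "no-remote-access-privilege":
        "account dial-in permission and the remote access policy conditions",
    "dial-in-media-restricted":
        "Restrict Dial-in Media on the policy profile's Dial-in Constraints tab",
}

def classify(event_id, message):
    """Return (cause, user, where) for one RemoteAccess event, or None."""
    if event_id == 20078:
        m = NO_PRIVILEGE.search(message)
        if m:
            return ("no-remote-access-privilege",
                    m.group("user") or "(not logged)", m.group("port"))
    elif event_id == 20189:
        m = BAD_MEDIA.search(message)
        if m:
            return ("dial-in-media-restricted", m.group("user"), m.group("src"))
    return None

def triage(events):
    """Group (event_id, message) pairs by cause."""
    report = {}
    for event_id, message in events:
        hit = classify(event_id, message)
        if hit:
            report.setdefault(hit[0], []).append(hit[1:])
    return report

# Constructed sample, modelled on the messages quoted in the thread.
SAMPLE = [
    (20078, "The account connected on com port 3 does not have Remote Access Priviledge. The line has been disconnected."),
    (20078, r"The account for user \username connected on port VPN3-127 does not have Remote Access privilege. The line has been disconnected."),
    (20189, "The user Administrator connected from x.x.x.x but failed an authentication attempt due to the following reason: The user tried to connect using an unauthorized dial-in media."),
    (20050, "unrelated event"),
]

if __name__ == "__main__":
    for cause, hits in triage(SAMPLE).items():
        print(cause, "->", CHECKS[cause], hits)
```
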
KarmakIT (Author) Commented:
Everything looked ok on the Remote Access Policies on our Microsoft Radius server (which is where it is instead of RRAS). Also, note we have an NT4 domain instead of AD - we are updating in about a month finally. Kept digging and found that Windows 98 SE and Windows ME could dial in ok - problem was limited to Windows 98 first edition. I remembered a Windows DUN update from 3 years ago and went looking again and found it. The DUN 1.4 update fixed it!  The KB is 285189 and the link is;en-us;285189.

Thanks for everyone's help!
Thanks.  I do recall the DUN updates from (what seems) a long time ago.