Windows 98 Gets Error 649: No Dial in Permission when using RAS into Windows 2003 Server running RRAS using IAS for Radius Authentication

Posted on 2005-04-08
Medium Priority
Last Modified: 2008-01-09
We have recently upgraded our RAS server from Windows 2000 to Windows 2003. Since then, Windows 98 clients trying to dial in get Error 649: You do not have dial in permission. Windows XP computers (the same user) can get in just fine.

We have an NT4 domain server and in User Manager for Domains - the user has dial in permission. We use IAS for our Radius server - this was recently set up by another member of IT.

On the Windows 2003 RAS server - I see the error:
Event ID: 20078
The account connected on com port 3 does not have Remote Access Privilege. The line has been disconnected.

Question by: KarmakIT

Expert Comment

ID: 13740773
From Microsoft:
This behavior can occur if the user name is the same as the domain name. A change was made to the Windows NT 4.0 Service Pack 4 version of the Rassapi.dll file that prevents a user with the same name as the domain from being validated properly.


Expert Comment

ID: 13740802
Check your remote access policies in RRAS on your 2003 server.  Obtain the properties of the policy (or policies) and click EDIT.  You can [and probably have] set up rules regarding remote access.

Even if your user has "allow remote access" checked off, your RRAS server policy has to also allow the user in.  Perhaps there's a rule in place on RRAS that is keeping the Win98 client out.


Expert Comment

ID: 13740807
Also from Microsoft:
When a Microsoft Windows 2000 Server is configured as a Point-to-Point Tunneling Protocol (PPTP) server and PPTP clients from either Microsoft Windows NT, Windows 2000, or Windows 95 or 98 try to establish a PPTP session, they receive the following error message:
Error 649
Login failed: username, password, or domain was incorrect.
The Windows 2000 PPTP Server logs the following error message:
Event ID 20078
The account for user \username connected on port VPN3-127 does not have Remote Access privilege. The line has been disconnected.

Event ID 20189
The user Administrator connected from x.x.x.x but failed an authentication attempt due to the following reason: The user tried to connect using an unauthorized dial-in media.


To resolve this behavior, follow these steps:
1. Start the Routing and Remote Access administrative tool.
2. Expand the options under your Remote Access Service (RAS) server's name.
3. Click Remote Access Policies, and then right-click and go to Properties on the default policy called Allow access if dial-in permission is enabled.
4. Click Edit Profile.
5. On the Dial-in Constraints tab, do one of the following:
   • Clear the Restrict Dial-in Media option.
   • Select Restrict Dial-in Media, and then select Ethernet and VPN from the list of options available.
6. Click Apply, and then click OK.

Accepted Solution

sciwriter earned 2000 total points
ID: 13742164
Well, MS is doing the double-dance on this one. It is one of the greatest problems with 2003 server -- the dropping of 98 and NT support, and you can believe, by Gates, it was intentionally deliberate. They simply don't want to support NT4 and 98 any more, costs them too much "money", and just think how much more "money" they can make, if they force you to upgrade those NT4 servers and 98 clients to 2003 and XP. It is a calculated marketing ploy, in fact, I know that for a fact, MS has even admitted it.

So, how to fix it?  The classic MS solution?  Everything that was going through the NT4 server for logins now needs to be done through the 2003 server -- that is the root of the problem.  OK, that dispenses with the NT4 server, another 2003 license sold, more "money".  Now the 98 WSs need fixing too, because as members of the NT4 domain, they have typical 98-NT protocols installed.  This one is a little easier to solve.  You can set the 98 systems to get a RAS privilege login directly to the 2003 server, as long as they are running MS Client, TCP/IP, and are listed in the AD registry, or have valid login accounts.  So they can be fixed, but the 98 login through the NT4, then going to 2003 cannot.  You have to break that chain.

Author Comment

ID: 13745187
Everything looked ok on the Remote Access Policies on our Microsoft Radius server (which is where it is instead of RRAS). Also, note we have an NT4 domain instead of AD - we are updating in about a month finally. Kept digging and found that Windows 98 SE and Windows ME could dial in ok - problem was limited to Windows 98 first edition. I remembered a Windows DUN update from 3 years ago and went looking again and found it. The DUN 1.4 update fixed it! The KB is 285189 and the link is http://support.microsoft.com/default.aspx?scid=kb;en-us;285189.

Thanks for everyone's help!

Expert Comment

ID: 13747993
Thanks.  I do recall the DUN updates from (what seems) a long time ago.

