Windows 98 Gets Error 649: No Dial in Permission when using RAS into Windows 2003 Server running RRAS using IAS for Radius Authentication

Posted on 2005-04-08
Last Modified: 2008-01-09
We have recently upgraded our RAS server from Windows 2000 to Windows 2003. Since then, Windows 98 clients trying to dial in get Error:649 You do not have dial in permission. Windows XP computers(the same user) can get in just fine.

We have an NT4 domain server and in User Manger for Domains - the user has dial in permission.  We use IAS for our Radius server - this was recently setup by another member of IT.  

On the Windows 2003 RAS server - I see the error:
Event ID: 20078
The account connected on com port 3 does not have Remote Access Priviledge. The line has been disconnected.

Question by:KarmakIT
    LVL 3

    Expert Comment

    From Microsoft:
    This behavior can occur if the user name is the same as the domain name. A change was made to the Windows NT 4.0 Service Pack 4 version of the Rassapi.dll file that prevents a user with the same name as the domain from being validated properly.

    LVL 15

    Expert Comment

    Check your remote access policies in RRAS on your 2003 server.  Obtain the properties of the policy (or policies) and click EDIT.  You can [and probably have] set up rules regarding remote access.

    Even if your user has "allow remote access" checked off, your RRAS server policy has to also allow the user in.  Perhaps there's a rule in place on RRAS that is keeping the Win98 client out.

    LVL 3

    Expert Comment

    Also from Microsoft:
    When a Microsoft Windows 2000 Server is configured as a Point-to-Point Tunneling Protocol (PPTP) server and PPTP clients from either Microsoft Windows NT, Windows 2000, or Windows 95 or 98 try to establish a PPTP session, they receive the following error message:
    Error 649
    Login failed: username, password, or domain was incorrect.
    The Windows 2000 PPTP Server logs the following error message:
    Event ID 20078
    The account for user \username connected on port VPN3-127 does not have Remote Access privilege. The line has been disconnected.

    Event ID 20189
    The user Administrator connected from x.x.x.x but failed an authentication attempt due to the following reason: The user tried to connect using an unauthorized dial-in media.

     Back to the top

    To resolve this behavior, follow these steps: 1. Start the Routing and Remote Access administrative tool.
    2. Expand the options under your Remote Access Service (RAS) server's name.
    3. Click Remote Access Policies, and then right-click and go to Properties on the default policy called Allow access if dial-in permission is enabled.
    4. Click Edit Profile.
    5. On the Dial-in Constraints tab, do one of the following:

    • Clear the Restrict Dial-in Media option.

    • Select Restrict Dial-in Media, and then select Ethernet and VPN from the list of options available.
    6. Click Apply, and then click OK.
    LVL 23

    Accepted Solution

    Well, MS is doing the double-dance on this one.  It is one of the greatest problems with 2003 server -- the dropping of 98 and NT support, and you can believe, by Gates, it was intentionally deliberate.  They simply don't want to support NT4 and 98 any more, costs them too much "money", and just think how much more "money" they can make, if they force you to upgrade those NT4 servers and 98 clients to 2003 and XP.  It is calculated marketing ploy, in fact, I know that for a fact, MS has even admitted it.

    So, how to fix it?  The classic MS solution?  Everything that was going through the NT4 server for logins now needs to be done through the 2003 server -- that is the root of the problem.  OK, that dispenses with the NT4 server, another 2003 license sold, more "money".  Now the 98 WSs need fixing too, because as members of the NT4 domain, they have typical 98-NT protocols installed.  This one is a little easier to solve.  You can set the 98 systems to get a RAS privilege login directly to the 2003 server, as long as they are running MS Client, TCP/IP, and are listed in the AD registry, or have valid login accounts.  So they can be fixed, but the 98 login through the NT4, then going to 2003 cannot.  You have to break that chain.

    Author Comment

    Everything looked ok on the Remote Access Policies on our Microsoft Radius server (which is where it is instead of RRAS). Also, not we have a NT4 domain instead of AD - we are updating in about a month finally. Kept digging and found that Windows 98 SE and Windows ME could dial in ok - problem was limited to Windows 98 first edition. I remembered a Windows DUN update from 3 years ago and went looking again and found it. The DUN 1.4 update fixed it!  The KB is 285189 and the link is;en-us;285189.

    Thanks for everyone's help!
    LVL 15

    Expert Comment

    Thanks.  I do recall the DUN updates from (what seems) a long time ago.


    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    How to run any project with ease

    Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
    - Combine task lists, docs, spreadsheets, and chat in one
    - View and edit from mobile/offline
    - Cut down on emails

    What’s a web proxy server? A proxy server is a server that goes between clients and web servers, used in corporate to enforce corporate browsing policy and ensure security. Proxy servers are commonly used in three modes. A)    Forward proxy …
    Network ports are the threads that hold network communication together. They are an essential part of networking that can be easily ignore or misunderstood, my goals is to show those who don't have a strong network foundation how network ports opera…
    Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
    This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…

    760 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    12 Experts available now in Live!

    Get 1:1 Help Now