Solved

Trouble setting up Windows XP VPN server

Posted on 2006-11-19
Last Modified: 2008-01-09
I am having problems setting up a Windows XP VPN server.  I followed the directions at http://www.windowsdevcenter.com/pub/a/windows/2004/03/09/vpn_connection.html but when I try to connect it is failing saying "Windows was unable to connect to the network using the user name and password you provided.  Please re-enter the user name and password."

On the server the Windows system log has a warning entry (yellow triangle) for each time I attempt to connect that says "The user vpn connected from xx.xxx.xxx.xxx but failed an authentication attempt due to the following reason: There was an authentication failure because of an unknown user name or a bad password."

That was the message I got when I left the domain field blank.  I added the computer name in the domain box and got the following log entry (warning):

"The user MYHOMECOMPUTER\vpn connected from xx.xxx.xxx.xxx but failed an authentication attempt due to the following reason: There was an authentication failure because of an unknown user name or a bad password."

Next I tried putting in the IP instead of the computer name and I got
"The user nn.nnn.nnn.nnn\vpn connected from xx.xxx.xxx.xxx but failed an authentication attempt due to the following reason: The current configuration of the Internet Authentication Service (IAS) server only supports local user accounts."

(By the way, nn.nnn.nnn.nnn represents the IP of the computer I am trying to VPN to and xx.xxx.xxx.xxx represents my IP.)

I tried VPNing from the server to the server and that produced the same errors about bad username and/or password (not sure if this would work anyway).

Caps lock is not on, I know I am typing the correct passwords.  I know this because I reset the "vpn" user's password to 1 letter.

Also, I can remote desktop to this computer over the internet.

Does anyone have an idea for how to make this work?

Question by:dave4dl

Expert Comment

by:Rob Williams
Have a look at the following link, it has a few more steps, including configuring the VPN client IP.
Server set up:
http://www.onecomputerguy.com/networking/xp_vpn_server.htm
Client set up:
http://www.onecomputerguy.com/networking/xp_vpn.htm

You have forwarded port 1723 on your router (assuming you have one) to the VPN server, and enabled PPTP pass-through?
I assume so, based on the error you are getting.

I assume it is a valid account you are using, and it will not allow a blank password. If the VPN server is a workstation rather than a server/domain, you shouldn't need to add the computer or IP to the logon name.

What error number do you get when the connection fails, such as 800, 691, 721?

Expert Comment

by:giltjr
Just to make sure, the user ID you are specifying is a local account on the VPN server, right?

That is, it is not a domain account and it is not a local account on your home computer.

Author Comment

by:dave4dl
I have cable internet so I only use a very simple cable modem (which allows for nearly no configuration, no port forwarding, no PPTP pass-through).  The server is not part of a domain (and neither is the client).

It is a valid account I am using.  I have also tried to use the administrator account and I get the same error message.

I don't get an error number when it fails, just a dialog box saying "Windows was unable to connect to the network using the user name and password you provided.  Please re-enter the user name and password."  Then a sentence about how the domain is optional, then three text boxes that let me enter in the username, password, and domain.  Buttons are "Ok" and "Cancel".  If I try retyping the info and submitting I get the same dialog flashing up immediately.

Author Comment

by:dave4dl
Yeah, it is an account on the VPN server.  I can see it when I go to computer management, users and groups.  I set it up through the VPN server setup wizard (when you have the option to "Add a user" while defining who has access to the VPN).

Expert Comment

by:Rob Williams
Are you connecting from another site? You cannot test this from the same site, at least not using the public IP. You are using the correct public IP too, I assume. To check, from the VPN server go to http://www.whatismyip.com. That is the IP to which you will want to connect from another site.

Did you walk through the configuration shown in the links above?

Author Comment

by:dave4dl
The public IP from that website is the same as the IP my NIC on the server gets (checked with ipconfig) which is the IP I am trying to connect to (that site is a great tool for tech support by the way, I will have to remember it).

I actually did use those links when I set up my VPN server so I have followed those instructions.  The only deviation I took was to use DHCP to assign IPs on the server.  Since it isn't even getting to that point in the progression of things I can safely say that that setting isn't causing my current problem.

By the way, I really appreciate your help here.

Author Comment

by:dave4dl
Oh yeah, I am connecting from another site (different class A subnet).

Expert Comment

by:Rob Williams
>>"(different class A subnet)"
Good, sorry forgot to mention that.

>>"The only deviation i took was to use dhcp to assign IPs on the server."
If you are referring to the VPN server set up part, I don't think you can use DHCP. XP doesn't have a built-in DHCP server, and there is no DHCP relay agent option to use another device like a router, though it may work with APIPA (Automatic Private IP Addressing) and assign it a 169.254.0.0 address. However the client needs to be assigned an address before it will truly get to the authentication stage. I wonder if it is worth a try. Must say I am more familiar with troubleshooting this on a true server with RRAS, but anxious to hear what the actual problem is.

Another thing to consider is the client end. What type of equipment is it behind?
Had a VPN problem the other day that was actually GRE protocol being blocked, but was hanging on verifying user name and password.

Author Comment

by:dave4dl
I have gotten this to work on other computers in the past so I know DHCP works in at least some certain circumstances (with no additional configuration).

I tried putting in all the inputs exactly as they are on http://www.onecomputerguy.com/networking/xp_vpn_server.htm (including the TCP/IP settings) but the error persists.  Is there some sort of tool I can use to identify the real cause for this failure?  Maybe GRE is being blocked by my ISP or something (although that would be kind of weird).  The VPN client comes back pretty fast (under 1 second) saying bad username/password so I am guessing that it isn't that some protocol is being blocked (otherwise it would time out and take a while).

I guess I could capture all the inputs and outputs with WinPcap/Ethereal but I wouldn't know what that should look like so I couldn't diagnose the problem.

It's too bad I can't get a better error message because the username is not unknown and the password is not incorrect.

Another data point:  I can VPN to work with no trouble using the Windows VPN client from my client machine (setting up my client VPN connection exactly the same way).

Accepted Solution

by:Rob Williams
If you can VPN to work, you are right, the client site is fine.
The only "tools" I know of are to test if the port, 1723, is open and to verify GRE is being forwarded:
To verify PPTP, port 1723, is open/forwarded, from the VPN server go to the following site and test for port 1723:
http://www.canyouseeme.org

Assuming that is working correctly, Microsoft has a pair of test tools pptpsrv and pptpclnt, to test for GRE pass-through, which are available as part of the Windows resource kit or from:
http://www3.ns.sympatico.ca/malagash/Downloads/Net/

Log onto the client or VPN server machine and connect to the other with remote desktop, or a similar remote management tool. At a command line on the client machine, run pptpclnt and on the server run pptpsrv. The client machine will send a set of GRE packets to the server and it should show as received if GRE is able to pass. The server is then supposed to respond and the client indicate received, but I have never had that part work. The one direction client to server is usually enough to test.

The following links outline the use of the test tools:
http://www.howtonetworking.com/Tools/testgre.htm
See VPN traffic:
http://www.microsoft.com/technet/community/columns/cableguy/cg0105.mspx
0
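
On the question raised in the thread of what a capture of this exchange should look like, here is an added example (not part of the original posts) that decodes PPTP control messages on TCP 1723 and enhanced GRE packets (IP protocol 47) per RFC 2637 and reports how far a session got. It assumes a capture recorded on the VPN server and CHAP-family authentication; the function names, verdict strings and sample packets are constructed for illustration.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D  # magic cookie in every PPTP control message (RFC 2637)
CTRL = {1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
        7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply"}
PPP = {0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP", 0x8021: "IPCP"}
CHAP = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

def parse_control(tcp_payload):
    """Name a PPTP control message taken from the TCP port 1723 stream."""
    if len(tcp_payload) < 10:
        return None
    _len, msg_type, magic, ctrl_type = struct.unpack("!HHIH", tcp_payload[:10])
    ok = msg_type == 1 and magic == PPTP_MAGIC
    return CTRL.get(ctrl_type, "control-%d" % ctrl_type) if ok else None

def parse_gre(gre):
    """Name the PPP payload of an enhanced GRE packet (IP protocol 47)."""
    if len(gre) < 8:
        return None
    flags, proto, plen, _call_id = struct.unpack("!HHHH", gre[:8])
    if proto != 0x880B or (flags & 0x0007) != 1 or not (flags & 0x2000):
        return None  # not the GRE variant PPTP uses (version 1, key present)
    off = 8 + (4 if flags & 0x1000 else 0) + (4 if flags & 0x0080 else 0)  # skip seq/ack
    ppp = gre[off:off + plen]
    ppp = ppp[2:] if ppp[:2] == b"\xff\x03" else ppp  # drop address/control bytes
    if len(ppp) < 3:
        return "GRE-ack"
    name = PPP.get(struct.unpack("!H", ppp[:2])[0], "PPP-other")
    return name + " " + CHAP.get(ppp[2], "?") if name == "CHAP" else name

def diagnose(capture):
    """capture: (direction, ip_proto, payload) tuples recorded on the VPN server."""
    seen = [(d, parse_control(p) if proto == 6 else parse_gre(p)) for d, proto, p in capture]
    if ("in", "Start-Control-Connection-Request") not in seen:
        return "TCP 1723 is not reaching the server"
    if not any(d == "in" and proto == 47 and parse_gre(p) for d, proto, p in capture):
        return "control channel works, but GRE (protocol 47) is not reaching the server"
    if ("out", "CHAP Failure") in seen:
        return "TCP 1723 and GRE both pass; the server rejected the CHAP response"
    return "TCP 1723 and GRE both pass; no authentication failure seen"

# Constructed sample packets (header-only, not taken from the thread)
def ctrl_msg(t): return struct.pack("!HHIHH", 12, 1, PPTP_MAGIC, t, 0)
def gre_pkt(seq, ppp): return struct.pack("!HHHHI", 0x3001, 0x880B, len(ppp), 1, seq) + ppp
SAMPLE = [("in", 6, ctrl_msg(1)), ("out", 6, ctrl_msg(2)), ("in", 6, ctrl_msg(7)), ("out", 6, ctrl_msg(8)),
          ("in", 47, gre_pkt(0, b"\xff\x03\xc0\x21\x01\x01\x00\x04")),   # LCP
          ("out", 47, gre_pkt(0, b"\xff\x03\xc2\x23\x01\x01\x00\x04")),  # CHAP Challenge
          ("in", 47, gre_pkt(1, b"\xc2\x23\x02\x01\x00\x04")),           # CHAP Response
          ("out", 47, gre_pkt(1, b"\xc2\x23\x04\x01\x00\x04"))]          # CHAP Failure
```

Calling `diagnose(SAMPLE)` reports that both transports pass and the server rejected the CHAP response, which points at the account or authentication settings and not at a blocked port or protocol.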
 
Author Comment

by:dave4dl
I really appreciate all your help,

Thank you!

Expert Comment

by:Rob Williams
Thanks Dave. You are very welcome.
By the way, one of the links above http://ww3.ns.sym........ doesn't appear to be working. You can get the "tools" as part of the resource kit at:
http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=49ae8576-9bb9-4126-9761-ba8011fabf38&displaylang=en
Cheers,
--Rob