Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Trouble setting up windows xp vpn server

Posted on 2006-11-19
Medium Priority
Last Modified: 2008-01-09
I am having problems setting up a windows xp vpn server.  I followed the directions at http://www.windowsdevcenter.com/pub/a/windows/2004/03/09/vpn_connection.html but when i try to connect it is failing saying "Windows was unable to connect to the network using the user name and password you provided.  Please re-enter the user name and password."

On the server the windows system log has an warning entry (yellow triangle) for each time i attempt to connect that says "The user vpn connected from xx.xxx.xxx.xxx but failed an authentication attempt due to the following reason: There was an authentication failure because of an unknown user name or a bad password."

That was the message i got when i left the domain field blank.  I added the computer name in the domain box and got the following log entry (warning):

"The user MYHOMECOMPUTER\vpn connected from xx.xxx.xxx.xxx but failed an authentication attempt due to the following reason: There was an authentication failure because of an unknown user name or a bad password."

Next i tried putting in the ip instead of the computer name and i got
"The user nn.nnn.nnn.nnn\vpn connected from xx.xxx.xxx.xxx but failed an authentication attempt due to the following reason: The current configuration of the Internet Authentication Service (IAS) server only supports local user accounts."

(by the way, nn.nnn.nnn.nnn represents the ip of the computer i am trying to vpn to and xx.xxx.xxx.xxx represents my ip).

I tried VPNing from the server to the server and that produced the same errors about bad username and/or password (not sure if this would work anyway).

Caps lock is not on, i know i am typing the correct passwords.  I know this because i reset the "vpn" user's password to 1 letter.

Also, I can remote desktop to this computer over the internet.

Does anyone have an idea for how to make this work?
Question by:dave4dl
  • 6
  • 5
LVL 78

Expert Comment

by:Rob Williams
ID: 17976753
Have a look at the following link, it has a few more steps, including configuring the VPN client IP.
Server set up:
Client set up:

You have forwarded port 1723 on your router (assuming you have one) to the VPN server, and enable PPTP pass-through ?
I assume so, based on the error you are getting.

I assume it is a valid account you are using, and it will not allow a blank password. If the VPN server is a workstation rather than a server/domain, you shouldn't need to add the computer or IP to the logon name.

What error number do you get wen the connection fails, such as 800, 691, 721 ?
LVL 57

Expert Comment

ID: 17976779
Just to make sure, the user ID you are specifying is a local account on the VPN sever, right?  

That is, it is not a domain account and it is not a local account on your home computer.
LVL 15

Author Comment

ID: 17976784
I have cable internet so i only use a very simple cable modem (which allows for nearly no configuration, no port forwarding, no pptp pass-through).  The server is not part of a domain (and neither is the client).

it is a valid account i am using.  I have also tried to use the administrator account and i get the same error message.

I don't get an error number when it fails, just a dialog box saying "Windows was unable to connect to the network using the user name and password you provided.  Please re-enter the user name and password."  Then a sentence about how the domain is optional, then three text boxes that let me enter in the username, password, and domain.  Buttons are "Ok" and "Cancel".  If i try retyping the info and submitting i get the same dialog flashing up immediately.

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 15

Author Comment

ID: 17976790
yeah, it is an account on the vpn server.  I can see it when i go to computer management, users and groups.  I set it up through the vpn server setup wizard (when you have the option to "Add a user" while defining who has access to the vpn).
LVL 78

Expert Comment

by:Rob Williams
ID: 17976800
Are you connecting from another site? You cannot test this from the same site, at least not using the public IP. You are using the correct public IP too, I assume. To check, from the VPN server go to http://www.whatismyip.com  That is the IP to which you will want to connect from another site.

Did you walk through the configuration shown in the links above?
LVL 15

Author Comment

ID: 17976847
The public IP from that website is the same as the ip my NIC on the server gets (checked with ipconfig) which is the ip i am trying to connect to (that site is great tool for tech support by the way, i will have to remember it).

I actually did use those links when i set up my vpn server so i have followed those instructions.  The only deviation i took was to use dhcp to assign IPs on the server.  Since it isn't even getting to that point in the progression of things i can safely say that that setting isnt causing my current problem.

by the way, i really appreciate your help here.
LVL 15

Author Comment

ID: 17976857
Oh yeah, i am connecting from another site (different class A subnet)
LVL 78

Expert Comment

by:Rob Williams
ID: 17976970
>>"(different class A subnet)"
Good, sorry forgot to mention that.

>>"The only deviation i took was to use dhcp to assign IPs on the server."
If you are refering to the VPN server set up part, I don't think you can use DHCP. XP doesn't have a built in DHCP server, and there is no DHCP relay agent option to use another device like a router, though it may work with APIPA (Automatic Private IP Addressing ) and assign it a address. However the client needs to be assigned an address before it will truly get to the authentication stage. I wonder if it is worth a try. Must say I am more familiar with troubleshooting this on a true server with RRAS, but anxious to hear what the actual problem is.

Another thing to consider is the client end. What type of equipment is it behind?
Had a VPN problem the other day that was actually GRE protocol being blocked, but was hanging on verifying user name and password.
LVL 15

Author Comment

ID: 17977077
I have gotten this to work on other computers in the past so I know dhcp works in at least some certain circumstances (with no additional configuration).

I tried putting in all the inputs exactly as they are on http://www.onecomputerguy.com/networking/xp_vpn_server.htm (including the TCP/IP settings) but the error persists.  Is there some sort of tool i can use to identify the real cause for this failure?  Maybe GRE is being blocked by my isp or something (although that would be kind of weird).  The vpn client comes back pretty fast (under 1 second) saying bad username/password so i am guessing that it isn't that some protocol is being blocked (otherwise it would time out and take a while).

I guess i could capture all the inputs and outputs with winpcap/ethereal but I wouldn't know what that should look like so i couldn't diagnose the problem.

It's too bad i can't get a better error message because the username is not unknown and the password is not incorrect.

Another data point:  I can vpn to work with no trouble using the windows vpn client from my client machine (setting up my client vpn connection exactly the same way).
LVL 78

Accepted Solution

Rob Williams earned 2000 total points
ID: 17978411
If you can VPN to work, you are right the client site is fine.
The only "tools" I know of are to test if the port, 1723, is open and to verify GRE is being forwarded:
To verify PPTP, port 1723, is open/forwarded, from the VPN server go to the following site and test for port 1723:

Assuming that is working correctly, Microsoft has a pair of test tools pptpsrv and pptpclnt, to test for GRE pass-through, which are available as part of the Windows resource kit or from:

Log onto the client or VPN server machine and connect to the other with remote desktop, or a similar remote management tool. At a command line on the client machine, run pptpclnt and on the server run pptpsrv. The client machine will send a set of GRE packets to the server and it should show as received if GRE is able to pass. The server is then supposed to respond and the client indicate received, but I have never had that part work. The one direction client to server is usually enough to test.

Following links outline the use of the test tools:
See VPN traffic:
LVL 15

Author Comment

ID: 18069510
I really appreciate all your help,

Thank you!
LVL 78

Expert Comment

by:Rob Williams
ID: 18070100
Thanks Dave. You are very welcome.
By the way one of the links above http://ww3.ns.sym........    doesn't appear to be working. You can get the "tools" as part of the resource kit at:

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've had to do a bit of research to setup my VPN connection so that Clients can access Windows Server 2008 network shares.  I have a Cisco ASA 5510 firewall.  I found an article which was extremely useful: It had a solution if you use ASDM to config…
Some of you may have heard that SonicWALL has finally released an app for iOS devices giving us long awaited connectivity for our iPhone's, iPod's, and iPad's. This guide is just a quick rundown on how to get up and running quickly using the app. …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses
Course of the Month10 days, 20 hours left to enroll

572 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question