Solved

VPN error 691 Access Denied

Posted on 2007-03-21
31
1,306 Views
Last Modified: 2010-04-12
Hello Experts, I have a question. I am trying to set up the VPN. I am using L2TP over IPSec Connection (3Com Firewall to Remote User).
The error that I get is "691: Access Denied. User is not registered on domain."
I have 2003 SBS. I added a user to AD and made sure that the user has VPN Allow Access.
Firewall: created the L2TP over IPSec tunnel, set it up for a particular user, created a key.
User: Windows XP SP2 (this user is at a different location); entered the login, password and key.

Firewall can see the connection: Here is what I get from the firewall log:

Mar 20 11:51:24 localhost kernel: L2TP Server: Login for username atadm05 denied: no such user.
I think it has something to do with Certificates, but I am not sure
If you need more info let me know.
Any help will be greatly appreciated, Thanks
0
Question by:hw_tech
31 Comments
 
LVL 6

Expert Comment

by:NeilParbrook
ID: 18763382
Are you using the server as the VPN server or the firewall?
0
 

Author Comment

by:hw_tech
ID: 18763430
firewall
0
 
LVL 8

Expert Comment

by:jsvor
ID: 18763436
What are you using for a firewall?
0
 

Author Comment

by:hw_tech
ID: 18763448
3Com Office Connect VPN Firewall
0
 
LVL 8

Expert Comment

by:jsvor
ID: 18763485
Are you seeing the error log on the server or on the firewall?
0
 
LVL 6

Expert Comment

by:NeilParbrook
ID: 18763503
You say you added the user to the AD on the server.
Did you add the user to the firewall?
0
 

Author Comment

by:hw_tech
ID: 18763525
Every time the remote user tries to connect to the VPN, he gets an error 691 Access Denied.
Mar 20 11:51:24 localhost kernel: L2TP Server: Login for username atadm05 denied: no such user. - I pulled it up from firewall log.
Yes I did add the user on firewall as well.
0
 
LVL 8

Expert Comment

by:jsvor
ID: 18763545
I'm not sure that VPN fw will look to the AD for the users to authenticate them.  You will probably have to add each user to the fw in order for them to connect in.
0
 

Author Comment

by:hw_tech
ID: 18763591
But I added atadm05 user for fw, and it is not giving access
0
 
LVL 6

Expert Comment

by:NeilParbrook
ID: 18763622
Do you have other known working tunnels on the firewall?
0
 

Author Comment

by:hw_tech
ID: 18763670
I tried IPSec before, but that was not successful. I couldn't even connect to firewall. And L2TP is easier to configure.
0
 
LVL 8

Expert Comment

by:jsvor
ID: 18763757
What are your clients using for an OS to connect in? XP, Vista?
0
 

Author Comment

by:hw_tech
ID: 18763772
Windows XP SP2, Windows firewall is OFF, I am using Windows VPN connection
0
 
LVL 6

Expert Comment

by:NeilParbrook
ID: 18763967
Have you thought about letting the server do the work and passing through the port on the firewall?
0
 

Author Comment

by:hw_tech
ID: 18764016
I am not sure how to do this. Could you please explain it more? Thanks
0
 

Author Comment

by:hw_tech
ID: 18764071
I just read the instructions for my firewall and it states that "L2TP/IPSEC - Pass-through is not available to a computer on a LAN when IPSEC/L2TP Servers are enabled"
0
 
LVL 6

Expert Comment

by:NeilParbrook
ID: 18764088
SBS 2003 has its own VPN server capabilities.

You could forward port 1723 on your firewall to your server's IP address. Then, after running the remote connection wizard from the To Do list in the server management console, on the client use your WAN IP or a domain name pointing to it to connect to the SBS server's built-in VPN.  Users would have to have the mobile user template to connect, so you may need to change their permissions.  This uses Windows authentication.  You can even download the connection manager from RWW.

Have a look at this

http://www.microsoft.com/technet/prodtechnol/sbs/2003/support/2436fe9d-338d-47d6-98b6-ffe1eac534ba.mspx?mfr=true
0
 
LVL 6

Expert Comment

by:NeilParbrook
ID: 18764092
That would be the case as they will want to handle VPN access.  Can you forward the port if you disable it?
0
 

Author Comment

by:hw_tech
ID: 18764650
I did all the steps except the port forwarding on the firewall. Do I have to open the port first, or is it not required? Without opening the ports I get the same error.
0
 
LVL 6

Expert Comment

by:NeilParbrook
ID: 18764960
What's the model number of the firewall?
0
 
LVL 6

Expert Comment

by:NeilParbrook
ID: 18765159
The manual for an office connect firewall states that for VPN passthrough you need to add a virtual server to the firewall.  

I have only had a quick glance so I would suggest that you look at this carefully to avoid any problems with firewall config as you do not want to open the network by mistake.  

Possibly it may be worth asking a question in the firewalls section of EE to get a better answer.
0
 

Author Comment

by:hw_tech
ID: 18765193
the model number is 3CR870-95. Thanks for all your help
0
 

Author Comment

by:hw_tech
ID: 18765584
I was reading this article in microsoft and it says that I need to deploy a certificate infrastructure because it is required for L2TP VPN connection.
http://technet2.microsoft.com/WindowsServer/en/library/7159a5cd-530b-4b8f-b54a-9a8adfdeac1b1033.mspx?mfr=true
any suggestions?
0
 
LVL 6

Expert Comment

by:NeilParbrook
ID: 18765792
When you run the CIEW you will create the cert, as this is part of the process.
Then to connect to the SBS server you will need to install the cert on the client machine.
0
 

Author Comment

by:hw_tech
ID: 18765833
How do I run the CIEW, and what is it?
0
 
LVL 6

Expert Comment

by:NeilParbrook
ID: 18765861
You did say you had a sbs2003 server didn't you?

It's the Internet and email config wizard.
0
 

Author Comment

by:hw_tech
ID: 18766130
I think the problem is that in the firewall settings the Address Pool for PPTP clients is entered wrong. Looks like the remote client can connect to the VPN firewall and the firewall is not letting the remote user pass through to the LAN. It is just denying access.
The instructions say that this address pool must be within the firewall's LAN subnet and must not form part of the DHCP pool.
0
 
LVL 6

Accepted Solution

by:
NeilParbrook earned 500 total points
ID: 18766151
What are you using for DHCP?
0
 

Author Comment

by:hw_tech
ID: 18767070
The DHCP pool is 10.1.1.10 to 10.1.1.150, but the firewall LAN is 192.168.2.1-100. So they are in a different subnet.
0
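The address-pool rule quoted from the firewall instructions above (client pool inside the firewall's LAN subnet, outside the DHCP pool) can be checked mechanically. The following is an added example, not part of the original thread or the 3Com documentation; the /24 mask and every VPN pool value are constructed assumptions, while the DHCP range is the one given in the thread.

```python
import ipaddress

def ip_range(first, last):
    """Parse an inclusive address range and reject a reversed one."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError(f"range start {lo} is after end {hi}")
    return lo, hi

def check_vpn_pool(lan_cidr, dhcp_range, vpn_range):
    """Return a list of problems found with a VPN client address pool.

    Rules taken from the firewall instructions quoted in the thread:
      1. the client pool must lie within the firewall's LAN subnet
      2. the client pool must not form part of the DHCP pool
    A third check flags a DHCP pool that is itself outside the LAN
    subnet, which is the mismatch the thread describes.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    dhcp_lo, dhcp_hi = ip_range(*dhcp_range)
    vpn_lo, vpn_hi = ip_range(*vpn_range)
    problems = []
    # A contiguous range is inside the subnet iff both endpoints are.
    if vpn_lo not in lan or vpn_hi not in lan:
        problems.append("vpn pool outside LAN subnet")
    # Two inclusive ranges overlap iff each starts before the other ends.
    if vpn_lo <= dhcp_hi and dhcp_lo <= vpn_hi:
        problems.append("vpn pool overlaps DHCP pool")
    if dhcp_lo not in lan or dhcp_hi not in lan:
        problems.append("DHCP pool outside LAN subnet")
    return problems

# Firewall LAN from the thread (192.168.2.x); the /24 mask is an assumption.
LAN_ASSUMED = "192.168.2.0/24"
# DHCP pool exactly as stated in the thread.
DHCP_FROM_THREAD = ("10.1.1.10", "10.1.1.150")
# Constructed VPN client pool; the thread never states the real one.
VPN_POOL_SAMPLE = ("192.168.2.200", "192.168.2.210")

if __name__ == "__main__":
    for issue in check_vpn_pool(LAN_ASSUMED, DHCP_FROM_THREAD, VPN_POOL_SAMPLE):
        print("problem:", issue)
```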
 
LVL 6

Expert Comment

by:NeilParbrook
ID: 18768187
Mate

You should use SBS for as much as possible as this is how it is designed.  That IP pool is way out for an SBS network; you should use 192.168.16.*** for the network, using SBS as the DHCP server.  The more you let SBS do, the easier it is.  How many machines are you using?  At least make sure that you are using the same subnet etc.    Follow the setup instructions and you will do no harm.  SBS is a 'My First Server' environment and therefore is easy to set up and use, but you must use the wizards as this is how it is designed.  Have you completed the 'To Do' list?

I don't mean to preach but you should let the server do the work.

Let me know

Neil
0
 

Author Comment

by:hw_tech
ID: 18770600
Thank you for all your help NeilParbrook. Looks like that's where I should start.
0

Question has a verified solution.
