Solved

VPN error 691 Access Denied

Posted on 2007-03-21
Last Modified: 2010-04-12
Hello Experts, I have a question. I am trying to set up a VPN. I am using an L2TP over IPSec connection (3Com firewall to remote user).
The error that I get is "691: Access Denied. User is not registered on domain."
I have 2003 SBS. I added a user to AD and made sure that the user has VPN Allow Access.
Firewall: created the L2TP over IPSec tunnel, set it up for a particular user, created a key.
User: Windows XP SP2 (this user is at a different location); entered the login, password and key.

Firewall can see the connection: Here is what I get from the firewall log:

Mar 20 11:51:24 localhost kernel: L2TP Server: Login for username atadm05 denied: no such user.
I think it has something to do with certificates, but I am not sure.
If you need more info, let me know.
Any help will be greatly appreciated. Thanks
Question by hw_tech
31 Comments
 
Expert Comment by NeilParbrook (ID: 18763382)
Are you using the server as the VPN server or the firewall?
 

Author Comment by hw_tech (ID: 18763430)
firewall
 
Expert Comment by jsvor (ID: 18763436)
What are you using for a firewall?
 

Author Comment by hw_tech (ID: 18763448)
3Com Office Connect VPN Firewall
 
Expert Comment by jsvor (ID: 18763485)
Are you seeing the error log on the server or on the firewall?
 
Expert Comment by NeilParbrook (ID: 18763503)
You say you added the user to the AD on the server.
Did you add the user to the firewall?
 

Author Comment by hw_tech (ID: 18763525)
Every time the remote user tries to connect to the VPN, he gets an error 691 Access Denied.
Mar 20 11:51:24 localhost kernel: L2TP Server: Login for username atadm05 denied: no such user. - I pulled it up from the firewall log.
Yes, I did add the user on the firewall as well.
 
Expert Comment by jsvor (ID: 18763545)
I'm not sure that the VPN fw will look to the AD for the users to authenticate them. You will probably have to add each user to the fw in order for them to connect in.
 

Author Comment by hw_tech (ID: 18763591)
But I added the atadm05 user to the fw, and it is not giving access.
 
Expert Comment by NeilParbrook (ID: 18763622)
Do you have other known working tunnels on the firewall?
 

Author Comment by hw_tech (ID: 18763670)
I tried IPSec before, but that was not successful. I couldn't even connect to the firewall. And L2TP is easier to configure.
 
Expert Comment by jsvor (ID: 18763757)
What are your clients using for an OS to connect in? XP, Vista?
 

Author Comment by hw_tech (ID: 18763772)
Windows XP SP2, Windows Firewall is OFF, I am using the Windows VPN connection.
 
Expert Comment by NeilParbrook (ID: 18763967)
Have you thought about letting the server do the work and passing through the port on the firewall?
 

Author Comment by hw_tech (ID: 18764016)
I am not sure how to do this. Could you please explain it more? Thanks
 

Author Comment by hw_tech (ID: 18764071)
I just read the instructions for my firewall and it states that "L2TP/IPSEC - Pass-through is not available to a computer on a LAN when IPSEC/L2TP Servers are enabled".
 
Expert Comment by NeilParbrook (ID: 18764088)
SBS 2003 has its own VPN server capabilities.

You could forward port 1723 on your firewall to your server's IP address, then run the remote connection wizard from the To Do list in the Server Management console. Then on the client use your WAN IP or domain name pointing to it to connect to the SBS server's built-in VPN. Users would have to have the Mobile User template to connect, so you may need to change their permissions. This uses Windows authentication. You can even download the Connection Manager from RWW.

Have a look at this:

http://www.microsoft.com/technet/prodtechnol/sbs/2003/support/2436fe9d-338d-47d6-98b6-ffe1eac534ba.mspx?mfr=true
 
Expert Comment by NeilParbrook (ID: 18764092)
That would be the case, as they will want to handle VPN access. Can you forward the port if you disable it?
 

Author Comment by hw_tech (ID: 18764650)
I did all the steps except the port forwarding on the firewall. Do I have to open the port first, or is it not required? Without opening the ports I get the same error.
 
Expert Comment by NeilParbrook (ID: 18764960)
What's the model number of the firewall?
 
Expert Comment by NeilParbrook (ID: 18765159)
The manual for an Office Connect firewall states that for VPN passthrough you need to add a virtual server to the firewall.

I have only had a quick glance, so I would suggest that you look at this carefully to avoid any problems with the firewall config, as you do not want to open the network by mistake.

Possibly it may be worth asking a question in the firewalls section of EE to get a better answer.
 

Author Comment by hw_tech (ID: 18765193)
The model number is 3CR870-95. Thanks for all your help.
 

Author Comment by hw_tech (ID: 18765584)
I was reading this article on Microsoft and it says that I need to deploy a certificate infrastructure because it is required for an L2TP VPN connection.
http://technet2.microsoft.com/WindowsServer/en/library/7159a5cd-530b-4b8f-b54a-9a8adfdeac1b1033.mspx?mfr=true
Any suggestions?
 
Expert Comment by NeilParbrook (ID: 18765792)
When you run the CIEW you will create the cert, as this is part of the process.
Then to connect to the SBS server you will need to install the cert on the client machine.
 

Author Comment by hw_tech (ID: 18765833)
How do I run the CIEW? And what is it?
 
Expert Comment by NeilParbrook (ID: 18765861)
You did say you had an SBS 2003 server, didn't you?

It's the Internet and email config wizard.
 

Author Comment by hw_tech (ID: 18766130)
I think the problem is that in the firewall settings the Address Pool for PPTP clients is entered wrong. It looks like the remote client can connect to the VPN firewall and the firewall is not letting the remote user pass through to the LAN. It just denies access.
The instructions say that this address pool must be within the firewall's LAN subnet and must not form part of the DHCP pool.
 
Accepted Solution by NeilParbrook, earned 500 total points (ID: 18766151)
What are you using for DHCP?
 

Author Comment by hw_tech (ID: 18767070)
The DHCP pool is 10.1.1.10 to 10.1.1.150, but the firewall LAN is 192.168.2.1-100. So they are in a different subnet.
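The two constraints quoted from the firewall manual (the VPN client pool must sit inside the firewall's LAN subnet and must not overlap the DHCP pool), plus the mismatch the poster just described, can be checked mechanically before touching the firewall. The script below is an added example and is not code from the thread or from 3Com; it assumes a /24 mask on the 192.168.2.x LAN, a firewall LAN address of 192.168.2.1 and a VPN pool of 192.168.2.200-210, none of which appear in the post. The DHCP scope 10.1.1.10-10.1.1.150 is the one the poster gave.

```python
"""Consistency check for a firewall's VPN client address pool.

Added example, not code from the original thread or from 3Com. It encodes
the rule quoted from the 3Com manual (the pool must be inside the
firewall's LAN subnet and must not overlap the DHCP pool) plus the extra
checks a practitioner would run before trusting the configuration.
"""
import ipaddress


def _parse_range(first, last):
    """Return an inclusive (first, last) pair of ip_address objects."""
    a = ipaddress.ip_address(first)
    b = ipaddress.ip_address(last)
    if b < a:
        raise ValueError(f"range end {last} precedes start {first}")
    return a, b


def _ranges_overlap(r1, r2):
    """Two inclusive ranges overlap iff each starts no later than the other ends."""
    return r1[0] <= r2[1] and r2[0] <= r1[1]


def check_vpn_pool(lan_network, firewall_lan_ip, dhcp_pool, vpn_pool):
    """Return a list of findings; an empty list means the pools are consistent.

    lan_network     - firewall LAN subnet in CIDR form, e.g. "192.168.2.0/24"
    firewall_lan_ip - the firewall's own LAN address
    dhcp_pool       - (first, last) of the DHCP scope handed to LAN clients
    vpn_pool        - (first, last) of the pool handed to PPTP/L2TP clients
    """
    lan = ipaddress.ip_network(lan_network, strict=True)
    fw_ip = ipaddress.ip_address(firewall_lan_ip)
    dhcp = _parse_range(*dhcp_pool)
    vpn = _parse_range(*vpn_pool)
    findings = []

    def fmt(r):
        return f"{r[0]}-{r[1]}"

    # 1. Manual requirement: the VPN pool lies inside the firewall LAN subnet.
    #    A contiguous range is inside iff both of its ends are.
    if not (vpn[0] in lan and vpn[1] in lan):
        findings.append(f"VPN pool {fmt(vpn)} is not inside LAN {lan}")

    # 2. The DHCP scope should be in the same subnet too; otherwise LAN hosts
    #    and VPN clients cannot reach each other without a router in between.
    if not (dhcp[0] in lan and dhcp[1] in lan):
        findings.append(f"DHCP pool {fmt(dhcp)} is not inside LAN {lan}")

    # 3. Manual requirement: the VPN pool must not overlap the DHCP scope,
    #    or a VPN client can be handed an address a LAN host already uses.
    if _ranges_overlap(vpn, dhcp):
        findings.append(f"VPN pool {fmt(vpn)} overlaps DHCP pool {fmt(dhcp)}")

    # 4. The pool must not hand out the firewall's own address or the
    #    subnet's network/broadcast address.
    reserved = (
        (fw_ip, "firewall LAN address"),
        (lan.network_address, "network address"),
        (lan.broadcast_address, "broadcast address"),
    )
    for addr, name in reserved:
        if vpn[0] <= addr <= vpn[1]:
            findings.append(f"VPN pool {fmt(vpn)} contains the {name} {addr}")

    return findings


if __name__ == "__main__":
    # Values from the thread: DHCP scope 10.1.1.10-10.1.1.150, firewall LAN
    # 192.168.2.x. The /24 mask, the firewall address 192.168.2.1 and the VPN
    # pool 192.168.2.200-210 are assumptions made for this demonstration.
    cases = (
        ("as posted", ("192.168.2.0/24", "192.168.2.1",
                       ("10.1.1.10", "10.1.1.150"),
                       ("192.168.2.200", "192.168.2.210"))),
        ("one subnet", ("192.168.2.0/24", "192.168.2.1",
                        ("192.168.2.10", "192.168.2.150"),
                        ("192.168.2.200", "192.168.2.210"))),
    )
    for label, args in cases:
        problems = check_vpn_pool(*args)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Run as posted, the only finding is that the DHCP scope 10.1.1.10-10.1.1.150 is not inside the 192.168.2.0/24 LAN, which is the mismatch the thread ends on; move the DHCP scope into the LAN subnet and the check comes back clean. The range checks compare only the two endpoints, which is sufficient because both pools are contiguous.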
 
Expert Comment by NeilParbrook (ID: 18768187)
Mate

You should use SBS for as much as possible, as this is how it is designed. That IP pool is way out for an SBS network; you should use 192.168.16.*** for the network, using SBS as the DHCP server. The more you let SBS do, the easier it is. How many machines are you using? At least make sure that you are using the same subnet etc. Follow the set-up instructions and you will do no harm. SBS is a 'My First Server' environment and is therefore easy to set up and use, but you must use the wizards, as this is how it is designed. Have you completed the 'To Do' list?

I don't mean to preach, but you should let the server do the work.

Let me know

Neil
 

Author Comment by hw_tech (ID: 18770600)
Thank you for all your help, NeilParbrook. Looks like that's where I should start.
