Solved

PPTP VPN Issue with Small Business Server 2003

Posted on 2009-04-01
Last Modified: 2012-05-06
I am currently running a Windows Small Business Server 2003. I have run the wizard for configuring the Internet connection. I have also run the wizard for remote access. I am not able to connect to the server using an account that has been added to the Mobile Users group. When I try to connect (internally and externally) I am receiving a 691 error message telling me that my username/password/domain are incorrect. I know that this information is correct as I am fully able to log into the domain otherwise. I have tried all sorts of possible solutions, but I am not sure where the problem is residing and I need to resolve this. I know it is not the router that the computer and server are plugged into, as I have tried connecting the server and configuring it for being directly connected to the Internet and I have the same problem. Assistance is greatly appreciated.
36 Comments
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 340 total points
ID: 24045716
One thought: check the user's account in Active Directory, under the Dial-in tab. The default with SBS is to control through remote access policy, but make sure it is not set to deny access. Setting to allow would be a good choice, at least as a test.

A 691 error can also be caused by blocked GRE/protocol 47 (not port 47). The latter is usually enabled on a router with an option such as "allow PPTP pass-through". Most often blocked GRE results in a 721 error, but you can start the connection but not complete it with blocked GRE and get a misleading 691 error.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 340 total points
ID: 24045725
By the way, did you also use the "create remote access disk" option, or download the client from the RWW page to install the client? This is the proper SBS method as per:
http://www.lan-2-wan.com/SBS-VPN-instr.htm
0
 

Author Comment

by:foxtrot79
ID: 24046021
I don't believe that the GRE is an issue as I tried connecting remotely from the outside to the server when the server was connected directly to the cable modem and the server was acting as the router as configured through the Internet configuration wizard.  I also have verified with the cable ISP that they are not blocking 1723 or any other ports except those known to be exploitable by Microsoft.  

I will give the "create remote access disk" a try, but I don't recall seeing this as an option when the remote wizard runs, but I will still give it a try and report back.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 340 total points
ID: 24048641
The link I provided above explains the client configuration. It is a different wizard on the same page as the "configure remote access" wizard of the server management console.

I agree it doesn't sound like GRE, but it can also be blocked on the client end or by third-party software on the server (or client) such as Symantec Antivirus, McAfee Security Suite, Live OneCare, Trend Micro OfficeScan and others. A common problem on the client end is double NATing, by using a modem that is a combined modem and router in conjunction with another router. In the latter scenario the modem must be put in bridged mode.
0
 

Author Comment

by:foxtrot79
ID: 24050561
I went through and verified that the accounts that I am trying are members of the mobile group, also one is set to allow access in dialup properties and the other is set to allow control through the remote access policy.

I also tried to create the remote disk for the client computer, but the only problem is that it wants a floppy and the server does not have one. Is there a way to do this with a USB drive or am I stuck on this path? I also am not sure what the Remote Web Workplace site name is, but if it is companyweb, I get an error that I have attached when trying to view the page after being prompted for credentials over and over again.

If I am missing something, I am sorry. I am still new to SBS 2003. I have more experience with standard 2003, but I greatly appreciate all the help that is being provided.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 340 total points
ID: 24050646
Assuming SBS was set up with RWW (remote web workplace), using the configure e-mail and Internet connection wizard, you should be able to access it externally with:
https://ServerName.YourPublicDomainName/remote  
or internally with:
http://ServerName/remote
On the RWW page, if you ran the configure remote access wizard there will be an option to download the VPN client (SBS Connection Manager).

Manually configuring a VPN client will work as well but the SBS custom client will assure the proper connection information and name resolution is properly configured.
0
 

Author Comment

by:foxtrot79
ID: 24052458
I gave the address a try and I was prompted for username/password after accepting the self-signed certificate. I authenticated with the domain admin account and was presented with a "You are not authorized" page. I don't recall seeing a wizard to install RWW. If this didn't install, where would I need to go to get this installed? If it is installed, I am not sure where to go to give access to Remote Web Workplace.

Thanks
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 340 total points
ID: 24052910
The user needs to be a member of the Remote Web Workplace Users and Mobile Users groups. The best way to do so is from the server management console: Users | Change User Permissions | Mobile User template | select users.

When connecting, for username use domain\username.

RWW is installed by running the Configure E-mail and Internet Connection wizard located under Server Management, Internet and E-mail.
0
 

Author Comment

by:foxtrot79
ID: 24060443
I tried to get to the remote webpage after using the template to add the remote and mobile user groups, but what happens is that I am prompted for username/password over and over. I logged off of the account that I am using to test and logged back in again, but I still have the same issue. I even tried to log in using the full domain\username instead of the NetBIOS name\username with the password and it still comes back and tells me I am not authorized.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 340 total points
ID: 24060511
Can you try as a domain admin? That should have permissions by default.
0
 

Author Comment

by:foxtrot79
ID: 24060809
I tried as the domain admin and I get the same error.  This whole thing has me really perplexed.
0
 

Author Comment

by:foxtrot79
ID: 24061130
If there are any logs or anything else that I can provide please let me know.  I really would like to get this resolved.  Again, I really appreciate the help.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 340 total points
ID: 24061134
Very odd. I just looked and you should be able to manually copy the connection manager client from:
\\SBSname\ClientApps\Connection Manager\sbspackage.exe
0
 

Author Comment

by:foxtrot79
ID: 24062304
I downloaded the package and installed it on a computer. I am receiving an error 800 now. I checked to make sure the DNS name that I specified in the remote wizard setup has the proper IP address specified on my ISP's side and it does. The DNS name is defined with the ISP and is forwarding to my public IP. The router has the port forwarded to the local server with the same port number. I did a little more checking with GRC.com and did a port scan. The ports that are supposed to be open are open, but when I do a custom scan on 1723 the port comes back as closed even though I have it forwarded in the router setup.

The router that is being used is a Linksys WRT54G with DD-WRT firmware installed. The version of DD-WRT is micro. The router is set up to enable PPTP, L2TP, and IPSec passthrough. There are no firewalls running on the router.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 340 total points
ID: 24067274
An 800 error is going backward. It indicates no "handshaking at all". The 691 at least indicates the initial connection was made and handshaking is taking place.

www.grc.com can show the port is exposed by the router, but that does not necessarily mean the server is "listening".
I would try 2 tests:
1) From an off-site PC try telnetting to the SBS:
telnet 123.123.123.123  1723
If the SBS is listening and the port is properly forwarded you will get a blank screen with a flashing cursor.
If not it will time out or generate an error.
2) From the SBS LAN, try connecting to the VPN, but use the LAN IP of the server.

The first will verify if the server is accessible from the Internet and the second will verify the VPN is properly configured. This may help to narrow down where the problem is.
0
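The two tests above, in code: an added Python probe (not from this thread, not part of SBS) that goes one step beyond the telnet check. After the TCP connect it sends the PPTP Start-Control-Connection-Request from RFC 2637 and looks for the matching reply, so it can tell "refused" (the 800 case) from "unreachable", and an open port that is not actually a PPTP server from one that is. The target host is an assumption you supply; it tests neither GRE nor authentication, so a 691 stays invisible to it.

```python
import socket
import struct

# PPTP control-connection constants from RFC 2637.
PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1                     # PPTP Message Type: control message
SCCRQ, SCCRP = 1, 2                  # Start-Control-Connection-Request / -Reply
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"     # 156-byte request layout
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"    # 156-byte reply layout (result + error bytes)
MSG_LEN = struct.calcsize(SCCRQ_FMT)

def build_sccrq(hostname=b"probe", vendor=b"diag"):
    """First control message a PPTP client sends right after the TCP connect."""
    return struct.pack(SCCRQ_FMT, MSG_LEN, CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ,
                       0, 0x0100, 0,      # reserved, protocol version 1.0, reserved
                       1, 1, 1, 0,        # async framing, analog bearer, 1 channel, fw rev
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))

def parse_sccrp(data):
    """Return (result_code, hostname, vendor) for a valid SCCRP, else None."""
    if len(data) < MSG_LEN:
        return None
    fields = struct.unpack(SCCRP_FMT, data[:MSG_LEN])
    msg_type, cookie, ctrl_type, result = fields[1], fields[2], fields[3], fields[6]
    if msg_type != CTRL_MESSAGE or cookie != MAGIC_COOKIE or ctrl_type != SCCRP:
        return None
    host, vendor = (f.rstrip(b"\0").decode("ascii", "replace") for f in fields[12:14])
    return result, host, vendor

def classify_reply(reply):
    """Map the bytes (or lack of them) read after sending SCCRQ to a verdict."""
    if not reply:
        return "open-but-silent"        # TCP 1723 answered, but nobody is speaking PPTP
    parsed = parse_sccrp(reply)
    if parsed is None:
        return "open-not-pptp"          # some other service is forwarded on that port
    result, host, _vendor = parsed
    # Result code 1 means the server accepted the control connection.
    return "pptp-listening:%s" % host if result == 1 else "pptp-refused:%d" % result

def probe_pptp(host, port=PPTP_PORT, timeout=5.0):
    """What an off-site client sees on TCP 1723; GRE and authentication are not tested."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"                # forwarding reaches a host, but nothing listens
    except OSError:
        return "unreachable"            # dropped by a firewall or router, or host is down
    with sock:
        try:
            sock.sendall(build_sccrq())
            reply = sock.recv(MSG_LEN)  # a 156-byte SCCRP normally arrives in one read
        except OSError:                 # includes the read timeout
            reply = b""
    return classify_reply(reply)
```

Run `probe_pptp("your.public.hostname")` from an off-site PC and `probe_pptp("<LAN IP>")` from inside; "pptp-listening" on both means the remaining 691 is an authentication problem rather than a connectivity one.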
 

Author Comment

by:foxtrot79
ID: 24069954
What has me confused is that GRC is showing the port as closed, whereas port 25 for SMTP shows as open (which is correct). I am not sure why the router wouldn't have the port open even though the port has been forwarded. It should show as open from a port scan of port 1723 on grc.com, even if there is no traffic going over it.

I tried #1 and I am getting a connection refused. I am starting to wonder if the DD-WRT firmware is lying about the port being forwarded. I am going to try putting the server in the DMZ and see if that makes a difference or not. If that does not accomplish anything I am going to put an earlier DD-WRT firmware on it and see if that dislodges anything.

I also have tried #2 and that is where I get prompted over and over for the username/password/domain.

The server is accessible from the Internet because I am successfully serving OWA.  From what I can collect the VPN is configured correctly since I ran through the wizard and quickly browsing routing and remote access appears to be set right.
0
 

Author Comment

by:foxtrot79
ID: 24073435
Ok, I was able to resolve the 800 error somehow.  I have no idea what I did, but it is now gone and 1723 now shows up as open.  I then went in and ran the remote wizard again and checked the routing and remote control panel and the PPTP only showed to be used for incoming connections and not routing for incoming and outgoing.  I changed this to allow it and I was able to connect from the outside.  I am able to telnet to 1723 and it gives a blinking cursor like it should so the traffic is getting to the server.  I tried to VPN in using the connection manager that I downloaded from the server.  This resulted in the 691 error message after prompting for username/password/domain over and over.  It is almost like something in the server is not talking to another piece.  I am not sure what it could be, but if you need any logs or any screenshots, let me know.

Thanks again.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 340 total points
ID: 24083277
Can you try connecting from the LAN using the server's LAN IP, rather than the public IP, to confirm whether it is a connection issue or authentication?
0
 

Author Comment

by:foxtrot79
ID: 24086882
I tried to connect to the local LAN IP this morning using both my own user account that is granted remote/mobile permissions, the administrator account with remote/mobile permissions, and an account that I created using the user snap-in inside of the server management control center that I granted mobile permissions, and all three failed with the 691 error message. It looks like something inside of the server is not communicating with another piece to complete the authentication. If I try from the outside I see that it is trying to authenticate, but it fails during the connection.

Thanks.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 340 total points
ID: 24096267
It does sound more like a VPN permissions issue, but if a domain admin account doesn't work I am not sure where to look. Are there any software firewalls installed on the server?
0
 

Author Comment

by:foxtrot79
ID: 24098029
I am not sure where to look either and that is what has me frustrated.  Part of me would like to rebuild the server, but I can't really rebuild the server from scratch as it is their only server and relied upon for their day-to-day business.

I don't have any software firewalls installed.  The only one was the Windows firewall, but this was removed when VPN was installed.  The service has been placed into disabled status.

Thanks
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 340 total points
ID: 24098218
Are there 1 or 2 NICs in the server?
If 2, go to: RRAS | right-click on server | Properties | IP | select the WAN adapter in the last box rather than allowing RAS to select (or LAN for testing as per last post).
If 1 NIC, that will not help.
0
 

Author Comment

by:foxtrot79
ID: 24098918
There is only one NIC for this server.  I did add a second NIC and ran through the Internet wizard and then the remote wizard.  I was able to get to the server from the inside and outside, but still ran into the 691 error message.  I want the server to be behind the NAT router and not have the server act as the router.  I just feel it is a little less exposed than directly connected to the Internet.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 340 total points
ID: 24099438
Very odd that you cannot connect at least from the LAN side. I am afraid I am out of ideas, other than having a look at the following:
http://www.howtonetworking.com/vpnissues/error691.htm
0
 

Author Comment

by:foxtrot79
ID: 24100164
I appreciate your help.  I was thinking this afternoon about what I have done outside of the normal SBS 2003 setup.  I do have a default domain policy and a domain controller policy applied.  Would either of these two things have any impact on the issue?
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 340 total points
ID: 24100251
It is conceivable, but not likely. It would be more likely related to the permissions on the dial-up tab or the user profile in Active Directory, or a Remote Access Policy in IAS (Internet Authentication Service). The latter could definitely cause problems but it is configured automatically by SBS.
0
 

Author Comment

by:foxtrot79
ID: 24100515
I am looking at the logs and when I make a VPN attempt the following two event numbers get logged to the security log for each attempt during the connection:

680 and 529

I looked up 680 and according to the error code the error is - 0xC000006A An incorrect password was supplied.
(I know the password is correct because I am able to log onto the domain from a workstation just fine.)

I don't know if something is set so VPN attempts are blocked from authenticating or what might be going on.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 340 total points
ID: 24100925
- It is not a blank password, is it? Just thought I would ask, as that will not work.
- Try the user name in the form domain\username.
- Also, as per the previous link: "3) Make sure the dial-up connection's security option is correctly configured to use the Require secured password setting".
0
 

Author Comment

by:foxtrot79
ID: 24102050
I just gave it a shot with the domain/username and I get the same results. The connection that I am trying is the one that the remote wizard creates as part of the clientapps.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 340 total points
ID: 24102078
Note it should be \ not / but if using the SBS "Connection Manager" that is not necessary.
0
 

Author Comment

by:foxtrot79
ID: 24102368
I am really not sure what to do at this point. I need to deliver a VPN solution for my client. I was going to just use PPTP since it was what SBS set up using the wizard. Is L2TP hard to set up with SBS and client machines?
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 340 total points
ID: 24108528
L2TP is a pain in the neck to set up, and there are no wizards within SBS. If it is an authentication issue I would suspect it would still exist even with L2TP. If interested though the link below will get you started.
If considering that route you might be better to consider a low end IPSec VPN router. It is more secure, offers slightly better performance, better control of access, and eliminates the problem above.

http://technet.microsoft.com/en-us/library/cc787915.aspx
There is also an issue with Server 2003/XP where it does not support NAT-T with the IPSec component, therefore an L2TP client cannot connect to a 2003 server from behind a NAT device (router). The following outlines the problem and solution, if considering L2TP:
http://www.windowsecurity.com/articles/NAT-Traversal-Security.html
0
 

Author Comment

by:foxtrot79
ID: 24113117
I was poking around the server this evening and found something interesting. If I go into Group Policy Management and take away the Default Domain Controller Policy from being enforced on the domain controller I am fully able to connect through VPN to the server. This works from the internal LAN and from the Internet. I am not sure what particular piece of the policy would be causing the block and am hoping that you (RobWill) or someone else may know what particular piece of the policy may be the culprit. I'm at the top of the hill and need just the little push to get it working.

Thanks.
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 340 total points
ID: 24113248
Open the Group Policy Management console, click on the policy on the left and in the right window click Settings and then Show All. See if any of the policies affect the VPN or authentication.
0
 

Accepted Solution

by:
foxtrot79 earned 0 total points
ID: 24118653
I found the culprit. The piece that was blocking the connection was in the Network Security Policy - Network security: LAN Manager authentication level.  It was set to "Send NTLMv2 response only\refuse LM & NTLM".  I had to downgrade this policy for the VPN connections to authenticate.  I downgraded it to "Send NTLMv2 response only\refuse LM" and it works exactly as it should.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24137321
Interesting. That policy is "not defined" by default so it must have been changed at some point on your system. Very good find though.
0