jlstdy
asked on
VPN Connection Problem - Authentication protocol is not permitted on the remote server
My VPN client access on an SBS 2008 server had been working fine. Then it began connecting, but not giving me a network IP address... it would give me a 169 APIPA IP address. Then in trying to fix it, I apparently made it worse. Now when I try to connect, I get a 649 connection error on the client... The account does not have permission to connect for one of the following reasons... the reason that seems to apply is:
An authentication protocol may be required that your computer cannot negotiate, or your computer may be attempting to use a protocol that is not authorized by the policy on the remote computer.
On the server I get this error:
The selected authentication protocol is not permitted on the remote server.
The connection could not be established because the authentication method used by your connection profile is not permitted for use by an access policy configured on the RAS/VPN server. Specifically, this could be due to configuration differences between the authentication method selected on the RAS/VPN server and the access policy configured for it.
CoId={NA}: The account for user \jim connected on port VPN2-4 does not have Remote Access privilege. The line has been disconnected.
>>>
User:
Security ID: S-1-5-21-366816775-4274262072-38412502-1142
Account Name: jim
Account Domain: DomainName
Fully Qualified Account Name: DomainName\jim
Client Machine:
Security ID: S-1-0-0
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: 205.172.99.12
NAS:
NAS IPv4 Address: 192.168.73.1
NAS IPv6 Address: -
NAS Identifier: VS1
NAS Port-Type: Virtual
NAS Port: 0
RADIUS Client:
Client Friendly Name: VS1
Client IP Address: 192.168.73.1
Authentication Details:
Proxy Policy Name: NAP VPN
Network Policy Name: NAP VPN Non NAP-Capable
Authentication Provider: Windows
Authentication Server: VS1.DomainNameg.local
Authentication Type: MS-CHAPv2
EAP Type: -
Account Session Identifier: 32
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
ASKER
Three of them have a red x instead of a green check, as indicated.
The first two do not have MS-CHAPv2 checked, but do have checked "allow clients to connect without negotiating an authentication method". All of the others have MS-CHAPv2 checked.
General Connection Authorization Policy
-- TSG Marker Policy {985F7B54-FCE8-4f55-AEBF-D
NAP VPN Compliant
NAP VPN Noncompliant
NAP VPN Non NAP-Capable
Virtual Private Network (VPN) Access Policy
Connections to Microsoft Routing and Remote Access server (has red X)
Connections to other access servers (has red X)
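An added example, not part of the original thread: a small section-aware parser for the NPS denial event text quoted in the question. It pulls out the connection request policy, the matched network policy and the attempted authentication method, so the policy named in the event can be compared with the list above. The function names and the trimmed sample event are assumptions built from the fields shown on this page.

```python
# Added example: section-aware parser for the NPS denial event text quoted above.
# SAMPLE_EVENT is constructed from the fields shown in the question.
SAMPLE_EVENT = """\
User:
Account Name: jim
Fully Qualified Account Name: DomainName\\jim
Client Machine:
Account Name: -
Calling Station Identifier: 205.172.99.12
NAS:
NAS Identifier: VS1
Authentication Details:
Proxy Policy Name: NAP VPN
Network Policy Name: NAP VPN Non NAP-Capable
Authentication Type: MS-CHAPv2
EAP Type: -
Reason Code: 66
"""

def parse_nps_event(text):
    """Return {section: {field: value}}. A line ending in ':' with no value opens
    a section; '-' means the field was empty in the event."""
    sections, current = {}, None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue                      # separators such as '>>>'
        key, value = key.strip(), value.strip()
        if not value:
            current = sections.setdefault(key, {})
        elif current is not None:         # ignore text before the first section
            current[key] = None if value == "-" else value
    return sections

def triage(sections):
    """Pull out the fields needed to find the policy that rejected the attempt."""
    auth = sections.get("Authentication Details", {})
    result = {
        "user": sections.get("User", {}).get("Fully Qualified Account Name"),
        "source": sections.get("Client Machine", {}).get("Calling Station Identifier"),
        "request_policy": auth.get("Proxy Policy Name"),
        "network_policy": auth.get("Network Policy Name"),
        "method": auth.get("EAP Type") or auth.get("Authentication Type"),
        "reason_code": int(auth.get("Reason Code") or 0),
    }
    # Reason 66, per the event text: method not enabled on the matching network policy.
    result["method_not_enabled"] = result["reason_code"] == 66
    return result

if __name__ == "__main__":
    for name, value in triage(parse_nps_event(SAMPLE_EVENT)).items():
        print(f"{name}: {value}")
```

Because "Account Name" appears under both "User" and "Client Machine", the parser keeps fields per section rather than in one flat dictionary.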