RemoteAccess 20189 Error - Windows 2003 RRAS

Posted on 2009-04-16
Last Modified: 2012-05-06
Remote users can no longer use VPN setup on a member Windows 2003 server due to authentication failure. Error on the RRAS server (technically a Warning) is 20189 from Event Source RemoteAccess: "Authentication was not successful because an unknown user name or incorrect password was used."

Could this be due to time differential of more than 1 minute between Internet -- where remote users are -- and AD domain? (I do not yet have permission to modify that setting.)

I have already checked the following:
- The RRAS server has secure channel with DC -- verified with NetDom
- Authentication traffic does reach a DC since the user account is locked out after more than x attempts.
- More than one user account has this problem -- perhaps all.
- Adding other authentication methods besides MSCHAP2 (MSCHAP and CHAP) makes no difference.
- User account still has problem even when moved to a new OU. Permissions on the OU are normal.
- LAN manager authentication level (as seen in local security policy and registry) is at 2: Allow NTLM, only refuse LM. So it is not set too high.

Please advise. (RRAS logs are too cryptic. Have created trace logs in C:\WINDOWS\tracing but not sure what to seek.) Thanks.

Question by:nkulsh

    Accepted Solution

    We figured it out ourselves.
    LAN manager authentication level (as seen in local security policy and registry) had to be changed on Domain Controllers -- all of them, from 5 to 1:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel (REG_DWORD)
    Level 5 - DC refuses LM and NTLM authentication (accepts only NTLMv2)
    Level 1 - Use NTLMv2 session security if negotiated  
    Perhaps Level 4 would have worked as well.
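
To see which level each domain controller and the RRAS server is actually running at, the registry value named in the answer can be read remotely. This is an added example, not part of the original thread: the host names are placeholders, the function name is made up for illustration, and the level descriptions follow Microsoft's documentation for this setting.

```powershell
# Added example. Host names are placeholders (assumption): list your DCs and the RRAS server.
$servers = 'DC01', 'DC02', 'RRAS01'

# Documented meaning of each LmCompatibilityLevel value, split into what a
# machine sends as a client and what it accepts when acting as a DC.
$sends = @{
    0 = 'LM and NTLM'
    1 = 'LM and NTLM; NTLMv2 session security if negotiated'
    2 = 'NTLM only'
    3 = 'NTLMv2 only'
    4 = 'NTLMv2 only'
    5 = 'NTLMv2 only'
}
$accepts = @{
    0 = 'LM, NTLM, NTLMv2'
    1 = 'LM, NTLM, NTLMv2'
    2 = 'LM, NTLM, NTLMv2'
    3 = 'LM, NTLM, NTLMv2'
    4 = 'NTLM, NTLMv2 (refuses LM)'
    5 = 'NTLMv2 only (refuses LM and NTLM)'
}

function Get-LmCompatibilityLevel {
    param([string]$ComputerName)
    # Remote read; needs the Remote Registry service and admin rights on the target.
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName)
    try {
        $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        return $lsa.GetValue('LmCompatibilityLevel', $null)   # $null when the value is not set
    } finally {
        $hklm.Close()
    }
}

$report = foreach ($server in $servers) {
    $row = New-Object PSObject -Property @{ Server = $server; Level = 'unknown'; Sends = ''; AcceptsAsDC = '' }
    try {
        $level = Get-LmCompatibilityLevel -ComputerName $server
        if ($level -eq $null) {
            $row.Level = 'not set (OS default applies)'
        } else {
            $row.Level = $level
            $row.Sends = $sends[[int]$level]
            $row.AcceptsAsDC = $accepts[[int]$level]
        }
    } catch {
        # Unreachable host, access denied, Remote Registry stopped, etc.
        $row.Level = "error: $($_.Exception.Message)"
    }
    $row
}
$report | Select-Object Server, Level, Sends, AcceptsAsDC | Format-Table -AutoSize
```

If the "Network security: LAN Manager authentication level" policy is applied through Group Policy, it writes this same value and will overwrite a manual registry change at the next policy refresh.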
