RemoteAccess 20189 Error - Windows 2003 RRAS
Posted on 2009-04-16
Remote users can no longer use VPN setup on a member Windows 2003 server due to authentication failure. Error on the RRAS server (technically a Warning) is 20189 from Event Source RemoteAccess: "Authentication was not successful because an unknown user name or incorrect password was used."
Could this be due to time differential of more than 1 minute between Internet -- where remote users are -- and AD domain? (I do not yet have permission to modify that setting.)
I have already checked the following:
- The RRAS server has secure channel with DC -- verified with NetDom
- Authentication traffic does reach a DC since the user account is locked out after more than x attempts.
- More than one user account has this problem -- perhaps all.
- Adding other authentication methods besides MSCHAP2 (MSCHAP and CHAP) makes no difference.
- User account still has problem even when moved to a new OU. Permissions on OU are normal.
- LAN manager authentication level (as seen in local security policy and registry) is at 2: Allow NTLM, only refuse LM. So it is not set too high.
Please advise. (RRAS logs are too cryptic. Have created trace logs in C:\WINDOWS\tracing but not sure what to seek.) Thanks.