RemoteAccess 20189 Error - Windows 2003 RRAS

Remote users can no longer use VPN setup on a member Windows 2003 server due to authentication failure. Error on the RRAS server (technically a Warning) is 20189 from Event Source RemoteAccess: "Authentication was not successful because an unknown user name or incorrect password was used. "

Could this be due to time differential of more than 1 minute between Internet -- where remote users are -- and AD domain? (I do not yet have permission to modify that setting.)

I have already checked the following:
- The RRAS server has secure channel with DC -- verified with NetDom
- Authenitcation traffic does reach a DC since the user account is locked out after more than x attempts.
- More than one user account has this problem -- perhaps all.
- Adding other authentication methods beside MSCHAP2 (MSCHAP and CHAP) makes no difference.
- User account still has problem even when moved to a new OU. Permission on OU are normal.
- LAN manager authentication level (as seen in local security policy and registry) is at 2: Allow NTLM, only refuse LM. So it is not set too high.

Please advise. (RRAS logs are too cryptic. Have created trace logs in C:\WINDOWS\tracing but not sure what to seek.) Thanks.

Who is Participating?
nkulshAuthor Commented:
We figured it out ourselves.
LAN manager authentication level (as seen in local security policy and registry) had to be changed on Domain Controllers -- all of them, from 5 to 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\lncompatibilitylevel (REG_DWORD)
Level 5 - DC refuses LM and NTLM authenication (accepts only NTLMv2)
Level 1 - Use NTLMv2 session security if negotiated  
Perhaps Level 4 would have worked as well.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.