ruztech

asked on

VPN Issue

I have decommissioned an SBS2003 and migrated to SBS2008. When our users try to VPN, we get an error. I have checked that the Administrator has dial-in access.
It opens the port but then displays this error:
Error 649: The account does not have permission to dial in.
This is in the system event log:
The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error


ASKER CERTIFIED SOLUTION
bignewf

Also, check for password expiration and domain credentials.
Please post output from the Windows event log on both the RRAS server and the client.

thanks
ruztech

ASKER

Yes, it seems to match the RRAS server settings; both MS-CHAP and MS-CHAP v2 are enabled on the VPN client and server.

ASKER

This is the message from the server event log:
The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

I have no error on my XP workstation that is trying to VPN. I am using the Administrator account, which has dial-in permission. The account is set to never expire. Can you tell me how to post output from the client?

Windows Event Viewer: look in the Application and System logs.
Right-click on My Computer > Manage > Event Viewer. You can filter for errors.
Did you check the authentication on the client for a match in the RRAS profile?
Also, try this:
Check PPTP filtering. For the test, disable PPTP filtering on the server (Net Stop RASPPTPF), and see if you can establish a non-filtered connection.

ASKER

Tried to run "Net Stop RASPPTPF" but get the following error:
system error 1060 has occurred.
Is there another method to stop this service?
You can disable the service, then re-enable and restart it manually, or set the service for manual startup after reboot.

ASKER

VPN was working on the 2003 SBS, so I believe the router is configured correctly (we pointed the ports to the new server IP address). I should also mention that when I set up the VPN service on SBS2008, VPN worked for the Administrator. However, a day or so later it stopped working. A user added a certificate, which is the only slight change that has been installed, and I cannot say if it is causing the issue. Thank you for your help so far, bignewf. I have not been able to find the service RASPPTPF anywhere. Does this exist on SBS2008?
Have you tried removing the cert and reconnecting? That could cause a credential/authentication mismatch.

ASKER

I have tried stopping the cert service, but that did not help any. I will request the user to remove the cert and test again.

ASKER

We have now got it working. Thanks for all your help, bignewf; you pointed us in the right direction.

On the VPN client we had to set up the following settings:
Security tab > Advanced > Settings > Logon security > use extensible authentication protocol > protected EAP (PEAP) (encryption enabled) > Properties > uncheck validate server certificate (this is checked by default) > Select Authentication method > Secured password (EAP-MSCHAP v2)