VPN Issue

I have decommissioned an SBS2003 and migrated to SBS2008. When our users try to VPN we are getting an error. I have checked that the Administrator has dial-in access.
It opens the port but then displays this error:
Error 649: The account does not have permission to dial in.
This is in the system event log:
The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error


ruztech Asked:

bignewf Commented:
Have you checked the authentication in the Windows VPN client (i.e. MS-CHAP, MS-CHAP v2, PPP) to see if it matches the policy on the RRAS server? This is where I would start troubleshooting.
0

bignewf Commented:
Also, check for password expiration, domain credentials.
Please post output from the Windows event log on both the RRAS server and client.

Thanks
0
ruztech Author Commented:
Yes, it seems to match the RRAS server settings. Both MS-CHAP and MS-CHAP v2 are enabled on the VPN client and server.
0
ruztech Author Commented:
This is the message from the server event log:
The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

I have no error on my XP workstation that is trying to VPN. I am using the Administrator account, which has dial-in permission. The account is set to never expire. Can you tell me how to post output from the client?
0
bignewf Commented:
Windows Event Viewer: look in the Application and System logs.
Right-click on My Computer > Manage > Event Viewer. You can filter for errors.
Did you check the authentication on the client for a match in the RRAS profile?
0
bignewf Commented:
Also, try this:
Check PPTP filtering. For the test, disable PPTP filtering on the server (Net Stop RASPPTPF), and see if you can establish a non-filtered connection.
0
bignewf Commented:
0
bignewf Commented:
Also, forgot to add:

Check to see if port 1723 is open on the remote user's router (inbound and outbound), and on the firewall if the RRAS server sits behind it.
Also, protocol 47 (not port) needs to be open.
0
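The two checks requested in the comments above (event log output from both machines, and reachability of TCP port 1723), as an added PowerShell example that is not part of the original thread. It assumes PowerShell 2.0 or later; `vpn.example.com`, the output file name and the `Ras|RemoteAccess` source pattern are placeholders and assumptions, not values from the thread.

```powershell
# Added example: run on the RRAS server and on the VPN client.
# $VpnServer is a placeholder; replace it with your RRAS server's public name or IP.
param(
    [string]$VpnServer = 'vpn.example.com',
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Collect recent errors and warnings from RAS-related sources in both logs.
# The source pattern is an assumption; widen it if nothing matches.
$events = foreach ($log in 'System', 'Application') {
    Get-EventLog -LogName $log -Newest 2000 |
        Where-Object {
            $_.TimeGenerated -ge $since -and
            $_.EntryType -match 'Error|Warning' -and
            $_.Source -match 'Ras|RemoteAccess'
        } |
        Select-Object @{n='Log';e={$log}}, TimeGenerated, EntryType, Source, EventID, Message
}

# Write the full, untruncated messages to a text file that can be pasted into a post.
$outFile = Join-Path $env:TEMP 'vpn-events.txt'
$events | Sort-Object TimeGenerated | Format-List | Out-File -FilePath $outFile -Width 200
"Wrote $(@($events).Count) event(s) to $outFile"

# Client-side check of the PPTP control channel (TCP 1723).
# A successful connect says nothing about GRE (IP protocol 47), which carries
# the tunnelled data and has to be allowed separately on the router/firewall.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($VpnServer, 1723)
    "TCP 1723 to ${VpnServer}: reachable"
} catch {
    "TCP 1723 to ${VpnServer}: FAILED - $($_.Exception.Message)"
} finally {
    $client.Close()
}
```

Review the output file before posting it publicly and strip usernames, host names and internal addresses.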
ruztech Author Commented:
Tried to run "Net Stop RASPPTPF" but get the following error:
System error 1060 has occurred. Is there another method to stop this service?
0
bignewf Commented:
You can disable the service, then re-enable and restart manually, or set the service for manual startup after reboot.
0
ruztech Author Commented:
VPN was working on the 2003 SBS so I believe the router is configured correctly (we pointed the ports to the new server IP address). I should also mention that when I set up the VPN service on SBS2008, VPN worked for the Administrator. However, a day or so later it stopped working. A user added a certificate, which is the only slight change that has been installed, and I cannot say if it is causing the issue. Thank you for your help so far, bignewf. I have not been able to find the service RASPPTPF anywhere. Does this exist on SBS2008?
0
bignewf Commented:
Have you tried removing the cert and reconnecting? That could cause a credential/authentication mismatch.
0
ruztech Author Commented:
I have tried stopping the cert service but that did not help any. I will request the user to remove the cert and test again.
0
ruztech Author Commented:
We have now got it working. Thanks for all your help, bignewf, you pointed us in the right direction.

On the VPN client we had to set up the following settings:
Security tab > Advanced > Settings > Logon security > Use Extensible Authentication Protocol > Protected EAP (PEAP) (encryption enabled) > Properties > uncheck Validate server certificate (this is checked by default) > Select Authentication Method > Secured password (EAP-MSCHAP v2)
0