Solved

VPN Issue

Posted on 2009-07-14
14
1,306 Views
Last Modified: 2012-05-07
I have decommissioned a SBS2003 and migrated to SBS2008, when our users try and vpn we are getting an error. I have checked that the Administrator has dialin access.
It opens the port but then displays this error
Error 649: The account does not have permission to dial in.
This is in the system event log
The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error

Open in new window

0
Comment
Question by:ruztech
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 6
14 Comments
 
LVL 15

Accepted Solution

by:
bignewf earned 125 total points
ID: 24854939
have you checked the authentication in th ewindows vpn client ie  ms-chap, mschap v2, ppp  to see if it matches the policy on the rras server?  this is where i would start troubleshooting
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24854951
Also, check for password expiration, domain credentials.
please post output from windows event log on both rras server and client

thanks
0
 

Author Comment

by:ruztech
ID: 24854983
yes it seems to match the rras server settings both ms-chap and mschap v2 are enabled on vpn client and server
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:ruztech
ID: 24855037
This is the message from the server event log
The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

I have no error on my xp workstaton that is trying to vpn.  I am using the Administrator account which has dial in permission. Account is set to never expire. Can you tell me how to post output from client?
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24855106
windows event viewer: look in application and system logs
right-click on my computer>manage>event viewer. You can filter for errors
did you check the authentication on the client for a match in the RRAS profile?
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24855121
Also, try this:
Check PPTP filtering. For the test, disable PPTP filtering on the server (Net Stop RASPPTPF), and see if you can establish a non-filtered connection
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24855131
0
 
LVL 15

Assisted Solution

by:bignewf
bignewf earned 125 total points
ID: 24855158
Also, forgot to add:

check to see if port 1723 is open on the remote users's router (inbound and outbound), and on the firewall if the rras server sits behind it
Also, protocol 47 (not port) needs to be open also
0
 

Author Comment

by:ruztech
ID: 24855196
Tried to run "Net Stop RASPPTPF" but get the following error
system error 1060 has occurred. Is there another method to stop this servive.
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24855205
you can disable the service then re-enable and restart manually, or set service for manuall startup after reboot
0
 

Author Comment

by:ruztech
ID: 24855360
VPN was working on the 2003 SBS so I believe the router is configured correctly (we pointed the ports to the new server ip address). I should also mention that when I setup the vpn service on SBS2008 vpn worked for the Administrator. However a day or so later it has stopped working. A user added a certificate which is the only slight change that has been installed and I cannot say if it is causing the issue. Thank you for your help so far bignewf. I have not been able to find the service RASPPTPF anywhere. Does this exist on SBS2008?
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24855390
Have you tried removing the cert and try reconnecting? that could cause a credential/authentication mismatch.
0
 

Author Comment

by:ruztech
ID: 24855454
I have tried stopping the cert service but that did not help any, I will request the user to remove the cert and test again.
0
 

Author Comment

by:ruztech
ID: 24966578
We have now got it working. thanks for all your help bignewf you pointed us in the right direction.

On the vpn client had to setup the following settings
Security tab > Advanced > Settings > Logon security > use extensible authentication protocol > protected EAP (PEAP) (encryption enabled) > Proprerties > uncheck validate server certificate (this is checked by default) > Select Authentication method > Secured password (EAP-MSCHAP v2)
0

Featured Post

Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Internet Connection -- PING testing ? 1 88
Remote Desktop Services in AWS 4 51
Port# 500 and 4500 not open by ISP 10 85
RDP exploit 13 18
Like many others, when I created a Windows 2008 RRAS VPN server, I connected via PPTP, and still do, but there are problems that can arise from solely using PPTP.  One particular problem was that the CFO of the company used a Virgin Broadband Wirele…
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question