Solved

VPN Issue

Posted on 2009-07-14
14
1,300 Views
Last Modified: 2012-05-07
I have decommissioned a SBS2003 and migrated to SBS2008, when our users try and vpn we are getting an error. I have checked that the Administrator has dialin access.
It opens the port but then displays this error
Error 649: The account does not have permission to dial in.
This is in the system event log

The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error

Open in new window

0
Comment
Question by:ruztech
  • 8
  • 6
14 Comments
 
LVL 15

Accepted Solution

by:
bignewf earned 125 total points
ID: 24854939
have you checked the authentication in th ewindows vpn client ie  ms-chap, mschap v2, ppp  to see if it matches the policy on the rras server?  this is where i would start troubleshooting
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24854951
Also, check for password expiration, domain credentials.
please post output from windows event log on both rras server and client

thanks
0
 

Author Comment

by:ruztech
ID: 24854983
yes it seems to match the rras server settings both ms-chap and mschap v2 are enabled on vpn client and server
0
 

Author Comment

by:ruztech
ID: 24855037
This is the message from the server event log
The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

I have no error on my xp workstaton that is trying to vpn.  I am using the Administrator account which has dial in permission. Account is set to never expire. Can you tell me how to post output from client?
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24855106
windows event viewer: look in application and system logs
right-click on my computer>manage>event viewer. You can filter for errors
did you check the authentication on the client for a match in the RRAS profile?
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24855121
Also, try this:
Check PPTP filtering. For the test, disable PPTP filtering on the server (Net Stop RASPPTPF), and see if you can establish a non-filtered connection
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24855131
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 15

Assisted Solution

by:bignewf
bignewf earned 125 total points
ID: 24855158
Also, forgot to add:

check to see if port 1723 is open on the remote users's router (inbound and outbound), and on the firewall if the rras server sits behind it
Also, protocol 47 (not port) needs to be open also
0
 

Author Comment

by:ruztech
ID: 24855196
Tried to run "Net Stop RASPPTPF" but get the following error
system error 1060 has occurred. Is there another method to stop this servive.
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24855205
you can disable the service then re-enable and restart manually, or set service for manuall startup after reboot
0
 

Author Comment

by:ruztech
ID: 24855360
VPN was working on the 2003 SBS so I believe the router is configured correctly (we pointed the ports to the new server ip address). I should also mention that when I setup the vpn service on SBS2008 vpn worked for the Administrator. However a day or so later it has stopped working. A user added a certificate which is the only slight change that has been installed and I cannot say if it is causing the issue. Thank you for your help so far bignewf. I have not been able to find the service RASPPTPF anywhere. Does this exist on SBS2008?
0
 
LVL 15

Expert Comment

by:bignewf
ID: 24855390
Have you tried removing the cert and try reconnecting? that could cause a credential/authentication mismatch.
0
 

Author Comment

by:ruztech
ID: 24855454
I have tried stopping the cert service but that did not help any, I will request the user to remove the cert and test again.
0
 

Author Comment

by:ruztech
ID: 24966578
We have now got it working. thanks for all your help bignewf you pointed us in the right direction.

On the vpn client had to setup the following settings
Security tab > Advanced > Settings > Logon security > use extensible authentication protocol > protected EAP (PEAP) (encryption enabled) > Proprerties > uncheck validate server certificate (this is checked by default) > Select Authentication method > Secured password (EAP-MSCHAP v2)
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now