2008 SBS VPN connection Issues

trippa666au asked
Have a client with a 2008 SBS Server.
Setting up PPTP VPN through the SBS.

1 user can access the VPN, no problems.
All the others cannot connect, with the error in the screenshot.

Have checked that users are members of the VPN group.

Have tried the user who can connect on the same remote PCs as the users who cannot connect, and it works fine, so not a firewall or external issue.

Help?? Cheers

screen01.png

Top Expert 2013

Commented:
Have you checked the box "user can access virtual private network" in the Windows SBS console under users for each user?

Should be set automatically, but also make sure in Active Directory under the user's profile, on the "dial-up" page, that deny is not selected.

Author

Commented:
Yes, have checked this in both SBS console and AD.

Top Expert 2013

Commented:
Very odd.
691 errors (permission related) are often mis-reported as 734's. Also, where you can connect with 1 user account and no other from the same PC, site, and VPN client, it would point to a permission issue.
The only other one that comes to mind right away is: are the users also members of the "Domain User Group"? They need to be to meet the default NPS policy conditions.

Author

Commented:
Thanks RobWill
Ok, have checked that the user/s who cannot access VPN have exactly the same groups and settings in AD as the user who can access VPN.

Have reset passwords... again.

Still no luck....

Under Dial-in it's set to "Control access through NPS Network policy".
Does changing this to "Allow access" have any consequences?

Anyone else have any suggestions??

Top Expert 2013

Commented:
Same groups is important, but they do need to be applied with the Permissions wizards from the Windows SBS console under users. You mentioned you did this.

Changing to "allow" is fine, but assuming the SBS wizard, and not the RRAS wizard, was used, "Control access through NPS Network policy" should be fine. May be good to try switching one as a test, as this will override one of the NPS policies.

I assume then they cannot log in to the VPN from the same LAN as the SBS using its LAN IP rather than the public IP, either?

Can other domain admins log on?

Top Expert 2013

Commented:
PS: the other thought would be to review the NPS policies themselves to verify they are correct.
Under the NPS policy management console there should be 2 primary policies with the following options:
General Connection Authorization Policy:
  Overview:
    policy enabled
    grant access
    Ignore account dial in properties
    Terminal server gateway
  Conditions:
    NAS port type Virtual(VPN)
    User Groups Your\Domain\DomainUsers
    Called Station ID

Top Expert 2013

Commented:
Sorry, hit enter by mistake.
Where one user can connect, these are all likely in place and working, but these are user and location restriction policies. If they have been modified they can affect access by specific users, groups, or IPs.

General Connection Authorization Policy:
  Overview:
    policy enabled
    grant access
    Ignore account dial in properties
    Terminal server gateway
  Conditions:
    NAS port type Virtual(VPN)
    User Groups Your\Domain\DomainUsers
    Called Station ID UserAuthType(SCPW)
  Settings: make sure under NAP enforcement "Allow full network access" is checked

Virtual Private Network (VPN) Access policy [Primary VPN policy]:
General Connection Authorization Policy:
  Overview:
    policy enabled
    grant access
    Ignore account dial in properties
    Remote Access Server (VPN DialUp)
  Conditions:
    NAS port type Virtual(VPN)
    User Groups Your\Domain\Windows SBS Virtual Private Network Users
    Called Station ID UserAuthType(SCPW)
  Settings: make sure under NAP enforcement "Allow full network access" is checked, as well as "Enable auto-remediation of client computers"

Ok, so turns out it was a conflict with the router, which also had VPN PPTP protocol enabled.

Thanks for all your suggestions... I learnt a bit about SBS VPN permissions, so not all time wasted.

Cheers

Top Expert 2013

Commented:
Having PPTP services enabled on the router will definitely cause conflicts, but very odd one user could connect, unless that same user was set up on the router.
As per your comments, no need to award points, but it is very much appreciated that you posted your findings.
Cheers!
--Rob