Solved

RRAS authentication on 2008 R2

Posted on 2011-09-29
3
1,554 Views
Last Modified: 2012-08-13
I'm having some trouble getting RRAS working on server 2008 R2 and was wondering if anyone had some insight.

RRAS installs correctly, I am able to connect but authentication fails with, and it just keeps asking for the password when trying to connect:
" The user <username removed> connected from <IP Removed> but failed an authentication attempt due to the following reason: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error."

Configuration information:
RRAS is installed on a domain controller with local Authentication. VPN client is connecting using standard PPTP, and I verified that RRAS authentication is enabled for MS-CHAP v2 (default), and NPS has a VPN access policy which allows access to users of the VPN group. I've added the user to the VPN group, and on his dial in permissions specified allowed (I've tried switching this around to policy based or just plain allow).

I can see the user hitting the correct policy using the logs.
192.168.1.25,<username removed>,09/29/2011,05:44:18,RAS,AKRON,44,10,32,AKRON,4,192.168.1.25,6,2,7,1,5,256,61,5,64,1,65,1,31,71.75.105.228,66,71.75.105.228,4108,192.168.1.25,4128,AKRON,8132,2,4147,311,4148,MSRASV5.20,4160,MSRASV5.20,4159,MSRAS-0-DIETER-PC,8158,{F0286BA4-E35D-4C92-ACA4-329DC62AB380},4154,VPN Access,4155,1,4129,<username removed>,4130,<username removed>,25,311 1 fe80::b160:3e62:cb72:cb8 09/16/2011 20:19:00 61,4127,4,4136,1,4142,0
192.168.1.25,<username removed>,09/29/2011,05:44:18,RAS,AKRON,44,10,25,311 1 fe80::b160:3e62:cb72:cb8 09/16/2011 20:19:00 61,4127,4,4130,<username removed>,4129,<username removed>,4155,1,4154,VPN Access,4136,3,4142,16
59,4127,4,4130,<username removed>,4129,<username removed>,4155,1,4154,VPN Access,4136,3,4142,16

This happens with all accounts (not just 1), and I verified the account login and passwords are correct and the account is not locked out. Pretty much all settings are defaults on the server, unless otherwise specified above.

I verified this isn't an issue with firewall, as local connections to the VPN server has the same issue.

Thanks,
Dieter
0
Comment
Question by:25BY7
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 36928541
What are your clients running for an OS?

I've seen issues with FIPS encryption getting in the way, but I'm not certain in your case.

0
 

Accepted Solution

by:
25BY7 earned 0 total points
ID: 37008140
This was related to GPOs which raised the LM authentication level on the authentication server. Those had to be lowered to allow authentication to complete successfully.

0
 

Author Closing Comment

by:25BY7
ID: 37035286
Once the GPOs were updated, everything started working correctly.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question