VPN clients can't connect - Error 812

Hi there,

We recently migrated one of our clients' servers from SBS2008 to Server Essentials 2012. The SBS used to manage the VPN connections but now the new policy we've created on Essentials 2012 doesn't seem to be allowing any connections. Windows clients receive the following error:

Error 812 : The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

We've confirmed all necessary ports are open on the firewall (though the error message indicates to me that it's more of a policy issue rather than establishing a connection) and also tried connecting to VPN from the LAN to the server's local IP and received the same error.

We've confirmed that the user accounts connecting are in the VPN access group that we've specified in the policy, we have deleted all NPS policies and started from scratch, we have also confirmed that the static range / pool has been set.

After a failed connection attempt, the following error shows in the event viewer under System on the server with Event ID 20271:
"The user ##### connected from 192.168.#.# but failed an authentication attempt due to the following reason: The connection could not be established because the authentication method used by your connection profile is not permitted for use by an access policy configured on the RAS/VPN server. Specifically, this could be due to configuration differences between the authentication method selected on the RAS/VPN server and the access policy configured for it."
See screenshots of policy configuration below
Asked by: StarrateIT
 
Patrick Bogers (Datacenter platform engineer Lindows) Commented:
Hi,

The error is very straightforward: there are different protocols used to communicate. Did you set up the new server to use RADIUS or ....? Please make sure both sides speak the same language.

Oh, last-minute brainwave: do the users have dial-in rights? And secondly, I am curious: in your RRAS management toolbox, did you edit "Connections to Microsoft Routing and Remote Access Server"? (If not, RRAS connections are not possible.)
 
StarrateIT (Author) Commented:
Thanks Patricksr1972,
New server is not RADIUS. I've tried matching the authentication protocols but it still doesn't come right. User has dial-in access granted. Can you please elaborate/advise on editing "Connections to Microsoft Routing and Remote Access Server"? I've looked through the RRAS console and can't see anything out of place.
 
Rob Williams Commented:
Did you use the Essentials console wizard to create the VPN? You should, rather than using RRAS. If so, I have found that though the 812 error implies it is a server issue, it can be the wrong protocol configuration on the client.

3 'things' I would check:
- Make sure in the user's properties in the Essentials console they have the ability to connect to the VPN checked
- On the connecting client, under VPN properties, Security, make sure "allow these protocols" and "MS-CHAP v2" are checked
- On the same tab, try selecting PPTP as the VPN type rather than automatic.
 
StarrateIT (Author) Commented:
Thanks for your reply,

I used the wizard to create it and have checked those 3 items a number of times but still have the problem.
 
Patrick Bogers (Datacenter platform engineer Lindows) Commented:
Hi Again,

RRAS -> Remote Access Policies is what I was talking about.
Should look like this.
 
Rob Williams Commented:
That is interesting (RRAS policy). That is the default policy created if you build the VPN using RRAS (or the RRAS wizard), rather than the Essentials wizard. If you right click on "Remote Access Policies" you should not have a properties option but rather an option to "launch NPS". You could try right clicking on the server name in RRAS and choose disable, which should unconfigure RRAS, and then use the Essentials wizard under Anywhere Access in the console.

2011 Essentials didn't have the wizard and you had to do it manually. I blogged about it. I don't recommend using this method to configure it on 2012, but you could review it to compare configurations, they are very similar.
http://blog.lan-tech.ca/2012/01/28/sbs-2011-essentials-configuring-vpn-access/
 
StarrateIT (Author) Commented:
I deleted the ones that were created by the wizard as we had the same issue before when the wizard ones were there (812 Error and same errors in event viewer) and recreated the policies from scratch following another blog which suggested this as a resolution.
Once recreated, the same 812 error was there as before when the wizard had created the policies.

Can we re-run the wizard? How do we do this? (Do you think this would have any effect?)
When you say have you made sure the users have dial-in access, what do you mean? (As we have created a group (remote access) which is in the policy to have granted access, which the users are a part of, we have not set the Active Directory properties for the user as this is normally ignored and the NPS policy is applied?)
 
Rob Williams Commented:
It sounds like you are configuring, editing, and modifying policies within RRAS. Essentials has policies forcing the use of NPS which cannot be configured within RRAS.

As mentioned, I would disable RRAS in the RRAS console. This will effectively uninstall it. Then go to the Windows Server 2012 Essentials Dashboard, under the home page click "Set up Anywhere Access". (Or from Settings, Anywhere Access, Configure). You can see details in the following link:
http://technet.microsoft.com/en-us/library/jj635063.aspx
This configures RRAS, NPS, and sets RRAS to use NPS policies.  You then, in the dashboard, go to Users, right click on a user and choose "view the account properties", select the Anywhere Access tab, and check the box "allow Virtual Private Network (VPN)".
This adds the User to the appropriate group authorized by NPS.
 
StarrateIT (Author) Commented:
We have rerun the wizard and it seems to be working properly now. Thanks everyone for all your help.
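
For anyone hitting the same Error 812, a diagnostic sketch for comparing what the server logs, what RRAS negotiates and what the NPS policies allow. This is an added example, not code posted by anyone in the thread; it assumes an elevated PowerShell session on the RRAS/NPS server, and the function name `Get-VpnAuthFailure` is hypothetical.

```powershell
# Added example (not from the thread): gather the evidence for an Error 812
# authentication-method mismatch. Run elevated on the RRAS/NPS server.

function Get-VpnAuthFailure {
    # Event ID 20271 in the System log is the event quoted in the question.
    param([int]$MaxEvents = 50)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 20271 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Message format as quoted in the question:
        # "The user <name> connected from <ip> but failed an authentication attempt ..."
        if ($e.Message -match 'The user (?<user>.+?) connected from (?<ip>\S+) but failed') {
            $user = $Matches.user
            $ip   = $Matches.ip
            # True when the failure reason is the policy / auth-method mismatch
            $mismatch = $e.Message -match 'not permitted for use by an access policy'
            [pscustomobject]@{
                Time           = $e.TimeCreated
                User           = $user
                Source         = $ip
                PolicyMismatch = $mismatch
            }
        }
    }
}

# 1. Who is failing, from where, and is it the policy mismatch each time?
Get-VpnAuthFailure |
    Group-Object User, Source, PolicyMismatch |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. Authentication types RRAS itself is willing to negotiate.
netsh ras show authtype

# 3. NPS network policies: conditions, processing order, allowed auth methods.
netsh nps show np

# 4. On a Windows 8 or later client, check the connection profile instead:
# Get-VpnConnection | Select-Object Name, TunnelType, AuthenticationMethod
```

If the methods listed in step 2 or in the client profile do not appear in the matching policy from step 3, that is the mismatch the 812 message describes.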