Solved

VPN clients can't connect - Error 812

Posted on 2013-06-28
Last Modified: 2013-07-01
Hi there,

We recently migrated one of our client's servers from SBS2008 to Server Essentials 2012. The SBS used to manage the VPN connections but now the new policy we've created on Essentials 2012 doesn't seem to be allowing any connections. Windows clients receive the following error:

Error 812 : The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

We've confirmed all necessary ports are open on the firewall (though the error message indicates to me that it's more of a policy issue rather than establishing a connection) and also tried connecting to VPN from the LAN to the server's local IP and received the same error.

We've confirmed that the user accounts connecting are in the VPN access group that we've specified in the policy, we have deleted all NPS policies and started from scratch, we have also confirmed that the static range / pool has been set.

After a failed connection attempt, the following error shows in the event viewer under System on the server with Event ID 20271:
"The user ##### connected from 192.168.#.# but failed an authentication attempt due to the following reason: The connection could not be established because the authentication method used by your connection profile is not permitted for use by an access policy configured on the RAS/VPN server. Specifically, this could be due to configuration differences between the authentication method selected on the RAS/VPN server and the access policy configured for it."
See screenshots of policy configuration below
Question by:StarrateIT
9 Comments
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39283843
Hi,

The error is very straightforward, there are different protocols used to communicate. Did you set up the new server to use RADIUS or ....? Please make sure both sides speak the same language.

Oh, last-minute brainwave: do the users have dial-in rights? And secondly, I am curious: in your RRAS management toolbox, did you edit "Connections to Microsoft Routing and Remote Access Server"? (If not, RRAS connections are not possible.)
0
 

Author Comment

by:StarrateIT
ID: 39284291
Thanks Patricksr1972,
New server is not RADIUS. I've tried matching the authentication protocols but it still doesn't come right. User has dial-in access granted. Can you please elaborate/advise on "edit "Connections to Microsoft Routing and Remote Access Server""? I've looked through the RRAS console and can't see anything out of place.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39284489
Did you use the Essentials console wizard to create the VPN? You should, rather than using RRAS. If so, I have found that though the 812 error implies it is a server issue, it can be the wrong protocol configuration on the client.

3 'things' I would check:
- Make sure in the user's properties in the Essentials console they have the ability to connect to the VPN checked
- On the connecting client, under VPN properties, Security, make sure "allow these protocols" and "MS Chap v2" are checked
- On the same tab, try selecting PPTP as the VPN type rather than automatic.
0
 

Author Comment

by:StarrateIT
ID: 39284624
Thanks for your reply,

I used the wizard to create it and have checked those 3 items a number of times but still have the problem.
0
 
LVL 19

Expert Comment

by:Patricksr1972
ID: 39284655
Hi Again,

RRAS -> Remote Access Policies is what I was talking about.
Should look like this.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39284804
That is interesting (RRAS policy). That is the default policy created if you build the VPN using RRAS (or the RRAS wizard), rather than the Essentials wizard. If you right click on "Remote Access Policies" you should not have a properties option but rather an option to "launch NPS". You could try right clicking on the server name in RRAS and choose disable, which should unconfigure RRAS, and then use the Essentials wizard under Anywhere Access in the console.

2011 Essentials didn't have the wizard and you had to do it manually. I blogged about it. I don't recommend using this method to configure it on 2012, but you could review it to compare configurations, they are very similar.
http://blog.lan-tech.ca/2012/01/28/sbs-2011-essentials-configuring-vpn-access/
0
 

Author Comment

by:StarrateIT
ID: 39286278
I deleted the ones that were created by the wizard as we had the same issue before when the wizard ones were there (812 Error and same errors in event viewer) and recreated the policies from scratch following another blog which suggested this as a resolution.
Once recreated, the same 812 error was there as before when the wizard had created the policies.

Can we re-run the wizard? How do we do this? (Do you think this would have any effect?)
When you say have you made sure the users have dial-in access, what do you mean? (As we have created a group (remote access) which is in the policy to have granted access, which the users are a part of, we have not set the Active Directory properties for the user as this is normally ignored and the NPS policy is applied?)
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 39288533
It sounds like you are configuring, editing, and modifying policies within RRAS. Essentials has policies forcing the use of NPS which cannot be configured within RRAS.

As mentioned, I would disable RRAS in the RRAS console. This will effectively uninstall it. Then go to the Windows Server 2012 Essentials Dashboard, under the home page click "Set up Anywhere Access". (Or from Settings, Anywhere Access, Configure). You can see details in the following link:
http://technet.microsoft.com/en-us/library/jj635063.aspx
This configures RRAS, NPS, and sets RRAS to use NPS policies.  You then, in the dashboard, go to Users, right click on a user and choose "view the account properties", select the Anywhere Access tab, and check the box "allow Virtual Private Network (VPN)".
This adds the User to the appropriate group authorized by NPS.
0
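
An added example, not posted by anyone in this thread: a PowerShell sketch for lining up the three places the authentication method has to agree (RRAS, the NPS network policy, and the client profile). It assumes NPS auditing is enabled so that denials are logged as Security event 6273, and that the client runs Windows 8 or later so `Get-VpnConnection` is available; the function names are made up for this example.

```powershell
# Added example (not from the thread). Run elevated on the RRAS/NPS server.

# 1. RRAS authentication failures: Event ID 20271 in the System log, as quoted in the question.
function Get-RrasAuthFailure {
    param([int]$Days = 1)
    $filter = @{ LogName = 'System'; Id = 20271; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.Message -match 'The user (?<user>\S+) connected from (?<ip>\S+) but failed') {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                User           = $Matches['user']
                Source         = $Matches['ip']
                # True when the text is the policy/authentication-method mismatch from the question
                PolicyMismatch = $_.Message -like '*not permitted for use by an access policy*'
            }
        }
    }
}

# 2. NPS denials (assumption: NPS auditing is on, so Security event 6273 is written).
#    Shows which network policy matched and which authentication type the client offered.
function Get-NpsDenial {
    param([int]$Days = 1)
    $filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $m = $_.Message
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Policy   = if ($m -match 'Network Policy Name:\s+(.+)') { $Matches[1].Trim() }
            AuthType = if ($m -match 'Authentication Type:\s+(.+)') { $Matches[1].Trim() }
            Reason   = if ($m -match 'Reason:\s+(.+)') { $Matches[1].Trim() }
        }
    }
}

Get-RrasAuthFailure -Days 1 | Sort-Object Time | Format-Table -AutoSize
Get-NpsDenial -Days 1 | Sort-Object Time | Format-Table -AutoSize -Wrap

# 3. Dump the NPS network policies to compare their allowed authentication
#    methods and group conditions against the AuthType column above.
netsh nps show np

# 4. On the connecting client (Windows 8 or later), not on the server:
#    Get-VpnConnection | Select-Object Name, TunnelType, AuthenticationMethod, EncryptionLevel
```

If the 6273 entries show a policy name other than the one created by the Anywhere Access wizard, the request is being matched by a leftover or hand-built policy, which is the situation the accepted solution resolves by disabling RRAS and re-running the wizard.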
 

Author Closing Comment

by:StarrateIT
ID: 39292281
We have rerun the wizard and it seems to be working properly now. Thanks everyone for all your help.
0
