Solved

VPN clients can't connect - Error 812

Posted on 2013-06-28
Last Modified: 2013-07-01
Hi there,

We recently migrated one of our client's servers from SBS2008 to Server Essentials 2012. The SBS used to manage the VPN connections but now the new policy we've created on Essentials 2012 doesn't seem to be allowing any connections. Windows clients receive the following error:

Error 812 : The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

We've confirmed all necessary ports are open on the firewall (though the error message indicates to me that it's more of a policy issue rather than establishing a connection) and also tried connecting to VPN from the LAN to the server's local IP and received the same error.

We've confirmed that the user accounts connecting are in the VPN access group that we've specified in the policy, we have deleted all NPS policies and started from scratch, we have also confirmed that the static range / pool has been set.

After a failed connection attempt, the following error shows in the event viewer under System on the server with Event ID 20271
"The user ##### connected from 192.168.#.# but failed an authentication attempt due to the following reason: The connection could not be established because the authentication method used by your connection profile is not permitted for use by an access policy configured on the RAS/VPN server. Specifically, this could be due to configuration differences between the authentication method selected on the RAS/VPN server and the access policy configured for it."
See screenshots of policy configuration below
Question by:StarrateIT
9 Comments
 
LVL 23

Expert Comment

by:Patrick Bogers
ID: 39283843
Hi,

The error is very straightforward: there are different protocols used to communicate. Did you set up the new server to use RADIUS or ....? Please make sure both sides speak the same language.

Oh, last-minute brainwave: do the users have dial-in rights? And secondly, I am curious: in your RRAS management toolbox, did you edit "Connections to Microsoft Routing and Remote Access Server"? (If not, RRAS connections are not possible.)
 

Author Comment

by:StarrateIT
ID: 39284291
Thanks Patricksr1972,
New server is not RADIUS. I've tried matching the authentication protocols but it still doesn't come right. User has dial-in access granted. Can you please elaborate/advise on: edit "Connections to Microsoft Routing and Remote Access Server"? I've looked through the RRAS console and can't see anything out of place.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39284489
Did you use the Essentials console wizard to create the VPN? You should, rather than using RRAS. If so, I have found that though the 812 error implies it is a server issue, it can be the wrong protocol configuration on the client.

3 'things' I would check:
- Make sure in the user's properties in the Essentials console they have the ability to connect to the VPN checked
- On the connecting client, under VPN properties, Security, make sure "allow these protocols" and "MS Chap v2" are checked
- On the same tab, try selecting PPTP as the VPN type rather than automatic.
 

Author Comment

by:StarrateIT
ID: 39284624
Thanks for your reply,

I used the wizard to create it and have checked those 3 items a number of times but still have the problem.
 
LVL 23

Expert Comment

by:Patrick Bogers
ID: 39284655
Hi Again,

RRAS -> Remote Access Policies is what I was talking about.
Should look like this.
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39284804
That is interesting (RRAS policy). That is the default policy created if you build the VPN using RRAS (or the RRAS wizard), rather than the Essentials wizard. If you right click on "Remote Access Policies" you should not have a properties option but rather an option to "launch NPS". You could try right clicking on the server name in RRAS and choose disable, which should unconfigure RRAS, and then use the Essentials wizard under Anywhere Access in the console.

2011 Essentials didn't have the wizard and you had to do it manually. I blogged about it. I don't recommend using this method to configure it on 2012, but you could review it to compare configurations; they are very similar.
http://blog.lan-tech.ca/2012/01/28/sbs-2011-essentials-configuring-vpn-access/
 

Author Comment

by:StarrateIT
ID: 39286278
I deleted the ones that were created by the wizard, as we had the same issue before when the wizard ones were there (812 error and same errors in event viewer), and recreated the policies from scratch following another blog which suggested this as a resolution.
Once recreated, the same 812 error was there as before when the wizard had created the policies.

Can we re-run the wizard? How do we do this? (Do you think this would have any effect?)
When you say "have you made sure the users have dial-in access", what do you mean? (As we have created a group (remote access) which is in the policy to have granted access, and the users are a part of this group, we have not set the Active Directory properties for the user, as this is normally ignored and the NPS policy is applied?)
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 39288533
It sounds like you are configuring, editing, and modifying policies within RRAS. Essentials has policies forcing the use of NPS which cannot be configured within RRAS.

As mentioned, I would disable RRAS in the RRAS console. This will effectively uninstall it. Then go to the Windows Server 2012 Essentials Dashboard, and under the home page click "Set up Anywhere Access" (or from Settings, Anywhere Access, Configure). You can see details in the following link:
http://technet.microsoft.com/en-us/library/jj635063.aspx
This configures RRAS, NPS, and sets RRAS to use NPS policies.  You then, in the dashboard, go to Users, right click on a user and choose "view the account properties", select the Anywhere Access tab, and check the box "allow Virtual Private Network (VPN)".
This adds the User to the appropriate group authorized by NPS.
 

Author Closing Comment

by:StarrateIT
ID: 39292281
We have rerun the wizard and it seems to be working properly now. Thanks everyone for all your help.
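A way to collect the facts this thread keeps returning to (the Event ID 20271 failures, what RRAS will negotiate, which NPS policies exist, and what the client is configured to send), as an added example that is not part of any post above. The function names are hypothetical; it assumes an elevated PowerShell session on the server and Windows 8 or later on the client.

```powershell
# Added example, not from the thread. Function names are hypothetical.

function Get-Vpn812ServerEvidence {
    # Run elevated on the RRAS/NPS server.
    param([int]$MaxEvents = 20)

    # Recent Event ID 20271 entries (failed authentication attempts) in the System log.
    $filter = @{ LogName = 'System'; Id = 20271 }
    $events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Failures = $events | ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Message = ($_.Message -replace '\s+', ' ').Trim()
            }
        }
        # Authentication types RRAS itself is willing to negotiate.
        RrasAuthTypes    = (netsh ras show authtype) -join "`n"
        # Authentication provider RRAS uses: Windows (local NPS) or RADIUS.
        RrasAuthProvider = (netsh ras aaaa show authentication) -join "`n"
        # Network policies NPS evaluates, with their conditions and settings.
        NpsPolicies      = (netsh nps show np) -join "`n"
    }
}

function Get-Vpn812ClientSettings {
    # Run on the connecting client (Get-VpnConnection exists on Windows 8 and later).
    Get-VpnConnection |
        Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod
}

# Server:  $e = Get-Vpn812ServerEvidence; $e.Failures | Format-List; $e.NpsPolicies
# Client:  Get-Vpn812ClientSettings | Format-Table -AutoSize
```

Error 812 and Event ID 20271 both describe a mismatch, so the comparison to make is whether the client's `AuthenticationMethod` appears both in the RRAS authentication types and in the NPS policy that matches the user's group.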
Question has a verified solution.