Solved

VPN clients can't connect - Error 812

Posted on 2013-06-28
Last Modified: 2013-07-01
Hi there,

We recently migrated one of our client's servers from SBS2008 to Server Essentials 2012. The SBS used to manage the VPN connections, but now the new policy we've created on Essentials 2012 doesn't seem to be allowing any connections. Windows clients receive the following error:

Error 812 : The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

We've confirmed all necessary ports are open on the firewall (though the error message indicates to me that it's more of a policy issue rather than establishing a connection) and also tried connecting to VPN from the LAN to the server's local IP and received the same error.

We've confirmed that the user accounts connecting are in the VPN access group that we've specified in the policy, we have deleted all NPS policies and started from scratch, we have also confirmed that the static range / pool has been set.

After a failed connection attempt, the following error shows in the Event Viewer under System on the server with Event ID 20271:

"The user ##### connected from 192.168.#.# but failed an authentication attempt due to the following reason: The connection could not be established because the authentication method used by your connection profile is not permitted for use by an access policy configured on the RAS/VPN server. Specifically, this could be due to configuration differences between the authentication method selected on the RAS/VPN server and the access policy configured for it."

See screenshots of policy configuration below
[Screenshots: NPS1 to NPS9]
Question by:StarrateIT
9 Comments
 
LVL 22

Expert Comment

by:Patrick Bogers
ID: 39283843
Hi,

The error is very straightforward: there are different protocols used to communicate. Did you set up the new server to use RADIUS or ....? Please make sure both sides speak the same language.

Oh, last-minute brainwave: do the users have dial-in rights? And secondly, I am curious: in your RRAS management toolbox, did you edit "Connections to Microsoft Routing and Remote Access Server"? (If not, RRAS connections are not possible.)
0
 

Author Comment

by:StarrateIT
ID: 39284291
Thanks Patricksr1972,
New server is not RADIUS. I've tried matching the authentication protocols but it still doesn't come right. User has dial-in access granted. Can you please elaborate/advise on editing "Connections to Microsoft Routing and Remote Access Server"? I've looked through the RRAS console and can't see anything out of place.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39284489
Did you use the Essentials console wizard to create the VPN? You should, rather than using RRAS. If so, I have found that, though the 812 error implies it is a server issue, it can be the wrong protocol configuration on the client.

3 'things' I would check:
- Make sure in the user's properties in the Essentials console they have the ability to connect to the VPN checked
- On the connecting client, under VPN properties, Security, make sure "allow these protocols" and "MS Chap v2" are checked
- On the same tab, try selecting PPTP as the VPN type rather than automatic.
0
 

Author Comment

by:StarrateIT
ID: 39284624
Thanks for your reply,

I used the wizard to create it and have checked those 3 items a number of times but still have the problem.
0
 
LVL 22

Expert Comment

by:Patrick Bogers
ID: 39284655
Hi Again,

RRAS -> Remote Access Policies is what I was talking about.
Should look like this.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39284804
That is interesting (RRAS policy). That is the default policy created if you build the VPN using RRAS (or the RRAS wizard), rather than the Essentials wizard. If you right click on "Remote Access Policies" you should not have a properties option but rather an option to "launch NPS". You could try right clicking on the server name in RRAS and choose disable, which should unconfigure RRAS, and then use the Essentials wizard under Anywhere Access in the console.

2011 Essentials didn't have the wizard and you had to do it manually. I blogged about it. I don't recommend using this method to configure it on 2012, but you could review it to compare configurations; they are very similar.
http://blog.lan-tech.ca/2012/01/28/sbs-2011-essentials-configuring-vpn-access/
0
 

Author Comment

by:StarrateIT
ID: 39286278
I deleted the ones that were created by the wizard, as we had the same issue before when the wizard ones were there (812 error and same errors in Event Viewer), and recreated the policies from scratch following another blog which suggested this as a resolution.
Once recreated, the same 812 error was there as before when the wizard had created the policies.

Can we re-run the wizard? How do we do this? (Do you think this would have any effect?)
When you say "have you made sure the users have dial-in access", what do you mean? (We have created a group (remote access), which is in the policy to have granted access, and the users are a part of this group. We have not set the Active Directory properties for the user, as this is normally ignored and the NPS policy is applied?)
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 39288533
It sounds like you are configuring, editing, and modifying policies within RRAS. Essentials has policies forcing the use of NPS which cannot be configured within RRAS.

As mentioned, I would disable RRAS in the RRAS console. This will effectively uninstall it. Then go to the Windows Server 2012 Essentials Dashboard, and under the home page click "Set up Anywhere Access" (or from Settings, Anywhere Access, Configure). You can see details in the following link:
http://technet.microsoft.com/en-us/library/jj635063.aspx
This configures RRAS, NPS, and sets RRAS to use NPS policies. You then, in the dashboard, go to Users, right click on a user and choose "view the account properties", select the Anywhere Access tab, and check the box "allow Virtual Private Network (VPN)".
This adds the user to the appropriate group authorized by NPS.
0
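
A read-only way to check the server side of an Error 812 after following the steps above, as an added example that is not part of the original answer. It lists the 20271 events quoted in the question, the NPS denial events (Event ID 6273 and its field names are not mentioned in the thread), the authentication types RRAS offers, and the NPS network policies; `<VPN-ACCESS-GROUP>` is a placeholder for the group named in the policy, and the 24-hour window is an assumption.

```powershell
# Added example: collect server-side evidence for VPN Error 812.
# Run from an elevated PowerShell prompt on the RRAS/NPS server. Read-only.
$since    = (Get-Date).AddHours(-24)     # assumed look-back window
$vpnGroup = '<VPN-ACCESS-GROUP>'         # placeholder: group named in the NPS policy

# Return one event's named EventData fields as a name -> value table.
function Get-EventFields($evt) {
    $fields = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $fields[$d.Name] = $d.'#text' }
    }
    $fields
}

# 1. RRAS rejections: Event ID 20271 in the System log (quoted in the question).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 20271; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# 2. NPS denials: Event ID 6273 in the Security log (logged only when NPS
#    auditing is enabled). Shows which network policy matched and why it refused.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = $f['SubjectUserName']
            Policy     = $f['NetworkPolicyName']
            AuthType   = $f['AuthenticationType']
            ReasonCode = $f['ReasonCode']
            Reason     = $f['Reason']
        }
    } | Format-Table -AutoSize -Wrap

# 3. Authentication types RRAS offers, then the NPS network policies that
#    must permit at least one of them for the connecting group.
netsh ras show authtype
netsh nps show np

# 4. Members of the VPN access group referenced by the policy.
Get-ADGroupMember -Identity $vpnGroup | Select-Object Name, SamAccountName
```

If step 2 returns nothing while step 1 shows rejections, NPS auditing is likely off or the request never reached an NPS policy, which is consistent with policies having been edited in RRAS rather than NPS.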
 

Author Closing Comment

by:StarrateIT
ID: 39292281
We have rerun the wizard and it seems to be working properly now. Thanks everyone for all your help.
0

Question has a verified solution.
