Solved

VPN Error 691

Posted on 2013-11-15
Last Modified: 2014-07-25
I have found many articles referring to VPN Error 691 but no definitive answer. It is suggested by the error that username and/or password is invalid on the domain.  Here is some more information -

I recently took over from the IT Manager who copied his account to create mine, so I effectively have all the same permissions.  There is one specific to our VPN and I have made sure I am within this group.  I know the VPN is set up correctly because somebody took my laptop back to their house and tried their credentials and got on fine, they then tried mine and got the VPN 691 error.  Obviously I know my credentials to be fine (they work internally) but I have noticed the following security event on the server when it fails -

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          15/11/2013 12:25:37
Event ID:      4625
Task Category: Logon
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      UKHARINF01.goptions.local
Description:
An account failed to log on.

Subject:
      Security ID:            SYSTEM
      Account Name:            UKHARINF01$
      Account Domain:            GOPTIONS
      Logon ID:            0x3e7

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            tfurlong
      Account Domain:            GOPTIONS

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc000006a

Process Information:
      Caller Process ID:      0x174
      Caller Process Name:      C:\Windows\System32\svchost.exe

Network Information:
      Workstation Name:      
      Source Network Address:      -
      Source Port:            -

Detailed Authentication Information:
      Logon Process:            IAS
      Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
      - Transited services indicate which intermediate services have participated in this logon request.
      - Package name indicates which sub-protocol was used among the NTLM protocols.
      - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2013-11-15T12:25:37.636644400Z" />
    <EventRecordID>83218808</EventRecordID>
    <Correlation />
    <Execution ProcessID="648" ThreadID="5256" />
    <Channel>Security</Channel>
    <Computer>UKHARINF01.goptions.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">UKHARINF01$</Data>
    <Data Name="SubjectDomainName">GOPTIONS</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">tfurlong</Data>
    <Data Name="TargetDomainName">GOPTIONS</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">IAS</Data>
    <Data Name="AuthenticationPackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="WorkstationName">
    </Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x174</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          15/11/2013 12:25:37
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      UKHARINF01.goptions.local
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
      Security ID:                  NULL SID
      Account Name:                  tfurlong
      Account Domain:                  GOPTIONS
      Fully Qualified Account Name:      GOPTIONS\tfurlong

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            -
      Calling Station Identifier:            -

NAS:
      NAS IPv4 Address:            192.168.2.250
      NAS IPv6 Address:            -
      NAS Identifier:                  -
      NAS Port-Type:                  -
      NAS Port:                  0

RADIUS Client:
      Client Friendly Name:            UKHARFW01
      Client IP Address:                  192.168.2.250

Authentication Details:
      Connection Request Policy Name:      Virtual Private Network (VPN) Connections
      Network Policy Name:            -
      Authentication Provider:            Windows
      Authentication Server:            UKHARINF01.goptions.local
      Authentication Type:            MS-CHAPv2
      EAP Type:                  -
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  16
      Reason:                        Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2013-11-15T12:25:37.637644500Z" />
    <EventRecordID>83218809</EventRecordID>
    <Correlation />
    <Execution ProcessID="648" ThreadID="5256" />
    <Channel>Security</Channel>
    <Computer>UKHARINF01.goptions.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">tfurlong</Data>
    <Data Name="SubjectDomainName">GOPTIONS</Data>
    <Data Name="FullyQualifiedSubjectUserName">GOPTIONS\tfurlong</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">-</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">-</Data>
    <Data Name="CallingStationID">-</Data>
    <Data Name="NASIPv4Address">192.168.2.250</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">-</Data>
    <Data Name="NASPortType">-</Data>
    <Data Name="NASPort">0</Data>
    <Data Name="ClientName">UKHARFW01</Data>
    <Data Name="ClientIPAddress">192.168.2.250</Data>
    <Data Name="ProxyPolicyName">Virtual Private Network (VPN) Connections</Data>
    <Data Name="NetworkPolicyName">-</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">UKHARINF01.goptions.local</Data>
    <Data Name="AuthenticationType">MS-CHAPv2</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">-</Data>
    <Data Name="ReasonCode">16</Data>
    <Data Name="Reason">Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
  </EventData>
</Event>


The only odd thing I noticed was that my username on my AD account was entered as TFurlong (not tfurlong, which I use) - though I would not see why that would make a difference.  Can anybody see anything obvious from those logs?

thanks
Question by:fuzzyfreak

16 Comments
 
LVL 77

Expert Comment

by:Rob Williams
A 691 error is often mis-reported as a username or password error, but in fact it is an authentication error. Though that can be due to an incorrect username or password, it can also be a result of the GRE protocol being blocked.  Since you say the VPN works for others, that would imply the problem is the device with which you are connecting (but you say the laptop was tested) or the site from which you are trying to connect.  In this case, probably the latter.

The problem could be that the router (client site) does not support PPTP pass-through, that it is not enabled, or that there are multiple NAT devices (routers) at the client site.
 
LVL 4

Author Comment

by:fuzzyfreak
Thanks. I opened the PPTP Ports (TCP 1723 to UDP 1723) and IPSEC-IKE (TCP 500 to 500UDP, UDP 500 TO UDP 500, TCP 4500 to UDP 4500, UDP 4500 to UDP 4500) -

I then got an error, "Error 734: The PPP Link Control Protocol Was Terminated", so I tried opening the L2TP port 1701 but still get the 734 error - am I getting close?
 
LVL 77

Expert Comment

by:Rob Williams
What type of VPN is it: PPTP, L2TP, IPsec, SSTP?  691 is usually PPTP.  If so, none of those allow GRE.

PPTP uses port 1723 TCP; GRE, the second phase (authentication), is protocol 47, and there is no port association.  On most routers there is an option (this is client side) to allow PPTP pass-through, which allows GRE.  Some routers don't support it at all.
 
LVL 4

Author Comment

by:fuzzyfreak
It is an L2TP/IPSEC.

What is GRE?

Thanks
 
LVL 77

Expert Comment

by:Rob Williams
GRE is Generic Route Encapsulation, which is used for authentication but only with PPTP, so not applicable then.  If PPTP, GRE is often the cause of 691 errors.  I am mobile right now; I'll review your logs above when I get to a desk in a few hours.
 
LVL 77

Accepted Solution

by:Rob Williams (earned 500 total points)
Reviewing the logs and event ID, it is almost certainly an authentication issue.  This can be user name, password, group membership, domain name if required, or smart card PIN if used.  However, the error details imply an incorrect password.  Are you using any odd characters?  If so, try changing your password to something simpler as a test.  You might also test the VPN from the LAN using the LAN IP of the server rather than the public IP; this assures it's not a router issue.

One other thing to check is under your account in Active Directory, on the "Dial-in" tab: make sure you are not blocked from accessing; it should be set to policy based or, better still, allowed.
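Reading the two events the way this answer does, as an added example that is not part of the thread: it parses the 4625 and 6273 Event XML quoted in the question (a constructed sample cut down to the fields used), pairs them by account and timestamp, and decodes the 4625 sub-status, which is what turns "authentication issue" into "wrong password, failed at credential validation". The sub-status table is the standard NTSTATUS mapping, not something from the page.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# 4625 sub-status (NTSTATUS) codes; Status 0xC000006D is the generic wrapper, this is the reason.
SUBSTATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "user name is correct but the password is wrong",
    0xC0000072: "account is disabled",
    0xC0000234: "account is locked out",
}

# Constructed sample: the two events quoted in the question, cut down to the fields used here.
EVENT_4625 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4625</EventID><TimeCreated SystemTime="2013-11-15T12:25:37.636644400Z"/></System>
<EventData><Data Name="TargetUserName">tfurlong</Data><Data Name="Status">0xc000006d</Data>
<Data Name="SubStatus">0xc000006a</Data><Data Name="LogonProcessName">IAS</Data></EventData></Event>"""

EVENT_6273 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>6273</EventID><TimeCreated SystemTime="2013-11-15T12:25:37.637644500Z"/></System>
<EventData><Data Name="SubjectUserName">tfurlong</Data><Data Name="ClientName">UKHARFW01</Data>
<Data Name="ProxyPolicyName">Virtual Private Network (VPN) Connections</Data>
<Data Name="NetworkPolicyName">-</Data><Data Name="AuthenticationType">MS-CHAPv2</Data>
<Data Name="ReasonCode">16</Data></EventData></Event>"""

def fields(xml_text):
    """Flatten one Event XML record into {Name: value} plus its EventID and timestamp."""
    root = ET.fromstring(xml_text)
    rec = {d.get("Name"): (d.text or "").strip() for d in root.find("e:EventData", NS)}
    rec["EventID"] = root.findtext("e:System/e:EventID", namespaces=NS)
    rec["Time"] = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return rec

def correlate(xml_4625, xml_6273):
    """Pair the logon-failure 4625 with the NPS denial 6273 and say where and why it failed."""
    a, n = fields(xml_4625), fields(xml_6273)
    # Same account (Windows account names are case-insensitive, so tfurlong == TFurlong),
    # same second, and the 4625 was raised by IAS, the NPS service, rather than a console logon.
    if not (a["TargetUserName"].lower() == n["SubjectUserName"].lower()
            and a["Time"][:19] == n["Time"][:19] and a["LogonProcessName"] == "IAS"):
        return None
    sub = int(a["SubStatus"], 16)
    # A blank network policy name means NPS never got past credential validation.
    stage = ("credential validation" if n["NetworkPolicyName"] == "-"
             else "network policy " + n["NetworkPolicyName"])
    return {"user": n["SubjectUserName"], "radius_client": n["ClientName"],
            "auth": n["AuthenticationType"], "nps_reason": int(n["ReasonCode"]),
            "failed_at": stage, "why": SUBSTATUS.get(sub, "unmapped sub-status " + a["SubStatus"])}

print(correlate(EVENT_4625, EVENT_6273))
```

On a live server the same XML comes from each event's `ToXml()` as returned by `Get-WinEvent` on the Security log; the correlation is only trustworthy when both records are from the same NPS server, as they are here.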
 
LVL 4

Author Comment

by:fuzzyfreak
Thanks Rob, I shall investigate further once I am in the office.  Thanks for the idea of using the LAN IP for testing, that will help a great deal. I am using an exclamation mark in my password, so will change that too.
 
LVL 4

Author Comment

by:fuzzyfreak
I did note through the dial-in tab that under Network Access Permission, mine was set to Allow Access, whereas others are set to Control Access through NPS Network Policy, but I cannot see how that will affect it.  I have now changed my password to something simpler and also set up a new test account. Unfortunately I am not sure which internal IP I am supposed to point my VPN at - my DC or my Firewall?  Either way, after around two minutes, I get error 789.
 
LVL 77

Expert Comment

by:Rob Williams
I have been assuming this is a Windows VPN using RRAS, based on the logs. Assuming so, you want to use the LAN IP of the server running the RRAS service.

Thinking about it, I would be tempted to change the Dial-in tab setting to Control through NPS.  The logs show IAS is being used which is part of NPS and there could be qualifications you have to meet to authorize.
 
LVL 4

Author Comment

by:fuzzyfreak
I now get Error 734: The PPP link control was terminated.

One thing I have noticed is that when using this tool http://www.yougetsignal.com/tools/open-ports/

and checking my external IP for port 1723 (PPTP Port) it says it is closed even though I have opened it in my BT Home Hub.
 
LVL 77

Expert Comment

by:Rob Williams
Port forwarding only needs to be configured on the server site router and it must be as others can connect.

On the connecting computer (home) the router needs to support L2TP and IPSec pass-through. As mentioned, there is usually an option for VPN pass-through, or one for each: PPTP, L2TP, and IPSec.  This is not port forwarding or opening ports.

Have you done the test by trying to connect from the LAN to verify your account, user name and password, and group memberships are working?

If that works, make sure that the home and business sites are using different subnets.  It appears the office uses 192.168.2.x; home must use something different, such as 192.168.1.x.

In reading about the BT home hub it appears it only supports a specific version of IPSec pass-through so it may not support your VPN connection at all.
 
LVL 4

Author Comment

by:fuzzyfreak
Hi Rob, I resolved it late last night.  All I did was move my user account from the Administrators AD container into the Users one. I assume this relates to the network policy but will need to investigate.  Either way, thanks very much for your help, I'll Accept the solution that mentioned the fix once I have investigated.
 
LVL 4

Author Closing Comment

by:fuzzyfreak
Thanks!
 
LVL 77

Expert Comment

by:Rob Williams
I would check the allowed groups in the policies within the NPS console.
Thanks fuzzyfreak
 
LVL 4

Author Comment

by:fuzzyfreak
No, it relates to group policy - that OU uses a different policy.
 
LVL 77

Expert Comment

by:Rob Williams
Understood, but the policy used usually defines the groups within NPS.  Each OU can use a different NPS policy, or maybe you have bypassed NPS.  Regardless glad to hear you have it working.