Handheld device remote networking issues into RAS

Discussion in 'Server Networking' started by nosurfdj, Jan 20, 2006.

  1. nosurfdj

    nosurfdj Guest

    We have a bunch of NEC MobilePros, mainly 770, 780, 790s that remote users
    use to dial in to our RAS server.
    Everything was working fine until we moved RAS to a Windows 2003 server,
    from a NT Server.
    The handhelds will dial and connect to the server, but as soon as that
    happens there is a message displayed on the handhelds that says:
    responding to authentication challenge

    Another window pops up almost simultaneously that says:

    I checked the event log on the server and found this warning event:
    Source-Remote Access
    Event ID 20187
    The user domain\user failed an authentication attempt due to the following
    reason: The user could not be authenticated using Challenge Handshake
    Authentication Protocol (CHAP). A reversibly encrypted password does not
    exist for this user account. To ensure that reversibly encrypted passwords
    are enabled, check either the domain password policy or the password settings
    on the user account.

    There is another event right after it, same source
    Event ID 20014
    The user domain\user has connected and failed to authenticate on port COM1.
    The line has been disconnected.

    I don't understand why I'm getting this second event. I've created a policy
    in Routing and Remote Access to allow the group that the account is in to be
    remote access permission.
    And in regard to the first event, I don't understand why CHAP won't
    work. I've enabled the policy to allow CHAP authentication, as well as others.

    I've also checked some of the logs on the server and found some information,
    but I haven't found much information on it and what it means exactly.

    from RASAUTH log
    [4056] 10:35:31:668: IASResponse = 2, FailureReason = 0x13

    from RASCHAP log
    [3184] 01-10 10:35:31:637: CS_ChallengeSent...
    [3184] 01-10 10:35:31:668: ChapMakeMessage,RBuf=00000000
    [3184] 01-10 10:35:31:668: Result=691,Tries=2
    [3184] 01-10 10:35:31:668: CS_Done...

    [4056] 01-10 10:35:31:668: LogonUser failed: The specified directory service
    attribute or value does not exist.

    from PPP log
    [3184] 01-10 10:35:31:668: Auth Protocol c223 terminated with error 691

    from RASMAN
    Disconnecting Port 0xCOM1, reason 0

    In Active Directory, I've also disabled 2 settings that could cause problems:
    computer config/windows settings/security settings/local policies/security
    Microsoft network server: digitally sign communications (always)
    Microsoft network client: digitally sign communications (always)

    I understand that there is also a setting in AD that will store all
    passwords with reversible encryption, but it is considered a security risk.
    I haven't tried changing this setting and then dialing in. I hope there's
    other options.

    Any help is appreciated.
    nosurfdj, Jan 20, 2006
  2. Bill Grant

    Bill Grant Guest

    The message you quote tells you why CHAP isn't working. It needs the
    reversibly encrypted password option. This is off by default in server 2003.
    Bill Grant, Jan 21, 2006
  3. nosurfdj

    nosurfdj Guest

    I know what setting you are talking about in AD to store all passwords in the
    domain with reversible encryption. I've read articles that this can be a big
    security risk because the passwords of all users would be stored in plain
    text. If this is the only way to make it work, then that's what I have to
    do. I was hoping that there might be other options.

    nosurfdj, Jan 23, 2006
  4. nosurfdj

    nosurfdj Guest

    I set "Store password using reversible encryption for all users in the
    domain" on the default domain policy; this setting is found in
    computer/security/account policies/password policy.
    I then tested one of the handhelds, and I was not able to connect. Same
    thing happened that always happened.
    Am I setting it in the wrong location?

    nosurfdj, Jan 23, 2006
  5. Bill Grant

    Bill Grant Guest

    No, you do not need to use the policy to have every user in the domain
    use reversibly encrypted passwords. You can use the second option suggested
    in the error message, of setting it in the password options of the user
    account (for just the users who need this option).

    The basic essential is that the users who need to connect from handhelds
    using CHAP must have reversibly encrypted passwords.
    Bill Grant, Jan 24, 2006
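An added audit script, not from the thread, that shows the scoping Bill Grant describes: it reports whether the domain-wide "store passwords using reversible encryption" policy is on and lists only the accounts that carry the per-user flag, so the exposure can be kept to the handheld users and reverted later. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined admin workstation; the cmdlets and the LDAP bitwise matching rule are standard, the function name is mine.

```powershell
# Added example (not from the thread): audit reversible-encryption exposure in AD.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller can read AD.
Import-Module ActiveDirectory

function Get-ReversibleEncryptionExposure {
    # Domain-wide setting: the Default Domain Policy option from post 4.
    $policy = Get-ADDefaultDomainPasswordPolicy

    # Per-account setting: the "Account" tab checkbox from post 6 sets bit 0x80
    # (ENCRYPTED_TEXT_PWD_ALLOWED) in userAccountControl. The LDAP matching rule
    # 1.2.840.113556.1.4.803 is a bitwise AND, so this returns only flagged accounts.
    $flagged = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' `
                          -Properties Enabled, PasswordLastSet

    [pscustomobject]@{
        DomainWideReversible = $policy.ReversibleEncryptionEnabled
        FlaggedAccounts      = @($flagged | Select-Object SamAccountName, Enabled, PasswordLastSet)
    }
}

$report = Get-ReversibleEncryptionExposure

if ($report.DomainWideReversible) {
    Write-Warning 'Reversible encryption is enabled for ALL domain accounts; scope it to the handheld users instead.'
}

# The flag only affects passwords set AFTER it was enabled: an account whose
# PasswordLastSet predates the change still has no reversible copy and will keep
# failing CHAP with event 20187 until its password is reset.
$report.FlaggedAccounts | Format-Table -AutoSize
```

Run it before and after enabling the per-account option so the list of flagged accounts stays limited to the users who actually dial in with CHAP.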
  6. nosurfdj

    nosurfdj Guest

    I think I know what you're referring to. If you open the user account, under
    the Account tab you can choose to store that user's password with reversible
    encryption. That didn't work either.

    nosurfdj, Jan 24, 2006
  7. nosurfdj

    nosurfdj Guest

    Found the solution:
    Turned off EAP and MSChap v2 on the RAS server.
    Then had to set a registry key on the RAS server:
    set Allow LM Authentication = 1

    nosurfdj, Jan 27, 2006
