VPN Authentication error 691

Discussion in 'Windows Small Business Server' started by Piper Alpha, May 17, 2005.

  1. Piper Alpha

    Piper Alpha Guest

    SBS 2003 Standard 1 NIC. When a user tries to open a VPN connection to the
    SBS server they get the following : Error 691, Access was denied because the
    username and/or password was invalid on the domain. I have performed the
    following troubleshooting tasks.
    Created new user called remote1 using mobile user template.
    Re-ran CEICW
    Re-ran remote access wizard
    Set up connection on the SBS machine - same result, even using administrator
    account.
    Set up connection on LAN PC - same result as above

    The following RRAS events appear
    Event Type: Warning
    Event Source: RemoteAccess
    Event Category: None
    Event ID: 20014
    Date: 17/05/2005
    Time: 14:06:42
    User: N/A
    Computer: JRSBS
    Description:
    The user JRE.LOCAL\remote1 has connected and failed to authenticate on port
    VPN4-3. The line has been disconnected.



    Event Type: Warning
    Event Source: RemoteAccess
    Event Category: None
    Event ID: 20189
    Date: 17/05/2005
    Time: 14:06:42
    User: N/A
    Computer: JRSBS
    Description:
    The user JRE.LOCAL\remote1 connected from 10.0.0.5 but failed an
    authentication attempt due to the following reason: %%4145

    Does anyone know what the 4145 refers to?

    Piper Alpha
     
    Piper Alpha, May 17, 2005
    #1
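
Added example (not part of the original post): the two RRAS warnings quoted above describe one failed attempt from two angles, with 20014 carrying the port and 20189 carrying the source address and reason code. This Python sketch parses an Event Viewer text export in that layout and joins the records by user and timestamp. The function names and the third sample record are assumptions made for illustration, and the reason code is carried through as logged, without being interpreted.

```python
import re
from collections import defaultdict

# Constructed sample in the Event Viewer text layout quoted in the post. The
# first two records reuse the values shown there; the third is invented.
SAMPLE = r"""Event ID: 20014
Date: 17/05/2005
Time: 14:06:42
Description:
The user JRE.LOCAL\remote1 has connected and failed to authenticate on port
VPN4-3. The line has been disconnected.

Event ID: 20189
Date: 17/05/2005
Time: 14:06:42
Description:
The user JRE.LOCAL\remote1 connected from 10.0.0.5 but failed an
authentication attempt due to the following reason: %%4145

Event ID: 20189
Date: 17/05/2005
Time: 14:09:10
Description:
The user JRE.LOCAL\remote1 connected from 10.0.0.5 but failed an
authentication attempt due to the following reason: %%4145
"""

HEADER = re.compile(r"^(Event ID|Date|Time):\s*(.+?)\s*$", re.M)
DESC = {"user": r"The user (\S+)", "src": r"connected from (\S+)",
        "port": r"on port (\S+?)\.", "reason": r"reason: (%%\d+)"}

def parse_events(text):
    """Split the export into records and pull the fields out of each one."""
    events = []
    for block in re.split(r"\n\s*\n(?=Event )", text.strip()):
        head, _, desc = block.partition("Description:")
        ev = dict(HEADER.findall(head))
        desc = " ".join(desc.split())  # rejoin wrapped description lines
        ev.update({k: m.group(1) for k, p in DESC.items() if (m := re.search(p, desc))})
        events.append(ev)
    return events

def merge_attempts(events):
    """Join the 20014 and 20189 records of one attempt (same user and time)."""
    attempts = defaultdict(dict)
    for ev in events:
        a = attempts[(ev.get("user"), ev["Date"], ev["Time"])]
        a.update(ev, ids=a.get("ids", []) + [ev["Event ID"]])
    return dict(attempts)
```

An attempt whose merged record lacks a `port` or a `src` had only one of the two warnings in the export, which is worth noting when reviewing repeated failures for one account.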

  2. Piper Alpha

    Crina Li Guest

    Hi Piper,

    Thank you for posting in SBS newsgroup.

    From the description, I understand that one user cannot establish the VPN
    connection to the SBS server from external network. The connections were
    dropped during verifying the username and password procedure.

    SBS does not support VPN Server on a single NIC based machine. Since the
    SBS has only one NIC, it is unsafe to connect it to the internal network
    and the external network at the same time to work as a VPN server. For a
    single NIC based SBS, a general network diagram is that there is a
    firewall/router outside the SBS. If so, we should enable the VPN server on
    the Firewall/Router.

    If you want to use VPN on the SBS, please add another NIC to SBS.

    In addition, I would like to provide the following information for your
    reference. However, these steps are not officially supported since it is
    on a single NIC SBS.

    1. Make sure the user has the permission to access the server from network:

    1) Click Start, point to Administrative Tools and click Domain Controller
    Security Policy.
    2) Expand Local Policies and click User Rights Assignment.
    3) Double-click "Access this computer from network" on the right pane.
    4) If the user is not listed, click Add to add the user.
    5) Make sure the user is not in the list for "Deny Access to this computer
    from the network".
    6) Run the "gpupdate /force" command to refresh the policies.
    7) Try to connect from the user.

    2. Reset the password for the user.
    3. Please follow the steps of the KB article:

    826157 "Error 691" Error Message When You Log On to a Windows Server
    2003-Based
    http://support.microsoft.com/?id=826157

    4. Strictly follow the instructions in the following KB articles to
    configure TCP/IP and then run ICW:

    309633 How to Configure a SBS for Full Time Internet Access with a Single
    http://support.microsoft.com/?id=309633

    5. Verify the settings in the Local Policy of the SBS/VPN server:

    1) Open Administrative Tools | Local Security Policy
    2) Point to Local Policies | User Rights Assignment
    3) Double click "Access this computer from network", make sure this user
    has the permission.

    6. Open Services MMC, and then double check if the Netlogon service is
    started. Without this service started, there is no way for the RRAS
    server to authenticate the user.
    7. Check if the user is denied dial-in access. I suggest that you check the
    following settings:

    1) Open AD user & computer mmc, and right click the
    User->Properties->Dial-in, and then select "Allow access".
    2) Click OK to confirm

    Also, I suggest that you check if there is any other policy other than
    default policy "Allow access if dial-in permission is enabled" is listed in
    IAS mmc. If not, please remove other policy to test the situation.

    I suggest that you refer to the following article for more related
    information:

    317588.KB.EN-US HOW TO: Configure a Primary Internet Authentication Service
    Server on a
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;317588

    323415.KB.EN-US HOW TO: Set Up Routing and Remote Access for an Intranet in
    Windows
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;323415

    Hope the information helps.


    Best regards,

    Crina Li (MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Crina Li, May 18, 2005
    #2