VPN sometimes works and sometimes not - Error 691

Discussion in 'Windows Small Business Server' started by Stefan Schmidhammer, Feb 28, 2006.

  1. Hi NG,

    We have a SBS 2003 that works as a DC and a Windows Server 2003 with ISA
    Firewall 2004.
    VPN is enabled on the ISA Server and the users that should have access
    to the VPN are in the "Remote Users" or "Mobile Users" Group on the DC.

    Now we face this problem:
    If we start the ISA and the DC VPN works fine. Everybody can log in, no
    error messages or warnings.

    However after some time VPN stops working. We always get the Error 691:
    "Access denied because username and/or password is invalid on the domain."

    And after some time it starts working again!!

    Because the connection seems to work but the authentification fails I
    think the problem is on the SBS 2003.

    What could be the reason for this behaviour?

    regards
    Stefan
     
    Stefan Schmidhammer, Feb 28, 2006
    #1
    1. Advertisements

  2. Stefan Schmidhammer

    Crina Li Guest

    Hi Stefan,

    Thank you for posting in SBS newsgroup.

    From the description, I understand you have a SBS server and a Windows 2003
    server with ISA 2004 installed. And now you have enabled VPN on ISA server,
    do you mean you have enabled VPN on windows server 2003 not on SBS?

    To narrow down the problem, would you please help me collect the following
    information?

    1. Is Windows 2003 a member server on SBS domain? Are the following
    conditions true for SBS?

    1) Only one computer in a domain can be running Windows Small Business
    Server 2003.
    2) Windows Small Business Server 2003 must be the root of the Active
    Directory forest.
    3) Windows Small Business Server 2003 cannot trust any other domains.
    4) A Windows Small Business Server 2003 domain cannot have any child
    domains.
    5) Each additional computer running Windows Server 2003 must have a Windows
    Small Business Server 2003 client access license (CAL).
    6) A Windows Small Business Server 2003 domain can have no more than 75
    CALs. You can use CALs for each user or for each device.

    2. Are you creating VPN to SBS or Windows 2003?
    3. Open "Active Directory Users and Computers" on SBS, double click a user
    account. In the "Dial-in" label, please check if the "Allow access"
    permission is selected.
    4. Verify the settings in the Local Policy of the SBS/VPN server:

    1) Open Adminitrative Tools | Local Security Policy.
    2) Point to Local Policies | User Rights Assignment.
    3) Double click "Access this computer from network", make sure this user
    has the permission.

    5. Open Services MMC on SBS, and then double check if the Netlogon service
    is started. Without this service started, there is was no way for the RRAS
    server to authenticate the user.
    6. check the following KB to see if it helps:

    826157 "Error 691" Error Message When You Log On to a Windows Server
    2003-Based
    http://support.microsoft.com/?id=826157

    I appreciate your time and look forward to hearing from you.

    Best regards,

    Crina Li (MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.

    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
    --------------------
    | Date: Tue, 28 Feb 2006 13:38:44 +0100
    | From: Stefan Schmidhammer <>
    | User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)
    | X-Accept-Language: de-DE, de, en-us, en
    | MIME-Version: 1.0
    | Subject: VPN sometimes works and sometimes not - Error 691
    | Content-Type: text/plain; charset=ISO-8859-15; format=flowed
    | Content-Transfer-Encoding: 7bit
    | Message-ID: <>
    | Newsgroups: microsoft.public.windows.server.sbs
    | NNTP-Posting-Host: chello080109134164.tirol.surfer.at 80.109.134.164
    | Lines: 1
    | Path: TK2MSFTNGXA03.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl
    | Xref: TK2MSFTNGXA03.phx.gbl microsoft.public.windows.server.sbs:248104
    | X-Tomcat-NG: microsoft.public.windows.server.sbs
    |
    | Hi NG,
    |
    | We have a SBS 2003 that works as a DC and a Windows Server 2003 with ISA
    | Firewall 2004.
    | VPN is enabled on the ISA Server and the users that should have access
    | to the VPN are in the "Remote Users" or "Mobile Users" Group on the DC.
    |
    | Now we face this problem:
    | If we start the ISA and the DC VPN works fine. Everybody can log in, no
    | error messages or warnings.
    |
    | However after some time VPN stops working. We always get the Error 691:
    | "Access denied because username and/or password is invalid on the domain."
    |
    | And after some time it starts working again!!
    |
    | Because the connection seems to work but the authentification fails I
    | think the problem is on the SBS 2003.
    |
    | What could be the reason for this behaviour?
    |
    | regards
    | Stefan
    |
     
    Crina Li, Mar 1, 2006
    #2
    1. Advertisements

  3. Hi Crina Li,

    I've checked all your points and the KB article and everything seems ok.
    We have only one domain and the two servers are part of it. Only one
    server is a SBS. The VPN server is installed on the windows server 2003
    and ISA created the firewall rules automatically.

    The strange thing is that it works, sometimes. There must be triggered
    some sort of limit or something else with the user authentification.
    However I don't think it's some user specified setting because if VPN
    stops working nobody can login with VPN, neither a administrator nor a user.

    Is it possible that the windows server 2003 looses connection to the
    active directory or cannot valid users anymore altough the network works
    completly fine?

    Stefan


    schrieb:
     
    Stefan Schmidhammer, Mar 2, 2006
    #3
  4. Stefan Schmidhammer

    Crina Li Guest

    Hi Stefan,

    Thanks for your update.

    Based on the information you provided, this should be an issue regarding
    Windows Server 2003. Please post it to
    Microsoft.public.windows.server.general newsgroup. The reason why we
    recommend posting appropriately is you will get the most qualified pool of
    respondents, and other partners who read the newsgroups regularly can
    either share their knowledge or learn from your interaction with us. Thanks
    for your understanding.

    Best regards,

    Crina Li (MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.

    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
    --------------------
    | Date: Thu, 02 Mar 2006 12:03:12 +0100
    | From: Stefan Schmidhammer <>
    | User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)
    | X-Accept-Language: de-DE, de, en-us, en
    | MIME-Version: 1.0
    | Subject: Re: VPN sometimes works and sometimes not - Error 691
    | References: <>
    <>
    | In-Reply-To: <>
    | Content-Type: text/plain; charset=ISO-8859-15; format=flowed
    | Content-Transfer-Encoding: 7bit
    | Message-ID: <>
    | Newsgroups: microsoft.public.windows.server.sbs
    | NNTP-Posting-Host: chello080109134164.tirol.surfer.at 80.109.134.164
    | Lines: 1
    | Path: TK2MSFTNGXA03.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
    | Xref: TK2MSFTNGXA03.phx.gbl microsoft.public.windows.server.sbs:248727
    | X-Tomcat-NG: microsoft.public.windows.server.sbs
    |
    | Hi Crina Li,
    |
    | I've checked all your points and the KB article and everything seems ok.
    | We have only one domain and the two servers are part of it. Only one
    | server is a SBS. The VPN server is installed on the windows server 2003
    | and ISA created the firewall rules automatically.
    |
    | The strange thing is that it works, sometimes. There must be triggered
    | some sort of limit or something else with the user authentification.
    | However I don't think it's some user specified setting because if VPN
    | stops working nobody can login with VPN, neither a administrator nor a
    user.
    |
    | Is it possible that the windows server 2003 looses connection to the
    | active directory or cannot valid users anymore altough the network works
    | completly fine?
    |
    | Stefan
    |
    |
    | schrieb:
    | > Hi Stefan,
    | >
    | > Thank you for posting in SBS newsgroup.
    | >
    | > From the description, I understand you have a SBS server and a Windows
    2003
    | > server with ISA 2004 installed. And now you have enabled VPN on ISA
    server,
    | > do you mean you have enabled VPN on windows server 2003 not on SBS?
    | >
    | > To narrow down the problem, would you please help me collect the
    following
    | > information?
    | >
    | > 1. Is Windows 2003 a member server on SBS domain? Are the following
    | > conditions true for SBS?
    | >
    | > 1) Only one computer in a domain can be running Windows Small Business
    | > Server 2003.
    | > 2) Windows Small Business Server 2003 must be the root of the Active
    | > Directory forest.
    | > 3) Windows Small Business Server 2003 cannot trust any other domains.
    | > 4) A Windows Small Business Server 2003 domain cannot have any child
    | > domains.
    | > 5) Each additional computer running Windows Server 2003 must have a
    Windows
    | > Small Business Server 2003 client access license (CAL).
    | > 6) A Windows Small Business Server 2003 domain can have no more than 75
    | > CALs. You can use CALs for each user or for each device.
    | >
    | > 2. Are you creating VPN to SBS or Windows 2003?
    | > 3. Open "Active Directory Users and Computers" on SBS, double click a
    user
    | > account. In the "Dial-in" label, please check if the "Allow access"
    | > permission is selected.
    | > 4. Verify the settings in the Local Policy of the SBS/VPN server:
    | >
    | > 1) Open Adminitrative Tools | Local Security Policy.
    | > 2) Point to Local Policies | User Rights Assignment.
    | > 3) Double click "Access this computer from network", make sure this
    user
    | > has the permission.
    | >
    | > 5. Open Services MMC on SBS, and then double check if the Netlogon
    service
    | > is started. Without this service started, there is was no way for the
    RRAS
    | > server to authenticate the user.
    | > 6. check the following KB to see if it helps:
    | >
    | > 826157 "Error 691" Error Message When You Log On to a Windows Server
    | > 2003-Based
    | > http://support.microsoft.com/?id=826157
    | >
    | > I appreciate your time and look forward to hearing from you.
    | >
    | > Best regards,
    | >
    | > Crina Li (MSFT)
    | >
    | > Microsoft CSS Online Newsgroup Support
    | >
    | > Get Secure! - www.microsoft.com/security
    | >
    | > =====================================================
    | > This newsgroup only focuses on SBS technical issues. If you have issues
    | > regarding other Microsoft products, you'd better post in the
    corresponding
    | > newsgroups so that they can be resolved in an efficient and timely
    manner.
    | > You can locate the newsgroup here:
    | > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
    | >
    | > When opening a new thread via the web interface, we recommend you check
    the
    | > "Notify me of replies" box to receive e-mail notifications when there
    are
    | > any updates in your thread. When responding to posts via your
    newsreader,
    | > please "Reply to Group" so that others may learn and benefit from your
    | > issue.
    | >
    | > Microsoft engineers can only focus on one issue per thread. Although we
    | > provide other information for your reference, we recommend you post
    | > different incidents in different threads to keep the thread clean. In
    doing
    | > so, it will ensure your issues are resolved in a timely manner.
    | >
    | > For urgent issues, you may want to contact Microsoft CSS directly.
    Please
    | > check http://support.microsoft.com for regional support phone numbers.
    | >
    | > Any input or comments in this thread are highly appreciated.
    | >
    | > =====================================================
    | >
    | > This posting is provided "AS IS" with no warranties, and confers no
    rights.
    | > --------------------
    | > | Date: Tue, 28 Feb 2006 13:38:44 +0100
    | > | From: Stefan Schmidhammer <>
    | > | User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)
    | > | X-Accept-Language: de-DE, de, en-us, en
    | > | MIME-Version: 1.0
    | > | Subject: VPN sometimes works and sometimes not - Error 691
    | > | Content-Type: text/plain; charset=ISO-8859-15; format=flowed
    | > | Content-Transfer-Encoding: 7bit
    | > | Message-ID: <>
    | > | Newsgroups: microsoft.public.windows.server.sbs
    | > | NNTP-Posting-Host: chello080109134164.tirol.surfer.at 80.109.134.164
    | > | Lines: 1
    | > | Path: TK2MSFTNGXA03.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP14.phx.gbl
    | > | Xref: TK2MSFTNGXA03.phx.gbl microsoft.public.windows.server.sbs:248104
    | > | X-Tomcat-NG: microsoft.public.windows.server.sbs
    | > |
    | > | Hi NG,
    | > |
    | > | We have a SBS 2003 that works as a DC and a Windows Server 2003 with
    ISA
    | > | Firewall 2004.
    | > | VPN is enabled on the ISA Server and the users that should have
    access
    | > | to the VPN are in the "Remote Users" or "Mobile Users" Group on the
    DC.
    | > |
    | > | Now we face this problem:
    | > | If we start the ISA and the DC VPN works fine. Everybody can log in,
    no
    | > | error messages or warnings.
    | > |
    | > | However after some time VPN stops working. We always get the Error
    691:
    | > | "Access denied because username and/or password is invalid on the
    domain."
    | > |
    | > | And after some time it starts working again!!
    | > |
    | > | Because the connection seems to work but the authentification fails I
    | > | think the problem is on the SBS 2003.
    | > |
    | > | What could be the reason for this behaviour?
    | > |
    | > | regards
    | > | Stefan
    | > |
    | >
    |
     
    Crina Li, Mar 3, 2006
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.