Windows 2003 RRAS - VPN - NT Users not authenticating

Hi,

I've got a Windows 2003 (R2) SP2 server. It has RRAS installed. I've set it
to be a VPN server.

It is joined to my active directory domain_A. Users within the active
directory domain_A can VPN in fine - works perfectly.

I've got users in another domain (NT domain_B). These users get error 691.
With RAS tracing in the log i can see that authentciation happens but then i
get the following problems:

[836] 07-21 17:20:55:609: NT-SAM Names handler received request with user
identity NT_DOMAIN_B\username.
[836] 07-21 17:20:55:609: Username is already an NT4 account name.
[836] 07-21 17:20:55:609: SAM-Account-Name is "NT_DOMAIN_B\username".
[836] 07-21 17:20:55:609: NT-SAM Authentication handler received request for
NT_DOMAIN_B\username.
[836] 07-21 17:20:55:609: Processing MS-CHAP v2 authentication.
[836] 07-21 17:20:55:625: LogonUser succeeded.
[836] 07-21 17:20:55:625: NT-SAM User Authorization handler received request
for NT_DOMAIN_B\username.
[836] 07-21 17:20:56:236: Failed to connect to the cached DC, try DC locator
....
[836] 07-21 17:21:11:265: Failed to connect to the DC discovered by DC
locator, try DC enumerator ...
[836] 07-21 17:21:11:265: Using downlevel dial-in parameters.
[836] 07-21 17:21:11:265: Could not open an LDAP connection to domain
NT_DOMAIN_B.
[836] 07-21 17:21:11:265: NTDomain::getConnection failed: No more data is
available.
[836] 07-21 17:21:11:265: Retrying LDAP search.
[836] 07-21 17:21:11:265: Could not open an LDAP connection to domain
NT_DOMAIN_B.
[836] 07-21 17:21:11:265: NTDomain::getConnection failed: No more data is
available.
[836] 07-21 17:21:11:265: Per-user attribute retrieval failed: No more data
is available.

Please note that full trusts are in place. I had an old Win 2k server that
the exact same setup worked on. The only difference here is i'm now using
2003 (R2) SP2.

Does anyone have any ideas why this might be?

Thanks.

 

Hi
-Is that Domain in the same forest?
-Not sure if you can use a RRAS server from a different forest to
authenticate VPN users from a diferent domain/forest!!!
-But in case of supported, check name resolution for RRAS and DCs in both
ends of the forests, they should be able to solve each other names without
problems, also check WINS in case of the ther Domain/Forest is using NT4.
-Is the RRAS server directly connected to internet? Are you using PPTP or
L2TP? IIRC the hardware modem/router must support protocol 47 (GRE) to pass
that.

-Check at Networking NewsGroups they can provid you better help there.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services

 

Thanks,

The AD domain is the root forest.
The NT domain has a two way trust to it.
All DNS seems to work.
RRAS server has an internal DMZ ip which is NATd for external IP.
I'm using whatever protocol the default is and firewall is not blocking any
traffic.

Thanks,

 

See inline

And the users are from the NT domain? Remember NT4 relies on WINS for name
resolution.

The Fact they are working doesn't mean that are correctly configured in the
clients, but since you mentioned NT4 and separated forests check WINS.

Not all FW/Hardware support Generic Route Encapsulation (GRE-Protocol 47,
NOT PORT 47, different things) which is needed for that.
http://support.microsoft.com/kb/241251
http://poptop.sourceforge.net/dox/gre-protocol-unavailable.phtml

But once again check at Network News Groups for these questions, they can
provide you with better help there.
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services