Windows 2003 RRAS - VPN - NT Users not authenticating

Discussion in 'Server Networking' started by David Naffy, Jul 22, 2008.

  1. David Naffy

    David Naffy Guest

    Hi,

    I've got a Windows 2003 (R2) SP2 server. It has RRAS installed. I've set it
    to be a VPN server.

    It is joined to my active directory domain_A. Users within the active
    directory domain_A can VPN in fine - works perfectly.

    I've got users in another domain (NT domain_B). These users get error 691.
    With RAS tracing in the log I can see that authentication happens but then I
    get the following problems:

    [836] 07-21 17:20:55:609: NT-SAM Names handler received request with user identity NT_DOMAIN_B\username.
    [836] 07-21 17:20:55:609: Username is already an NT4 account name.
    [836] 07-21 17:20:55:609: SAM-Account-Name is "NT_DOMAIN_B\username".
    [836] 07-21 17:20:55:609: NT-SAM Authentication handler received request for NT_DOMAIN_B\username.
    [836] 07-21 17:20:55:609: Processing MS-CHAP v2 authentication.
    [836] 07-21 17:20:55:625: LogonUser succeeded.
    [836] 07-21 17:20:55:625: NT-SAM User Authorization handler received request for NT_DOMAIN_B\username.
    [836] 07-21 17:20:56:236: Failed to connect to the cached DC, try DC locator ....
    [836] 07-21 17:21:11:265: Failed to connect to the DC discovered by DC locator, try DC enumerator ...
    [836] 07-21 17:21:11:265: Using downlevel dial-in parameters.
    [836] 07-21 17:21:11:265: Could not open an LDAP connection to domain NT_DOMAIN_B.
    [836] 07-21 17:21:11:265: NTDomain::getConnection failed: No more data is available.
    [836] 07-21 17:21:11:265: Retrying LDAP search.
    [836] 07-21 17:21:11:265: Could not open an LDAP connection to domain NT_DOMAIN_B.
    [836] 07-21 17:21:11:265: NTDomain::getConnection failed: No more data is available.
    [836] 07-21 17:21:11:265: Per-user attribute retrieval failed: No more data is available.

    Please note that full trusts are in place. I had an old Win 2k server that
    the exact same setup worked on. The only difference here is I'm now using
    2003 (R2) SP2.

    Does anyone have any ideas why this might be?

    Thanks.
     
    David Naffy, Jul 22, 2008
    #1
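The trace above is easier to read once the two stages it records are separated: the authentication handler reports "LogonUser succeeded" (the password was accepted), and it is the later User Authorization handler that fails when it cannot reach a domain controller for NT_DOMAIN_B to fetch the per-user dial-in attributes. The following is an added example, not code from the original post or from RRAS, that parses RAS trace lines of this shape and reports which stage failed and how long the DC lookup took before giving up. The sample trace is the excerpt from the post re-joined into single lines; the regular expressions, the phase names and the verdict text are assumptions based only on the message strings visible in that excerpt.

```python
import re
from datetime import datetime

# Constructed sample input: the poster's RAS trace excerpt, one entry per line.
SAMPLE_TRACE = """\
[836] 07-21 17:20:55:609: NT-SAM Names handler received request with user identity NT_DOMAIN_B\\username.
[836] 07-21 17:20:55:609: Username is already an NT4 account name.
[836] 07-21 17:20:55:609: SAM-Account-Name is "NT_DOMAIN_B\\username".
[836] 07-21 17:20:55:609: NT-SAM Authentication handler received request for NT_DOMAIN_B\\username.
[836] 07-21 17:20:55:609: Processing MS-CHAP v2 authentication.
[836] 07-21 17:20:55:625: LogonUser succeeded.
[836] 07-21 17:20:55:625: NT-SAM User Authorization handler received request for NT_DOMAIN_B\\username.
[836] 07-21 17:20:56:236: Failed to connect to the cached DC, try DC locator ....
[836] 07-21 17:21:11:265: Failed to connect to the DC discovered by DC locator, try DC enumerator ...
[836] 07-21 17:21:11:265: Using downlevel dial-in parameters.
[836] 07-21 17:21:11:265: Could not open an LDAP connection to domain NT_DOMAIN_B.
[836] 07-21 17:21:11:265: NTDomain::getConnection failed: No more data is available.
[836] 07-21 17:21:11:265: Retrying LDAP search.
[836] 07-21 17:21:11:265: Could not open an LDAP connection to domain NT_DOMAIN_B.
[836] 07-21 17:21:11:265: NTDomain::getConnection failed: No more data is available.
[836] 07-21 17:21:11:265: Per-user attribute retrieval failed: No more data is available.
"""

# "[thread] MM-DD HH:MM:SS:mmm: message" -- the layout seen in the excerpt (assumed general).
LINE_RE = re.compile(r"^\[(?P<tid>\d+)\] (?P<ts>\d\d-\d\d \d\d:\d\d:\d\d:\d\d\d): (?P<msg>.*)$")
HANDLER_RE = re.compile(r"^NT-SAM (?P<phase>Names|Authentication|User Authorization) handler received request")
USER_RE = re.compile(r'SAM-Account-Name is "(?P<user>[^"]+)"')
LDAP_FAIL_RE = re.compile(r"^Could not open an LDAP connection to domain (?P<domain>\S+?)\.?$")


def parse_ts(ts: str) -> datetime:
    """Parse 'MM-DD HH:MM:SS:mmm'; the year is absent so a dummy one is used (only differences matter)."""
    return datetime.strptime(ts, "%m-%d %H:%M:%S:%f")


def triage(trace: str) -> dict:
    """Summarise one RAS trace: which NT-SAM handler phases ran, where it failed, and why."""
    result = {
        "user": None,
        "phases": [],
        "authentication": "not reached",
        "authorization": "not reached",
        "unreachable_domain": None,
        "ldap_attempts": 0,
        "downlevel_fallback": False,
        "dc_lookup_seconds": None,
        "verdict": "",
    }
    phase, phase_start = None, None
    for raw in trace.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip anything that is not a trace entry
        ts, msg = parse_ts(m["ts"]), m["msg"]
        hm = HANDLER_RE.match(msg)
        if hm:
            phase, phase_start = hm["phase"], ts
            result["phases"].append(phase)
            if phase == "Authentication":
                result["authentication"] = "no success recorded"
            elif phase == "User Authorization":
                result["authorization"] = "in progress"
            continue
        um = USER_RE.search(msg)
        if um:
            result["user"] = um["user"]
        if msg == "LogonUser succeeded.":
            result["authentication"] = "succeeded"
        if msg == "Using downlevel dial-in parameters.":
            result["downlevel_fallback"] = True
        lm = LDAP_FAIL_RE.match(msg)
        if lm:
            result["ldap_attempts"] += 1
            result["unreachable_domain"] = lm["domain"]
        if msg.startswith("Per-user attribute retrieval failed"):
            result["authorization"] = "failed"
            if phase == "User Authorization" and phase_start is not None:
                result["dc_lookup_seconds"] = round((ts - phase_start).total_seconds(), 3)

    # The verdict separates a rejected password from a post-logon authorization failure.
    if result["authentication"] == "succeeded" and result["authorization"] == "failed":
        result["verdict"] = (
            f"credentials accepted; per-user authorization failed because no DC for "
            f"{result['unreachable_domain']} could be reached (check DC reachability and "
            f"name resolution for that domain from the RRAS server)"
        )
    elif result["authentication"] != "succeeded" and "Authentication" in result["phases"]:
        result["verdict"] = "authentication itself did not succeed; look before the authorization stage"
    return result


if __name__ == "__main__":
    for k, v in triage(SAMPLE_TRACE).items():
        print(f"{k}: {v}")
```

Run it against a full trace file by reading the file and passing its contents to `triage`; the `dc_lookup_seconds` figure (about 15.6 s in the excerpt, from the cached-DC attempt through the DC locator and enumerator) is a quick way to spot that the failure is a timed-out DC lookup rather than an immediate rejection.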

  2. Jorge Silva

    Jorge Silva Guest

    Hi
    -Is that domain in the same forest?
    -Not sure if you can use a RRAS server from a different forest to
    authenticate VPN users from a different domain/forest!!!
    -But in case it is supported, check name resolution for RRAS and DCs at both
    ends of the forests; they should be able to resolve each other's names without
    problems. Also check WINS in case the other domain/forest is using NT4.
    -Is the RRAS server directly connected to the internet? Are you using PPTP or
    L2TP? IIRC the hardware modem/router must support protocol 47 (GRE) to pass
    that.

    -Check at the Networking newsgroups; they can provide you better help there.

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, Jul 22, 2008
    #2

  3. David Naffy

    David Naffy Guest

    Thanks,

    The AD domain is the root forest.
    The NT domain has a two way trust to it.
    All DNS seems to work.
    RRAS server has an internal DMZ IP which is NAT'd to an external IP.
    I'm using whatever protocol the default is, and the firewall is not blocking any
    traffic.

    Thanks,
     
    David Naffy, Jul 22, 2008
    #3
  4. Jorge Silva

    Jorge Silva Guest

    See inline
    And the users are from the NT domain? Remember NT4 relies on WINS for name
    resolution.
    The fact that they are working doesn't mean they are correctly configured in the
    clients, but since you mentioned NT4 and separate forests, check WINS.
    Not all FW/hardware support Generic Routing Encapsulation (GRE, protocol 47,
    NOT port 47, different things), which is needed for that.
    http://support.microsoft.com/kb/241251
    http://poptop.sourceforge.net/dox/gre-protocol-unavailable.phtml

    But once again, check at the Network newsgroups for these questions; they can
    provide you with better help there.
    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, Jul 22, 2008
    #4
