Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

CMAK VPN & "Log on using dial-up connection" failing

27 views
Skip to first unread message

IT Guy

unread,
Sep 20, 2005, 10:56:01 AM9/20/05
to
I have set up a Win2003 RRAS L2TP IPSec vpn for XP Pro SP2 clients connecting
from remote cable internet connections. All remote PCs are members of the
domain. The VPN client connection is built with CMAK.

Users with cached credentials can successfully log onto the local machine
and establish the VPN connection to the server. However, the "Log on using
dial-up connection" option at the Windows Logon screen fails with a 691
access denied error.

Reviewing the IASSAM.LOG shows a failed attempt by the guest account to log
in corresponding to the failed remote connection attempt (see below). If I
manually create the VPN connection (rather than use CMAK), the dial-up
connection at Windows logon works.

Does anyone have an idea where I need to look in CMAK to correct the
problem...? Thanks!

[1796] 09-20 09:15:32:634: NT-SAM Names handler using default user identity
IT_DOMAIN\noguest03.
[1796] 09-20 09:15:32:634: identity is "IT_DOMAIN\noguest03"
[1796] 09-20 09:15:32:634: Username is already an NT4 account name.
[1796] 09-20 09:15:32:634: SAM-Account-Name is "IT_DOMAIN\noguest03".
[1796] 09-20 09:15:32:634: NT-SAM Authentication handler received request
for IT_DOMAIN\noguest03.
[1796] 09-20 09:15:32:634: Processing MS-CHAP v2 authentication.
[1796] 09-20 09:15:32:634: LogonUser failed: Logon failure: unknown user
name or bad password.
[1796] 09-20 09:15:41:696: NT-SAM Names handler using default user identity
IT_DOMAIN\noguest03.
[1796] 09-20 09:15:41:696: identity is "IT_DOMAIN\noguest03"
[1796] 09-20 09:15:41:696: Username is already an NT4 account name.
[1796] 09-20 09:15:41:696: SAM-Account-Name is "IT_DOMAIN\noguest03".
[1796] 09-20 09:15:41:696: NT-SAM Authentication handler received request
for IT_DOMAIN\noguest03.
[1796] 09-20 09:15:41:696: Processing MS-CHAP v2 authentication.
[1796] 09-20 09:15:41:696: LogonUser failed: Logon failure: unknown user
name or bad password.

Robert L [MS-MVP]

unread,
Sep 20, 2005, 12:24:49 PM9/20/05
to
If you want to use Log on using dial-up connection, you don't need the CMAK. You just create regular VPN connection.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com

IT Guy

unread,
Sep 20, 2005, 1:07:01 PM9/20/05
to
Thanks, Robert. That is my work around, but to simplify deployment and
administration, I was hoping to use the simple self-installing .exe that CMAK
creates...

Robert L [MS-MVP]

unread,
Sep 20, 2005, 1:43:56 PM9/20/05
to
Yes, the CMAk will be easy for the administrator. Normally, we don't recommend our clients to logon domain. We just logon local computer and run CMAK.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com

IT Guy

unread,
Sep 20, 2005, 1:56:02 PM9/20/05
to
Unfortunately, we have remote domain users (accessing domain shares, client
server apps, etc.) who have not logged on to the remote machines before.
Their local accounts won't be able to access the domain resources and since
they haven't logged on to the computers with their domain accounts before,
they don't have cached credentials and, therefore, can't get to the CMAK VPN
client...
0 new messages