
Initial RAS Setup Problem


Myrt Webb
Feb 4, 2003, 12:32:03 PM
I am trying to make an initial simple RAS setup to see how
it works. But no matter what I do the RAS denies access
because the user does not have the proper permissions.

I have one DC in native mode that is also the RAS. I have
a default access policy that I wanted to make as simple as
possible. The only policies I have are unlimited access
for time and that the auth groups are domain users. PAP
for authentication and no encryption. The domain users I
am trying with have "grant access according to remote
policy".

But when I try to establish a VPN from another workstation
on the same LAN as the server access is denied.

I have checked and checked settings but I cannot figure
out what is amiss.

What are the most likely reasons for my access problem?

Carl DaVault [MS]
Feb 4, 2003, 12:52:24 PM

You can get a good view into what your system is doing by looking at the IAS
logs and PPP logs, enabled by "netsh ras set tra * ena" and found in
%WINDIR%\tracing.

Here's a tip on how remote access policies work:

* You can think of the Dial-in tab on the user properties as a user-specific
IAS configuration tab.

* The IAS settings on a dial-in tab override the IAS settings in a remote
access policy.

* The "grant access by policy" setting on the user is essentially a null
setting, allowing the Grant/Deny radio button on the policy to take effect.
The other two user settings (Allow/Deny) override the grant/deny setting in
the policy.

If you use "grant access by policy", the policy must say "grant access" and
the other conditions have to match - one of the IAS logs will show you why
the user was denied access - it either failed the logon attempt or was
rejected due to a policy setting. You have to enable PAP in both the VPN
server properties as well as the remote access policy and you have to enable
"No encryption" in the policy. (PAP is fine for experimentation and
troubleshooting, but never set your servers to negotiate PAP in a real
deployment - it allows your password to be sent in the clear and provides no
encryption. MD5 CHAP is almost as bad. Use MS-CHAPv2 or EAP-TLS instead.)

With domain users, your VPN server must be a member of the RAS and IAS
Servers Group - you can register it via "netsh ras add reg" and check
registration with "netsh ras sho reg". If you can connect with local users,
but not domain users, perhaps IAS is having trouble talking to the domain or
is not registered.

--
Carl DaVault (MS)
This posting is provided "AS IS" with no warranties, and confers no rights.


"Myrt Webb" <myrt...@centurytel.net> wrote in message
news:062401c2cc73$55008d00$8df82ecf@TK2MSFTNGXA02...

Myrt Webb
Feb 4, 2003, 1:15:36 PM
Thanks for your reply.

I enabled logging and tried to access again.
The PPP log had the following:
"Auth protocol c233 terminated with error 649"

How do I figure out what the above means?

There are a lot of logs. Which ones are the most useful?


Amit Fulay [MS]
Feb 4, 2003, 1:21:44 PM
Auth protocol c223 is CHAP Challenge Handshake Authentication Protocol.
Error 649 indicates that either the user account does not have permissions
to dial-in or that the user account has been disabled.
You should check if the user has the right access permissions.
thanks,

--
Amit Fulay
Microsoft Corporation
----------------------------------------------------------------------------
This posting is provided "AS IS", with NO warranties and confers NO rights
----------------------------------------------------------------------------


"Myrt Webb" <myrt...@centurytel.net> wrote in message
news:071301c2cc79$6a58aa60$cef82ecf@TK2MSFTNGXA08...
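A small triage helper for the PPP tracing lines Carl points at and the error Amit decodes above. It is an added example, not code from either poster or from Microsoft: it pulls "Auth protocol XXXX terminated with error NNN" lines out of a trace, names the PPP authentication protocol from its IANA number, attaches the meanings given in this thread for errors 649 and 913, and flags when the negotiated protocol is not the one the server was meant to use (the mismatch that turned out to be Myrt's client settings). The log lines are constructed samples, not a real trace.

```python
import re

# PPP authentication protocol numbers (IANA PPP number assignments)
AUTH_PROTOCOLS = {
    0xC023: "PAP",
    0xC223: "CHAP",
    0xC227: "EAP",
}

# Meanings quoted in this thread; any other code gets a generic hint
ERROR_HINTS = {
    649: "account lacks dial-in permission or is disabled (Dial-in tab / policy)",
    913: "client used a port reserved for routers only (check RRAS port usage)",
}

LINE_RE = re.compile(
    r"Auth protocol (?P<proto>[0-9a-fA-F]{4}) terminated with error (?P<code>\d+)"
)


def parse_ppp_auth_failures(text, expected_protocol=None):
    """Return one record per auth-failure line; mark protocol mismatches."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        proto = int(m.group("proto"), 16)
        code = int(m.group("code"))
        name = AUTH_PROTOCOLS.get(proto, f"unknown (0x{proto:04X})")
        record = {
            "protocol": name,
            "error": code,
            "hint": ERROR_HINTS.get(code, "not covered here; look up the RAS error code"),
            # A different protocol than the server was set to use points at the
            # client's connection settings, not at the user's permissions.
            "mismatch": expected_protocol is not None and name != expected_protocol,
        }
        results.append(record)
    return results


# Constructed sample lines modelled on the one quoted in the thread (not a real trace)
SAMPLE_LOG = """\
[1234] 12:40:01: Auth protocol c223 terminated with error 649
[1234] 12:40:02: unrelated tracing line
[1235] 12:41:07: Auth protocol c023 terminated with error 913
"""

if __name__ == "__main__":
    for r in parse_ppp_auth_failures(SAMPLE_LOG, expected_protocol="PAP"):
        flag = " [protocol differs from server setting]" if r["mismatch"] else ""
        print(f"{r['protocol']}: error {r['error']} -> {r['hint']}{flag}")
```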

Myrt Webb
Feb 4, 2003, 1:38:01 PM
Thanks for the replies.

I have solved the authentication problem. The issue was in
the client connection that was not authorized to use PAP
and no encryption. When I changed that I could get
access to the RAS, but I am now stopped by another error
that says "error 913 Remote Access Client attempted to
connect over a port that was reserved for routers only".
