Handheld device remote networking issues into RAS

We have a bunch of NEC MobilePros, mainly 770, 780, 790s that remote users
use to dial in to our RAS server.
Everything was working fine until we moved RAS to a Windows 2003 server,
from a NT Server.
The handhelds will dial and connect to the server, but as soon as that
happens there is a message displayed on the handhelds that says:
responding to authentication challenge

Another window pops up almost simultaneously that says:
Disconnected.

I checked the event log on the server and found this warning event:
Source-Remote Access
Event ID 20187
The user domain\user failed an authentication attempt due to the following
reason: The user could not be authenticated using Challenge Handshake
Authentication Protocol (CHAP). A reversibly encrypted password does not
exist for this user account. To ensure that reversibly encrypted passwords
are enabled, check either the domain password policy or the password settings
on the user account.

There is another event right after it, same source
Event ID 20014
The user domain\user has connected and failed to authenticate on port COM1.
The line has been disconnected.

I don't understand why I'm getting this second event. I've created a policy
in Routing and Remote Access to allow the group that the account is in to be
granted
remote access permission.
And in regard to the first event, I don't understand why CHAP won't
work-I've enabled the policy to allow CHAP authentication, as well as others.

I've also checked some of the logs on the server and found some information,
but I haven't found much information on it and what it means exactly.

from RASAUTH log
[4056] 10:35:31:668: IASResponse = 2, FailureReason = 0x13

from RASCHAP log
[3184] 01-10 10:35:31:637: CS_ChallengeSent...
[3184] 01-10 10:35:31:668: ChapMakeMessage,RBuf=00000000
[3184] 01-10 10:35:31:668: Result=691,Tries=2
[3184] 01-10 10:35:31:668: CS_Done...

FROM IASSAM log
[4056] 01-10 10:35:31:668: LogonUser failed: The specified directory service
attribute or value does not exist.

from PPP log
3184] 01-10 10:35:31:668: Auth Protocol c223 terminated with error 691

from RASMAN
Disconnecting Port 0xCOM1, reason 0

In Active Directory, I've also disabled 2 settings that could cause problems:
computer config/windows settings/security settings/local policies/security
option
Microsoft network server: digitally sign communications (always)
Microsoft network client: digitally sign communications (always)

I understand that there is also a setting in AD that will store all
passwords with reversible encryption, but it is considered a security risk.
I haven't tried changing this setting and then dialing in. I hope there's
other options.

Any help is appreciated.

The message you quote tells you why CHAP isn't working. It needs the
reversibly encrypted password option. This is off by default in server 2003.

nosurfdj wrote:
> We have a bunch of NEC MobilePros, mainly 770, 780, 790s that remote
> users use to dial in to our RAS server.
> Everything was working fine until we moved RAS to a Windows 2003
> server, from a NT Server.
> The handhelds will dial and connect to the server, but as soon as that
> happens there is a message displayed on the handhelds that says:
> responding to authentication challenge
>
> Another window pops up almost simultaneously that says:
> Disconnected.
>
> I checked the event log on the server and found this warning event:
> Source-Remote Access
> Event ID 20187
> The user domain\user failed an authentication attempt due to the
> following reason: The user could not be authenticated using Challenge
> Handshake Authentication Protocol (CHAP). A reversibly encrypted
> password does not exist for this user account. To ensure that
> reversibly encrypted passwords are enabled, check either the domain
> password policy or the password settings on the user account.
>
> There is another event right after it, same source
> Event ID 20014
> The user domain\user has connected and failed to authenticate on port
> COM1. The line has been disconnected.
>
> I don't understand why I'm getting this second event. I've created a
> policy in Routing and Remote Access to allow the group that the
> account is in to be granted
> remote access permission.
> And in regard to the first event, I don't understand why CHAP won't
> work-I've enabled the policy to allow CHAP authentication, as well as
> others.
>
> I've also checked some of the logs on the server and found some
> information, but I haven't found much information on it and what it
> means exactly.
>
> from RASAUTH log
> [4056] 10:35:31:668: IASResponse = 2, FailureReason = 0x13
>
> from RASCHAP log
> [3184] 01-10 10:35:31:637: CS_ChallengeSent...
> [3184] 01-10 10:35:31:668: ChapMakeMessage,RBuf=00000000
> [3184] 01-10 10:35:31:668: Result=691,Tries=2
> [3184] 01-10 10:35:31:668: CS_Done...
>
> FROM IASSAM log
> [4056] 01-10 10:35:31:668: LogonUser failed: The specified directory
> service attribute or value does not exist.
>
> from PPP log
> 3184] 01-10 10:35:31:668: Auth Protocol c223 terminated with error 691
>
> from RASMAN
> Disconnecting Port 0xCOM1, reason 0
>
> In Active Directory, I've also disabled 2 settings that could cause
> problems: computer config/windows settings/security settings/local
> policies/security option
> Microsoft network server: digitally sign communications (always)
> Microsoft network client: digitally sign communications (always)
>
> I understand that there is also a setting in AD that will store all
> passwords with reversible encryption, but it is considered a security
> risk. I haven't tried changing this setting and then dialing in. I
> hope there's other options.
>
> Any help is appreciated.

I know what setting you are talking about in AD to store all passwords in the
domain with reversible encryption. I've read articles that this can be a big
security risk because the passwords of all users would be stored in plain
text. If this is the only way to make it work, then that's what I have to
do. I was hoping that there might be other options.

"Bill Grant" wrote:

> The message you quote tells you why CHAP isn't working. It needs the
> reversibly encrypted password option. This is off by default in server 2003.
>
> nosurfdj wrote:
> > We have a bunch of NEC MobilePros, mainly 770, 780, 790s that remote
> > users use to dial in to our RAS server.
> > Everything was working fine until we moved RAS to a Windows 2003
> > server, from a NT Server.
> > The handhelds will dial and connect to the server, but as soon as that
> > happens there is a message displayed on the handhelds that says:
> > responding to authentication challenge
> >
> > Another window pops up almost simultaneously that says:
> > Disconnected.
> >
> > I checked the event log on the server and found this warning event:
> > Source-Remote Access
> > Event ID 20187
> > The user domain\user failed an authentication attempt due to the
> > following reason: The user could not be authenticated using Challenge
> > Handshake Authentication Protocol (CHAP). A reversibly encrypted
> > password does not exist for this user account. To ensure that
> > reversibly encrypted passwords are enabled, check either the domain
> > password policy or the password settings on the user account.
> >
> > There is another event right after it, same source
> > Event ID 20014
> > The user domain\user has connected and failed to authenticate on port
> > COM1. The line has been disconnected.
> >
> > I don't understand why I'm getting this second event. I've created a
> > policy in Routing and Remote Access to allow the group that the
> > account is in to be granted
> > remote access permission.
> > And in regard to the first event, I don't understand why CHAP won't
> > work-I've enabled the policy to allow CHAP authentication, as well as
> > others.
> >
> > I've also checked some of the logs on the server and found some
> > information, but I haven't found much information on it and what it
> > means exactly.
> >
> > from RASAUTH log
> > [4056] 10:35:31:668: IASResponse = 2, FailureReason = 0x13
> >
> > from RASCHAP log
> > [3184] 01-10 10:35:31:637: CS_ChallengeSent...
> > [3184] 01-10 10:35:31:668: ChapMakeMessage,RBuf=00000000
> > [3184] 01-10 10:35:31:668: Result=691,Tries=2
> > [3184] 01-10 10:35:31:668: CS_Done...
> >
> > FROM IASSAM log
> > [4056] 01-10 10:35:31:668: LogonUser failed: The specified directory
> > service attribute or value does not exist.
> >
> > from PPP log
> > 3184] 01-10 10:35:31:668: Auth Protocol c223 terminated with error 691
> >
> > from RASMAN
> > Disconnecting Port 0xCOM1, reason 0
> >
> > In Active Directory, I've also disabled 2 settings that could cause
> > problems: computer config/windows settings/security settings/local
> > policies/security option
> > Microsoft network server: digitally sign communications (always)
> > Microsoft network client: digitally sign communications (always)
> >
> > I understand that there is also a setting in AD that will store all
> > passwords with reversible encryption, but it is considered a security
> > risk. I haven't tried changing this setting and then dialing in. I
> > hope there's other options.
> >
> > Any help is appreciated.
>
>
>

I set "Store password using reverisble encryption for all users in the
domain" on the default domain policy-this setting is found in
computer/security/account polcies/password policy.
I then tested one of the handhelds, and I was not able to connect. Same
thing happened that always happened.
Am I setting it in the wrong location?

"Bill Grant" wrote:

> The message you quote tells you why CHAP isn't working. It needs the
> reversibly encrypted password option. This is off by default in server 2003.
>
> nosurfdj wrote:
> > We have a bunch of NEC MobilePros, mainly 770, 780, 790s that remote
> > users use to dial in to our RAS server.
> > Everything was working fine until we moved RAS to a Windows 2003
> > server, from a NT Server.
> > The handhelds will dial and connect to the server, but as soon as that
> > happens there is a message displayed on the handhelds that says:
> > responding to authentication challenge
> >
> > Another window pops up almost simultaneously that says:
> > Disconnected.
> >
> > I checked the event log on the server and found this warning event:
> > Source-Remote Access
> > Event ID 20187
> > The user domain\user failed an authentication attempt due to the
> > following reason: The user could not be authenticated using Challenge
> > Handshake Authentication Protocol (CHAP). A reversibly encrypted
> > password does not exist for this user account. To ensure that
> > reversibly encrypted passwords are enabled, check either the domain
> > password policy or the password settings on the user account.
> >
> > There is another event right after it, same source
> > Event ID 20014
> > The user domain\user has connected and failed to authenticate on port
> > COM1. The line has been disconnected.
> >
> > I don't understand why I'm getting this second event. I've created a
> > policy in Routing and Remote Access to allow the group that the
> > account is in to be granted
> > remote access permission.
> > And in regard to the first event, I don't understand why CHAP won't
> > work-I've enabled the policy to allow CHAP authentication, as well as
> > others.
> >
> > I've also checked some of the logs on the server and found some
> > information, but I haven't found much information on it and what it
> > means exactly.
> >
> > from RASAUTH log
> > [4056] 10:35:31:668: IASResponse = 2, FailureReason = 0x13
> >
> > from RASCHAP log
> > [3184] 01-10 10:35:31:637: CS_ChallengeSent...
> > [3184] 01-10 10:35:31:668: ChapMakeMessage,RBuf=00000000
> > [3184] 01-10 10:35:31:668: Result=691,Tries=2
> > [3184] 01-10 10:35:31:668: CS_Done...
> >
> > FROM IASSAM log
> > [4056] 01-10 10:35:31:668: LogonUser failed: The specified directory
> > service attribute or value does not exist.
> >
> > from PPP log
> > 3184] 01-10 10:35:31:668: Auth Protocol c223 terminated with error 691
> >
> > from RASMAN
> > Disconnecting Port 0xCOM1, reason 0
> >
> > In Active Directory, I've also disabled 2 settings that could cause
> > problems: computer config/windows settings/security settings/local
> > policies/security option
> > Microsoft network server: digitally sign communications (always)
> > Microsoft network client: digitally sign communications (always)
> >
> > I understand that there is also a setting in AD that will store all
> > passwords with reversible encryption, but it is considered a security
> > risk. I haven't tried changing this setting and then dialing in. I
> > hope there's other options.
> >
> > Any help is appreciated.
>
>
>

No, you do not need to use the policy to have every user in the domain
use reversibly encrypted passwords. You can use the second option suggested
in the error message, of setting it in the password options of the user
account (for just the users who need this option).

The basic essential is that the users who need to connect from handhelds
using CHAP must have reversibly encrypted passwords.

nosurfdj wrote:
> I set "Store password using reverisble encryption for all users in the
> domain" on the default domain policy-this setting is found in
> computer/security/account polcies/password policy.
> I then tested one of the handhelds, and I was not able to connect.
> Same thing happened that always happened.
> Am I setting it in the wrong location?
>
> "Bill Grant" wrote:
>
>> The message you quote tells you why CHAP isn't working. It needs
>> the reversibly encrypted password option. This is off by default in
>> server 2003.
>>
>> nosurfdj wrote:
>>> We have a bunch of NEC MobilePros, mainly 770, 780, 790s that remote
>>> users use to dial in to our RAS server.
>>> Everything was working fine until we moved RAS to a Windows 2003
>>> server, from a NT Server.
>>> The handhelds will dial and connect to the server, but as soon as
>>> that happens there is a message displayed on the handhelds that
>>> says: responding to authentication challenge
>>>
>>> Another window pops up almost simultaneously that says:
>>> Disconnected.
>>>
>>> I checked the event log on the server and found this warning event:
>>> Source-Remote Access
>>> Event ID 20187
>>> The user domain\user failed an authentication attempt due to the
>>> following reason: The user could not be authenticated using
>>> Challenge Handshake Authentication Protocol (CHAP). A reversibly
>>> encrypted password does not exist for this user account. To ensure
>>> that reversibly encrypted passwords are enabled, check either the
>>> domain password policy or the password settings on the user account.
>>>
>>> There is another event right after it, same source
>>> Event ID 20014
>>> The user domain\user has connected and failed to authenticate on
>>> port COM1. The line has been disconnected.
>>>
>>> I don't understand why I'm getting this second event. I've created
>>> a policy in Routing and Remote Access to allow the group that the
>>> account is in to be granted
>>> remote access permission.
>>> And in regard to the first event, I don't understand why CHAP won't
>>> work-I've enabled the policy to allow CHAP authentication, as well
>>> as others.
>>>
>>> I've also checked some of the logs on the server and found some
>>> information, but I haven't found much information on it and what it
>>> means exactly.
>>>
>>> from RASAUTH log
>>> [4056] 10:35:31:668: IASResponse = 2, FailureReason = 0x13
>>>
>>> from RASCHAP log
>>> [3184] 01-10 10:35:31:637: CS_ChallengeSent...
>>> [3184] 01-10 10:35:31:668: ChapMakeMessage,RBuf=00000000
>>> [3184] 01-10 10:35:31:668: Result=691,Tries=2
>>> [3184] 01-10 10:35:31:668: CS_Done...
>>>
>>> FROM IASSAM log
>>> [4056] 01-10 10:35:31:668: LogonUser failed: The specified directory
>>> service attribute or value does not exist.
>>>
>>> from PPP log
>>> 3184] 01-10 10:35:31:668: Auth Protocol c223 terminated with error
>>> 691
>>>
>>> from RASMAN
>>> Disconnecting Port 0xCOM1, reason 0
>>>
>>> In Active Directory, I've also disabled 2 settings that could cause
>>> problems: computer config/windows settings/security settings/local
>>> policies/security option
>>> Microsoft network server: digitally sign communications (always)
>>> Microsoft network client: digitally sign communications (always)
>>>
>>> I understand that there is also a setting in AD that will store all
>>> passwords with reversible encryption, but it is considered a
>>> security risk. I haven't tried changing this setting and then
>>> dialing in. I hope there's other options.
>>>
>>> Any help is appreciated.

I think I know what you're referring to. If you open the user account, under
the Account tab you can choose to store that user's password with reversible
encryption. That didn't work either.

"Bill Grant" wrote:

> No, you do not need to use the policy to have every user in the domain
> use reversibly encrypted passwords. You can use the second option suggested
> in the error message, of setting it in the password options of the user
> account (for just the users who need this option).
>
> The basic essential is that the users who need to connect from handhelds
> using CHAP must have reversibly encrypted passwords.
>
> nosurfdj wrote:
> > I set "Store password using reverisble encryption for all users in the
> > domain" on the default domain policy-this setting is found in
> > computer/security/account polcies/password policy.
> > I then tested one of the handhelds, and I was not able to connect.
> > Same thing happened that always happened.
> > Am I setting it in the wrong location?
> >
> > "Bill Grant" wrote:
> >
> >> The message you quote tells you why CHAP isn't working. It needs
> >> the reversibly encrypted password option. This is off by default in
> >> server 2003.
> >>
> >> nosurfdj wrote:
> >>> We have a bunch of NEC MobilePros, mainly 770, 780, 790s that remote
> >>> users use to dial in to our RAS server.
> >>> Everything was working fine until we moved RAS to a Windows 2003
> >>> server, from a NT Server.
> >>> The handhelds will dial and connect to the server, but as soon as
> >>> that happens there is a message displayed on the handhelds that
> >>> says: responding to authentication challenge
> >>>
> >>> Another window pops up almost simultaneously that says:
> >>> Disconnected.
> >>>
> >>> I checked the event log on the server and found this warning event:
> >>> Source-Remote Access
> >>> Event ID 20187
> >>> The user domain\user failed an authentication attempt due to the
> >>> following reason: The user could not be authenticated using
> >>> Challenge Handshake Authentication Protocol (CHAP). A reversibly
> >>> encrypted password does not exist for this user account. To ensure
> >>> that reversibly encrypted passwords are enabled, check either the
> >>> domain password policy or the password settings on the user account.
> >>>
> >>> There is another event right after it, same source
> >>> Event ID 20014
> >>> The user domain\user has connected and failed to authenticate on
> >>> port COM1. The line has been disconnected.
> >>>
> >>> I don't understand why I'm getting this second event. I've created
> >>> a policy in Routing and Remote Access to allow the group that the
> >>> account is in to be granted
> >>> remote access permission.
> >>> And in regard to the first event, I don't understand why CHAP won't
> >>> work-I've enabled the policy to allow CHAP authentication, as well
> >>> as others.
> >>>
> >>> I've also checked some of the logs on the server and found some
> >>> information, but I haven't found much information on it and what it
> >>> means exactly.
> >>>
> >>> from RASAUTH log
> >>> [4056] 10:35:31:668: IASResponse = 2, FailureReason = 0x13
> >>>
> >>> from RASCHAP log
> >>> [3184] 01-10 10:35:31:637: CS_ChallengeSent...
> >>> [3184] 01-10 10:35:31:668: ChapMakeMessage,RBuf=00000000
> >>> [3184] 01-10 10:35:31:668: Result=691,Tries=2
> >>> [3184] 01-10 10:35:31:668: CS_Done...
> >>>
> >>> FROM IASSAM log
> >>> [4056] 01-10 10:35:31:668: LogonUser failed: The specified directory
> >>> service attribute or value does not exist.
> >>>
> >>> from PPP log
> >>> 3184] 01-10 10:35:31:668: Auth Protocol c223 terminated with error
> >>> 691
> >>>
> >>> from RASMAN
> >>> Disconnecting Port 0xCOM1, reason 0
> >>>
> >>> In Active Directory, I've also disabled 2 settings that could cause
> >>> problems: computer config/windows settings/security settings/local
> >>> policies/security option
> >>> Microsoft network server: digitally sign communications (always)
> >>> Microsoft network client: digitally sign communications (always)
> >>>
> >>> I understand that there is also a setting in AD that will store all
> >>> passwords with reversible encryption, but it is considered a
> >>> security risk. I haven't tried changing this setting and then
> >>> dialing in. I hope there's other options.
> >>>
> >>> Any help is appreciated.
>
>
>

Found the solution:
Turned off EAP and MSChap v2 on the RAS server.
Then had to set a registry key on the RAS server:
HKLM\system\currentcontrolset\services\remoteacces s\policy
set Allow LM Authentication = 1

"nosurfdj" wrote:

> I think I know what you're referring to. If you open the user account, under
> the Account tab you can choose to store that user's password with reversible
> encryption. That didn't work either.
>
> "Bill Grant" wrote:
>
> > No, you do not need to use the policy to have every user in the domain
> > use reversibly encrypted passwords. You can use the second option suggested
> > in the error message, of setting it in the password options of the user
> > account (for just the users who need this option).
> >
> > The basic essential is that the users who need to connect from handhelds
> > using CHAP must have reversibly encrypted passwords.
> >
> > nosurfdj wrote:
> > > I set "Store password using reverisble encryption for all users in the
> > > domain" on the default domain policy-this setting is found in
> > > computer/security/account polcies/password policy.
> > > I then tested one of the handhelds, and I was not able to connect.
> > > Same thing happened that always happened.
> > > Am I setting it in the wrong location?
> > >
> > > "Bill Grant" wrote:
> > >
> > >> The message you quote tells you why CHAP isn't working. It needs
> > >> the reversibly encrypted password option. This is off by default in
> > >> server 2003.
> > >>
> > >> nosurfdj wrote:
> > >>> We have a bunch of NEC MobilePros, mainly 770, 780, 790s that remote
> > >>> users use to dial in to our RAS server.
> > >>> Everything was working fine until we moved RAS to a Windows 2003
> > >>> server, from a NT Server.
> > >>> The handhelds will dial and connect to the server, but as soon as
> > >>> that happens there is a message displayed on the handhelds that
> > >>> says: responding to authentication challenge
> > >>>
> > >>> Another window pops up almost simultaneously that says:
> > >>> Disconnected.
> > >>>
> > >>> I checked the event log on the server and found this warning event:
> > >>> Source-Remote Access
> > >>> Event ID 20187
> > >>> The user domain\user failed an authentication attempt due to the
> > >>> following reason: The user could not be authenticated using
> > >>> Challenge Handshake Authentication Protocol (CHAP). A reversibly
> > >>> encrypted password does not exist for this user account. To ensure
> > >>> that reversibly encrypted passwords are enabled, check either the
> > >>> domain password policy or the password settings on the user account.
> > >>>
> > >>> There is another event right after it, same source
> > >>> Event ID 20014
> > >>> The user domain\user has connected and failed to authenticate on
> > >>> port COM1. The line has been disconnected.
> > >>>
> > >>> I don't understand why I'm getting this second event. I've created
> > >>> a policy in Routing and Remote Access to allow the group that the
> > >>> account is in to be granted
> > >>> remote access permission.
> > >>> And in regard to the first event, I don't understand why CHAP won't
> > >>> work-I've enabled the policy to allow CHAP authentication, as well
> > >>> as others.
> > >>>
> > >>> I've also checked some of the logs on the server and found some
> > >>> information, but I haven't found much information on it and what it
> > >>> means exactly.
> > >>>
> > >>> from RASAUTH log
> > >>> [4056] 10:35:31:668: IASResponse = 2, FailureReason = 0x13
> > >>>
> > >>> from RASCHAP log
> > >>> [3184] 01-10 10:35:31:637: CS_ChallengeSent...
> > >>> [3184] 01-10 10:35:31:668: ChapMakeMessage,RBuf=00000000
> > >>> [3184] 01-10 10:35:31:668: Result=691,Tries=2
> > >>> [3184] 01-10 10:35:31:668: CS_Done...
> > >>>
> > >>> FROM IASSAM log
> > >>> [4056] 01-10 10:35:31:668: LogonUser failed: The specified directory
> > >>> service attribute or value does not exist.
> > >>>
> > >>> from PPP log
> > >>> 3184] 01-10 10:35:31:668: Auth Protocol c223 terminated with error
> > >>> 691
> > >>>
> > >>> from RASMAN
> > >>> Disconnecting Port 0xCOM1, reason 0
> > >>>
> > >>> In Active Directory, I've also disabled 2 settings that could cause
> > >>> problems: computer config/windows settings/security settings/local
> > >>> policies/security option
> > >>> Microsoft network server: digitally sign communications (always)
> > >>> Microsoft network client: digitally sign communications (always)
> > >>>
> > >>> I understand that there is also a setting in AD that will store all
> > >>> passwords with reversible encryption, but it is considered a
> > >>> security risk. I haven't tried changing this setting and then
> > >>> dialing in. I hope there's other options.
> > >>>
> > >>> Any help is appreciated.
> >
> >
> >