IAS VPN authentication fails for Windows Mobile clients

Hi,
I have Server 2003 Std, running IAS. Incoming VPN connections are
terminated on a Cisco router which then fowards authentication requests to
the IAS server.

Connections from external PC based clients work fine, however when attempts
to connect using Windows Mobile 5 PDA's or SmartPhones fail (when using the
same credentials).

I can only assume that the WM5 devices are not formatting the user name and
domain correctly, or not establishing a suitable authentication type. There
is no policy in use - just dial-in permissions on the user account.

Failures generate an IAS event ID 2 with reason code 20.

Have tried all combinations of specifying the domain and user name in the
WM5 client, but nothing works...

Any suggestions...?

=?Utf-8?B?ZnJlZA==?= <(E-Mail Removed)> wrote in
news:37E5353F-F061-4076-BF67-(E-Mail Removed):

> Hi,
> I have Server 2003 Std, running IAS. Incoming VPN connections are
> terminated on a Cisco router which then fowards authentication
> requests to the IAS server.
>
> Connections from external PC based clients work fine, however when
> attempts to connect using Windows Mobile 5 PDA's or SmartPhones fail
> (when using the same credentials).
>
> I can only assume that the WM5 devices are not formatting the user
> name and domain correctly, or not establishing a suitable
> authentication type. There is no policy in use - just dial-in
> permissions on the user account.
>
> Failures generate an IAS event ID 2 with reason code 20.
>
> Have tried all combinations of specifying the domain and user name in
> the WM5 client, but nothing works...
>
> Any suggestions...?
>

Hi there --

I pinged the IAS team with your questions and thus far I have received the
following response:

"IAS reason code 20 is 'LAN Manager authentication is not enabled'

See (KB) article 826157 "Error 691" error message when you log on to a
Windows Server 2003-based computer or a Windows 2000-based computer that is
running Routing and Remote Access or Internet Authentication Service

http://support.microsoft.com/default...b;EN-US;826157

and check the value of

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\RemoteAccess\Policy\Al
low LM Authentication
"

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.

Many thanks for this James.

I am out of the office for a few days now, but will get a colleague to test
this in the morning.

Regards

"James McIllece [MS]" wrote:

> =?Utf-8?B?ZnJlZA==?= <(E-Mail Removed)> wrote in
> news:37E5353F-F061-4076-BF67-(E-Mail Removed):
>
> > Hi,
> > I have Server 2003 Std, running IAS. Incoming VPN connections are
> > terminated on a Cisco router which then fowards authentication
> > requests to the IAS server.
> >
> > Connections from external PC based clients work fine, however when
> > attempts to connect using Windows Mobile 5 PDA's or SmartPhones fail
> > (when using the same credentials).
> >
> > I can only assume that the WM5 devices are not formatting the user
> > name and domain correctly, or not establishing a suitable
> > authentication type. There is no policy in use - just dial-in
> > permissions on the user account.
> >
> > Failures generate an IAS event ID 2 with reason code 20.
> >
> > Have tried all combinations of specifying the domain and user name in
> > the WM5 client, but nothing works...
> >
> > Any suggestions...?
> >
>
> Hi there --
>
> I pinged the IAS team with your questions and thus far I have received the
> following response:
>
> "IAS reason code 20 is 'LAN Manager authentication is not enabled'
>
> See (KB) article 826157 "Error 691" error message when you log on to a
> Windows Server 2003-based computer or a Windows 2000-based computer that is
> running Routing and Remote Access or Internet Authentication Service
>
> http://support.microsoft.com/default...b;EN-US;826157
>
> and check the value of
>
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\RemoteAccess\Policy\Al
> low LM Authentication
> "
>
> --
> James McIllece, Microsoft
>
> Please do not send email directly to this alias. This is my online account
> name for newsgroup participation only.
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>

In news:A973F579-EDE4-4571-8FCE-(E-Mail Removed),
fred <(E-Mail Removed)> stated, which I commented on below:
> Many thanks for this James.
>
> I am out of the office for a few days now, but will get a colleague
> to test this in the morning.
>
> Regards

FYI, in addition to what James posted (which will probably take care of the
problem for you), you can use an IAS log viewer that translates the logs for
you. I used this when troubleshooting an Aironet/IAS issue and it was
extremely helpful.

IAS Log Viewer:
http://www.deepsoftware.com/iasviewer/?adv

--
Ace
Innovative IT Concepts, Inc
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only constant in life is change...

Method 2 in the doc has improved things - thanks.

I can now get authenticated OK from the PDA, but the connection is dropped
almost immediately.

I will try the log viewer mentioned below...

> I can now get authenticated OK from the PDA, but the connection is dropped
> almost immediately.

This was sorted by disabling Direct Push email - for some reason this
terminates the VPN. Not sure if this is a "feature" of Windows Mobile 5,
the hardware or GPRS.

But at least we have a work-around!

In news:93094CFE-46A7-4D57-9E96-(E-Mail Removed),
fred <(E-Mail Removed)> stated, which I commented on below:
>> I can now get authenticated OK from the PDA, but the connection is
>> dropped almost immediately.
>
> This was sorted by disabling Direct Push email - for some reason this
> terminates the VPN. Not sure if this is a "feature" of Windows
> Mobile 5, the hardware or GPRS.
>
> But at least we have a work-around!

Good to hear you figured it out at least!

Ace

=?Utf-8?B?ZnJlZA==?= <(E-Mail Removed)> wrote in
news:93094CFE-46A7-4D57-9E96-(E-Mail Removed):

>
>> I can now get authenticated OK from the PDA, but the connection is
>> dropped almost immediately.
>
> This was sorted by disabling Direct Push email - for some reason this
> terminates the VPN. Not sure if this is a "feature" of Windows
> Mobile 5, the hardware or GPRS.
>
> But at least we have a work-around!

Thanks for posting this additional information, I'm sure it will help
others in similar circumstances. :-)

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.