George Valkov

Today I set up a VPNSERVER running Windows 2003 SP2.

Here's how it's planned: VPNSERVER and CLIENTPC (Windows XP SP2) are on the same LAN segment, CLIENTPC connects to VPNSERVER, user "vpnuser" with password "1" is allowed to connect. In reality however I can only connect using optional encryption and PAP or SPAP, despite that the server is configured to also accept CHAP, MS-CHAP and MS-CHAP v2.

If I try to use any of the CHAP protocols I get an unknown user name or password error. I set the user password to "1" so that I cannot possibly mistype it, but still I get this error, and after a few logon attempts the user account gets locked out.

1. Any ideas what is going on here?
2. Is there a password length limit for SPAP? I was able to log on with a 10 char pass, but when I tried the other account that has a 50 chars pass, it failed. I didn't get unknown user name and password though, it showed some other error.

PS: Since I failed to use CHAP, I enabled IPSec, just to make the SPAP session a bit more secure ;-) SPAP+IPSec with a shared secret works properly.

Here are a few screenshots of the server's configuration:
http://i43.tinypic.com/rvd2l1.png
http://i41.tinypic.com/2ez0n7k.png
http://i44.tinypic.com/s49rsy.png
http://i39.tinypic.com/2wew9yf.png
http://i42.tinypic.com/2h32cqx.png
http://i43.tinypic.com/5b8arm.png
http://i39.tinypic.com/2ljt7js.png
http://i40.tinypic.com/a32mbc.png

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: vpnuser
Source Workstation:
Error Code: 0xC000006A

Logon Failure:
Reason: Unknown user name or bad password
User Name: vpnuser
Domain: VPNSERVER
Logon Type: 3
Logon Process: IAS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:
Caller User Name: VPNSERVER$
Caller Domain: WORKGROUP
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 832
Transited Services: -
Source Network Address: -
Source Port: -

Thank You for any help!
Ace Fekay [Microsoft Certified Trainer]

"George Valkov" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Today I set up a VPNSERVER running Windows 2003 SP2.
> Here's how it's planned:
> VPNSERVER and CLIENTPC (Windows XP SP2) are on the same LAN segment,
> CLIENTPC connects to VPNSERVER, user "vpnuser" with password "1" is
> allowed
> to connect.
> In reality however I can only connect using optional encryption and PAP or
> SPAP, despite that the server is configured to also accept CHAP, MS-CHAP
> and
> MS-CHAP v2.
>
> If I try to use any of the CHAP protocols I get an unknown user name or
> password error. I set the user password to "1" so that I cannot possibly
> mistype it, but still I get this error, and after a few logon attempts the
> user account gets locked out.
>
> 1. Any ideas what is going on here?
> 2. Is there a password length limit for SPAP? I was able to log on with a
> 10
> char pass, but when I tried the other account that has a 50 chars pass, it
> failed. I didn't get unknown user name and password though, it showed some
> other error.
>
>
> PS: Since I failed to use CHAP, I enabled IPSec, just to make the SPAP
> session a bit more secure ;-) SPAP+IPSec with a shared secret works
> properly.
>
>
> Here are a few screenshots of the server's configuration:
> http://i43.tinypic.com/rvd2l1.png
> http://i41.tinypic.com/2ez0n7k.png
> http://i44.tinypic.com/s49rsy.png
> http://i39.tinypic.com/2wew9yf.png
> http://i42.tinypic.com/2h32cqx.png
> http://i43.tinypic.com/5b8arm.png
> http://i39.tinypic.com/2ljt7js.png
> http://i40.tinypic.com/a32mbc.png
>
>
> Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon account: vpnuser
> Source Workstation:
> Error Code: 0xC000006A
>
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: vpnuser
> Domain: VPNSERVER
> Logon Type: 3
> Logon Process: IAS
> Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Workstation Name:
> Caller User Name: VPNSERVER$
> Caller Domain: WORKGROUP
> Caller Logon ID: (0x0,0x3E7)
> Caller Process ID: 832
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
>
> Thank You for any help!
>
>

SPAP is Shiva's protocol. I don't think you are using a Shiva device, so I wouldn't even imagine why you would have that set. I haven't seen one in over 12 years.

When I set up a VPN server, I try to use the KISS method (keep it short and simple), and only set it to just MSCHAP and MSCHAP2. If you do that, does it work? CHAP is used by *nix devices or other non-Windows connections.

Also, another big question, does it work without IAS? Try to eliminate the complexity to find out where it is going wrong. If it works with using RRAS directly, then I would go to the next step and set up IAS.

Any reason why not just use DHCP? This way you get all the DHCP options across, such as WINS, etc.

I don't remember the password length, but if your domain requirements are set to default, meaning it must be a complex password, it should be followed, unless you disabled that setting in the Def Domain GPO?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
(E-Mail Removed)

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right things." - Peter F. Drucker
http://twitter.com/acefekay
Matrixx333

> http://i43.tinypic.com/rvd2l1.png

Looks fine

> http://i41.tinypic.com/2ez0n7k.png

Looks fine

> http://i44.tinypic.com/s49rsy.png

Looks fine

> http://i39.tinypic.com/2wew9yf.png

This might be a problem. I understand you said the VPNSERVER and the CLIENT were on the same network segment, but if you're using your VPNSERVER as a secure way to access a remote network, then "Routing" needs to be checked to access any other remote network beyond the VPNSERVER.

> http://i42.tinypic.com/2h32cqx.png

At the bottom you have "Allow custom IPSec Policy for L2TP connection" and it looks like you have a pre-shared key typed in. If the client doesn't also have this key configured, the connection will fail.

> http://i43.tinypic.com/5b8arm.png

Looks fine

> http://i39.tinypic.com/2ljt7js.png

Generally, if you have a DHCP server on the network, you wouldn't want to configure a static address pool, as Ace had mentioned. Also, is the scope of the static address pool in the same subnet as the network you are trying to access from the VPNSERVER? If not, you won't be able to access anything beyond the VPNSERVER.

> http://i40.tinypic.com/a32mbc.png

Not really applicable unless you were using ISDN or multiple modems to establish the VPN connection.

I know for MS-CHAP v1 the password cannot exceed 14 characters, but as Ace had mentioned, any non-Windows machine is going to use CHAP anyways. I would also agree with Ace's advice about using the password requirements for your domain, if you are on one.

Speaking of Domain or Workgroup, the account you are using to establish the connection must either be in AD or configured in the local SAM of the VPNSERVER if it is a workgroup. If you are on a domain and have an account in AD, I would suggest looking at the Remote Access Policies in Routing and Remote Access. Is the username a member of a group that hasn't been configured with a Remote Access Policy? Does the AD account have dial-in permissions? Also the client, server, and policy all have to be configured with at least one common authentication protocol and encryption strength.

Hope this helps.
George Valkov

"Ace Fekay [Microsoft Certified Trainer]" <(E-Mail Removed)> wrote in message
news:e9$(E-Mail Removed)...
| "George Valkov" <(E-Mail Removed)> wrote in message
| news:%(E-Mail Removed)...
| > Today I set up a VPNSERVER running Windows 2003 SP2.
| > Here's how it's planned:
| > VPNSERVER and CLIENTPC (Windows XP SP2) are on the same LAN segment,
| > CLIENTPC connects to VPNSERVER, user "vpnuser" with password "1" is
| > allowed
| > to connect.
| > In reality however I can only connect using optional encryption and PAP or
| > SPAP, despite that the server is configured to also accept CHAP, MS-CHAP
| > and
| > MS-CHAP v2.
| >
| > If I try to use any of the CHAP protocols I get an unknown user name or
| > password error. I set the user password to "1" so that I cannot possibly
| > mistype it, but still I get this error, and after a few logon attempts the
| > user account gets locked out.
| >
| > 1. Any ideas what is going on here?
| > 2. Is there a password length limit for SPAP? I was able to log on with a
| > 10
| > char pass, but when I tried the other account that has a 50 chars pass, it
| > failed. I didn't get unknown user name and password though, it showed some
| > other error.
| >
| >
| > PS: Since I failed to use CHAP, I enabled IPSec, just to make the SPAP
| > session a bit more secure ;-) SPAP+IPSec with a shared secret works
| > properly.
| >
| >
| > Here are a few screenshots of the server's configuration:
| > http://i43.tinypic.com/rvd2l1.png
| > http://i41.tinypic.com/2ez0n7k.png
| > http://i44.tinypic.com/s49rsy.png
| > http://i39.tinypic.com/2wew9yf.png
| > http://i42.tinypic.com/2h32cqx.png
| > http://i43.tinypic.com/5b8arm.png
| > http://i39.tinypic.com/2ljt7js.png
| > http://i40.tinypic.com/a32mbc.png
| >
| >
| > Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
| > Logon account: vpnuser
| > Source Workstation:
| > Error Code: 0xC000006A
| >
| > Logon Failure:
| > Reason: Unknown user name or bad password
| > User Name: vpnuser
| > Domain: VPNSERVER
| > Logon Type: 3
| > Logon Process: IAS
| > Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
| > Workstation Name:
| > Caller User Name: VPNSERVER$
| > Caller Domain: WORKGROUP
| > Caller Logon ID: (0x0,0x3E7)
| > Caller Process ID: 832
| > Transited Services: -
| > Source Network Address: -
| > Source Port: -
| >
| >
| > Thank You for any help!
| >
| >
|
| SPAP is Shiva's protocol. I don't think you are using a Shiva device, so I
| wouldn't even imagine why you would have that set. I haven't seen one in
| over 12 years.
| When I set up a VPN server, I try to use the KISS method (keep it short and
| simple), and only set it to just MSCHAP and MSCHAP2. If you do that, does it
| work? CHAP is used by *nix devices or other non-Windows connections.

Hello Ace!
I'd be happy to use MSCHAP or MSCHAP2, unfortunately they didn't work so I tried PAP and SPAP as a fallback.

| Also, another big question, does it work without IAS? Try to eliminate the
| complexity to find out where it is going wrong. If it works with using RRAS
| directly, then I would go to the next step and set up IAS.

There is no IAS. That's not a corporate network, so I guess I wouldn't spend money on IAS. I have a license for Win2003 on my home PC and I decided to bring the PC from my other home in the same network with it. And so I made use of the VPN functionality and enabled RRAS. But I guess it didn't work with the default config on the server and on the XP client :-(
Any better ideas how to bring the two computers to the same LAN and share files as a network drive?

|
| Any reason why not just use DHCP? This way you get all the DHCP options
| across, such as WINS, etc.

I don't need DNS, WINS or any advanced functionality. RDP and HTTPS are already over SSL, so I just needed to establish File and Printer sharing. The server has a static internet accessible IP. The ISP won't let me have another IP, so I decided to set up a VPN. I am currently on the client PC, I established a successful connection through a NAT router to the VPN server using SPAP. I also tried MSCHAP2, but I got unknown username or bad password again.

|
| I don't remember the password length, but if your domain requirements are
| set to default, meaning it must be a complex password, it should be
| followed, unless you disabled that setting in the Def Domain GPO?

There is no domain, this is a stand alone home server running Windows 2003 SP2 Ent.

Thank You for the reply, Ace!
George Valkov

BTW the screen-shots only work when copy-pasted in the browser.

|
|
| --
| Ace
|
| This posting is provided "AS-IS" with no warranties or guarantees and
| confers no rights.
|
| Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
| Microsoft Certified Trainer
| (E-Mail Removed)
|
| For urgent issues, you may want to contact Microsoft PSS directly. Please
| check http://support.microsoft.com for regional support phone numbers.
|
| "Efficiency is doing things right; effectiveness is doing the right
| things." - Peter F. Drucker
| http://twitter.com/acefekay
|
|
Ace Fekay [Microsoft Certified Trainer]

"George Valkov" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hello Ace!
> I'd be happy to use MSCHAP or MSCHAP2, unfortunately they didn't work so I
> tried PAP and SPAP as a fallback.
>

I'm somewhat surprised it is not working, because XP will use MSCHAP2. MSCHAP was designed back in the NT4 days, but graduated to MSCHAP2 with Windows 2000 and newer.

> There is no IAS. That's not a corporate network, so I guess I wouldn't
> spend
> money on IAS.

IAS is FREE. It is part of the operating system. The error you provided was an IAS error.

> I have a license for Win2003 on my home PC and I decided to
> bring the PC from my other home in the same network with it. And so I made
> use
> of the VPN functionality and enabled RRAS. But I guess it didn't work with
> the default config on the server and on the XP client :-(
> Any better ideas how to bring the two computers to the same LAN and share
> files as a network drive?
>
> I don't need DNS, WINS or any advanced functionality. RDP and HTTPS are
> already over SSL, so I just needed to establish File and Printer sharing.
> The server has a static internet accessible IP. The ISP won't let me have
> another IP, so I decided to set up a VPN. I am currently on the client PC, I
> established a successful connection through a NAT router to the VPN
> server
> using SPAP. I also tried MSCHAP2, but I got unknown username or bad
> password again.

If you are not using DNS, then it needs some other form of name resolution to "find" your internal resources and because you are not using AD, then DNS is not necessarily required internally, but in your case WINS will be needed otherwise how will it find the internal resources by name? If you have a mapped drive by name, such as \\servername\sharename, how is the client side resolver to resolve the internal servername?

As far as why MSCHAP2 is not working, seems to point to a simple RRAS misconfiguration. Believe me, I've set this up in my sleep without problems numerous times, as an interim solution for companies until I got their Cisco ASA in place for hardware based VPN with the Cisco client.

>
> Thank You for the reply, Ace! George Valkov

You are welcome.

>
> BTW the screen-shots only work when copy-pasted in the browser.

They were somewhat difficult to open individually. Would have been nicer if they were jpgs and all in one page so I can compare the pics side by side.

See if these articles work to help set it up.

====================================================================================================
====================================================================================================

How to setup RRAS as a VPN server

Routing and Remote Access Blog : VPN server deployment: IP
http://blogs.technet.com/rrasblog/ar...20/457653.aspx

Microsoft Windows Server 2008: A Beginner's Guide - Google Books Result by Marty Matthews - 2008 - Computers - 592 pages
SET UP A VPN SERVER VPN, like RAS, has both client and server components.
http://books.google.com/books?id=Rm0...esult&resnum=8

VPN Setup - multiple links on how to setup RRAS, VPN and a client
www.chicagotech.net/vpnsetup.htm

====================================================================================================
====================================================================================================

Ace
George Valkov

"Matrixx333" wrote in message
news:ffd8287f-27ed-4638-8923-(E-Mail Removed)...
| > http://i43.tinypic.com/rvd2l1.png
|
| Looks fine
|
| > http://i41.tinypic.com/2ez0n7k.png
|
| Looks fine
|
| > http://i44.tinypic.com/s49rsy.png
|
| Looks fine
|
| > http://i39.tinypic.com/2wew9yf.png
|
| This might be a problem. I understand you said the VPNSERVER and the
| CLIENT were on the same network segment, but if you're using your
| VPNSERVER as a secure way to access a remote network, then "Routing"
| needs to be checked to access any other remote network beyond the
| VPNSERVER.

I think that the answer to that remark would be: Router is not needed, because the real client computer can tunnel through its local NAT router, travel the Internet, join the VPN and access the server, when this feature is disabled. Initially the Router feature was enabled and I tried either sub-option... either way, if I use CHAP I'll get an unknown user name or password error. I disabled the Router, because I didn't want to have features enabled that I can do without.

When I wrote my first message, I decided to omit a few details - some that I thought were less important, so that we can focus on: why I get the "unknown user name or password" error. Here are the details:

My aim is to put the server and the client on the same LAN (VPN) so that they can use File and Printer Sharing. The client already has internet connectivity so the VPN server does not need to offer that to the client. In fact initially the server did offer that functionality, but that caused a problem with my ISP: in short, the client decided to access the internet from the VPN interface, the server rerouted that to the gateway of the ISP, which received a packet from the MAC of the server, but with the IP that my ISP has assigned to the client PC. Their security system decided that the server was trying to steal the IP address of the client and they blocked access to the server's MAC. After 4 phone calls to unblock the server internet connection we finally figured out what exactly happens so I took measures to prevent the VPN side from accessing anything outside its scope. - I disabled Router and assigned proper IP filtering.

I said that the VPNSERVER and client are on the same LAN. Sure they already have File and Printer sharing, but that's only a laptop I had in hand for the test. The real client computer is in another town and is behind a NAT router, so it has to join the VPN.

Or...? Hm, would it be possible to use IPSec and create a tunnel for all ports used by File and Printer Sharing between the server and a client that is behind a NAT router? If yes then I don't need to set up a VPN.

| > http://i42.tinypic.com/2h32cqx.png
|
| At the bottom you have "Allow custom IPSec Policy for L2TP connection"
| and it looks like you have a pre-shared key typed in. If the client
| doesn't also have this key configured, the connection will fail.

I am aware of that, but notice that it says "Allow" and not "Force". According to my tests, if the client does not enable IPSec it will still connect without security. And if the client enables IPSec and enters a correct preshared key, it will establish a secure tunnel for the VPN connection, despite it's still using PAP or SPAP and unsecured VPN.

|
| > http://i43.tinypic.com/5b8arm.png
|
| Looks fine
|
| > http://i39.tinypic.com/2ljt7js.png
|
| Generally, if you have a DHCP server on the network, you wouldn't want
| to configure a static address pool, as Ace had mentioned. Also, is the
| scope of the static address pool in the same subnet as the network you
| are trying to access from the VPNSERVER? If not, you won't be able to
| access anything beyond the VPNSERVER.

And then the VPN server will relay the DHCP to that DHCP server, instead of the static pool that I configured. But I don't need an additional DHCP server. There will be only two hosts in the VPN, the VPNSERVER and the client. I was also planning to assign a static IP on the user account's Dial-in configuration page.

| > http://i40.tinypic.com/a32mbc.png
|
| Not really applicable unless you were using ISDN or multiple modems to
| establish the VPN connection

Thanks for the remark!

| I know for MS-CHAP v1 the password cannot exceed 14 characters, but as
| Ace had mentioned, any non-Windows machine is going to use CHAP
| anyways. I would also agree with Ace's advice about using the password
| requirements for your domain, if you are on one.

I think that this answers one of my questions! Probably PAP and SPAP are limited to 14 characters too. I'm not planning to have non-Windows clients for now.

The password "1" was temporarily set for testing only. By default my server has the complex password requirements and minimum password length set to 10. This reminds me that the password policy on the server is even more secure. I just thought about what setting could be the cause:

Local Security Policy/ Local Policies/ Security Options/
Network security: Do not store LAN Manager hash value on next password change
=ENABLED

Since the LM hash is not stored, it can't be attacked, and the NTLM hash is supposed to be much harder to crack (not to mention that account lockout is enabled). If someone tries to log on using an LM hash, since there's no LM hash stored, the logical result would be "unknown user name and password". And if that is the case, would it be possible to force the use of the NTLM hash for authentication? I don't want to rely on the LM hash.

EDIT:
I created a password that has both NTLM and LM hashes, but still get "unknown user name or bad password".

I have also altered a few other settings to make my server even more secure (but they are probably not related to my problem):
Network security: LAN Manager authentication level
=Send NTLMv2 response only\refuse LM & NTLM

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
=Require message integrity;
Require message confidentiality;
Require NTLMv2 session security;
Require 128-bit encryption.

| Speaking of Domain or Workgroup, the account you are using to
| establish the connection must either be in AD or configured in the
| local SAM of the VPNSERVER if it is a workgroup.

Yes, it is allowed to dial-in in the SAM on the VPNSERVER.

| If you are on a
| domain and have an account in AD, I would suggest looking at the
| Remote Access Policies in Routing and Remote Access. Is the username a
| member of a group that hasn't been configured with a Remote Access
| Policy? Does the AD account have dial-in permissions? Also the client,
| server, and policy all have to be configured with at least one common
| authentication protocol and encryption strength.
| Hope this helps.

Thank You, Matrixx333! :-)
George Valkov
Ace Fekay [Microsoft Certified Trainer]

"George Valkov" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> My aim is to put the server and the client on the same LAN (VPN) so that
> they can use File and Printer Sharing. The client already has internet
> connectivity so the VPN server does not need to offer that to the client.
> In fact initially the server did offer that functionality, but that caused
> a
> problem with my ISP:
> in short, the client decided to access the internet from the VPN
> interface,
> the server rerouted that to the gateway of the ISP, which received a
> packet
> from the MAC of the server, but with the IP that my ISP has assigned to the
> client PC. Their security system decided that the server was trying to
> steal
> the IP address of the client and they blocked access to the server's MAC.
> After
> 4 phone calls to unblock the server internet connection we finally figured
> out what exactly happens so I took measures to prevent the VPN side from
> accessing anything outside its scope. - I disabled Router and assigned
> proper IP filtering.

Some ISPs block inbound VPN connection capabilities. I know Comcast is one of them, but they will allow outbound and established to come back in, but not initial inbound. This prevents users from creating VPN and other types of servers (mail, web, ftp, etc).

>
> I said that the VPNSERVER and client are on the same LAN. Sure they
> already
> have File and Printer sharing, but that's only a laptop I had in hand for
> the test. The real client computer is in another town and is behind a NAT
> router, so it has to join the VPN.

Usually this is not a problem. It is done every day by remote users connecting to their company networks.

>
> Or...? Hm, would it be possible to use IPSec and create a tunnel for all
> ports
> used by File and Printer Sharing between the server and a client that is
> behind a NAT router? If yes then I don't need to set up a VPN.
>

This also may be affected by the router, if it is allowing or not allowing VPN pass-through (as what LinkSys calls it). By default, I believe IPSec tunnels are allowed through, but don't quote me on that. You will have to check the router docs and settings.

>
> I am aware of that, but notice that it says "Allow" and not "Force".
> According to my tests, if the client does not enable IPSec it will still
> connect without security. And if the client enables IPSec and enters a
> correct preshared key, it will establish a secure tunnel for the VPN
> connection, despite it's still using PAP or SPAP and unsecured VPN.

VPNs are secured connections. There really is no "unsecured VPN" in the context of your sentence. The password will dictate how the client establishes the secured connection. If the password is weak, or using a weak method, then it is easier for anyone to crack it and create their own secured connection.

> And then the VPN server will relay the DHCP to that DHCP server, instead
> of
> the static pool that I configured. But I don't need an additional DHCP
> server.
> There will be only two hosts in the VPN, the VPNSERVER and the client. I
> was
> also planning to assign a static IP on the user account's Dial-in
> configuration page.

Relay the DHCP Request, not relay "DHCP," but I'm sure that's what you meant.

>
> This reminds me that the password policy on the server is even more
> secure.
> I just thought about what setting could be the cause:
>
> Local Security Policy/ Local Policies/ Security Options/
> Network security: Do not store LAN Manager hash value on next password
> change
> =ENABLED

The Password Policy on a DC would be at the domain level, which will affect all user accounts. This is in the Default Domain Policy. Under Computer-Windows Settings-Security Settings-Password Settings. If on a local machine, it would be in the Local Security Policy (administrative tools), or in the Local GPO (gpedit.msc).

The setting you mentioned above is how the server will handle password and the LanMan hashes. Changing this is usually only done to allow backward compatibility for older legacy Windows clients, or for non-Windows clients. So there really is no reason to change this in your scenario.

> EDIT:
> I created a password that has both NTLM and LM hashes, but still get
> "unknown user name or bad password".
>
> I have also altered a few other settings to make my server even more
> secure
> (but they are probably not related to my problem):
> Network security: LAN Manager authentication level
> =Send NTLMv2 response only\refuse LM & NTLM
>
> Network security: Minimum session security for NTLM SSP based (including
> secure RPC) clients
> Network security: Minimum session security for NTLM SSP based (including
> secure RPC) servers
> =Require message integrity;
> Require message confidentiality;
> Require NTLMv2 session security;
> Require 128-bit encryption.
>
>

Honestly all these changes you are making are not needed to set up a simple VPN server. I think you are looking at the whole thing as looking at an elephant under a microscope. This is not required. Let's try to go back to basics and get this set up and working first, then start making changes to test your security levels.

>
>
> | Speaking of Domain or Workgroup, the account you are using to
> | establish the connection must either be in AD or configured in the
> | local SAM of the VPNSERVER if it is a workgroup.
>
> Yes, it is allowed to dial-in in the SAM on the VPNSERVER.
>

So this is a standalone machine. Ok, that clears it up a bit, and actually makes it easier.

By the way, did those links I provided you help in any way?

Ace
George Valkov

"Ace Fekay [Microsoft Certified Trainer]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
| "George Valkov" <(E-Mail Removed)> wrote in message
| news:(E-Mail Removed)...
| > Hello Ace!
| > I'd be happy to use MSCHAP or MSCHAP2, unfortunately they didn't work so I
| > tried PAP and SPAP as a fallback.
| >
|
| I'm somewhat surprised it is not working, because XP will use MSCHAP2.
| MSCHAP was designed back in the NT4 days, but graduated to MSCHAP2 with
| Windows 2000 and newer.

Me too. The default configuration not working didn't match my expectation for "logical". (When I started working on this, there was some default configuration that didn't work.) So I looked in every setting that I could find on the server and played with it. Unless something else is broken on the server - it's been 3 years since I installed it, and I also use it as a workstation (it's my only PC).

|
| > There is no IAS. That's not a corporate network, so I guess I wouldn't
| > spend
| > money on IAS.
|
|
| IAS is FREE. It is part of the operating system. The error you provided was
| an IAS error.

My bad, I'll try to learn about Internet Authentication Service.

| > I have a license for Win2003 on my home PC and I decided to
| > bring the PC from my other home in the same network with it. And so I made
| > use
| > of the VPN functionality and enabled RRAS. But I guess it didn't work with
| > the default config on the server and on the XP client :-(
| > Any better ideas how to bring the two computers to the same LAN and share
| > files as a network drive?
| >
| > I don't need DNS, WINS or any advanced functionality. RDP and HTTPS are
| > already over SSL, so I just needed to establish File and Printer sharing.
| > The server has a static internet accessible IP. The ISP won't let me have
| > another IP, so I decided to set up a VPN. I am currently on the client PC, I
| > established a successful connection through a NAT router to the VPN
| > server
| > using SPAP. I also tried MSCHAP2, but I got unknown username or bad
| > password again.
|
| If you are not using DNS, then it needs some other form of name resolution
| to "find" your internal resources and because you are not using AD, then DNS
| is not necessarily required internally, but in your case WINS will be needed
| otherwise how will it find the internal resources by name? If you have a
| mapped drive by name, such as \\servername\sharename, how is the client side
| resolver to resolve the internal servername?

I am using the IP address of the server. At least for now:
\\192.168.1.1\share
DNS and WINS are to make life easier, when there are many computers. For a single computer there's the HOSTS file ;-)

| As far as why MSCHAP2 is not working, seems to point to a simple RRAS
| misconfiguration. Believe me, I've set this up in my sleep without problems
| numerous times, as an interim solution for companies until I got their Cisco
| ASA in place for hardware based VPN with the Cisco client.

It's possible that I've messed something up with the configuration, I was very overloaded with tasks this Tuesday. I have a trial version of Windows 2008. I will try to set up the VPN server there just for a test and post back when I have results from it.

| >
| > Thank You for the reply, Ace! George Valkov
|
| You are welcome.

:-)

| >
| > BTW the screen-shots only work when copy-pasted in the browser.
|
| They were somewhat difficult to open individually. Would have been nicer if
| they were jpgs and all in one page so I can compare the pics side by side.

PNG format is better for screenshots and graphics. JPG files are larger and usually don't look good. But you did actually mean archived together like this:
http://www.mediafire.com/file/manyy3...9-05-04_VPN.7z

| See if these articles work to help set it up.
|
| ====================================================================================================
| ====================================================================================================
|
| How to setup RRAS as a VPN server
|
| Routing and Remote Access Blog : VPN server deployment: IP
| http://blogs.technet.com/rrasblog/ar...20/457653.aspx
|
| Microsoft Windows Server 2008: A Beginner's Guide - Google Books Result by
| Marty Matthews - 2008 - Computers - 592 pages
| SET UP A VPN SERVER VPN, like RAS, has both client and server components.
| http://books.google.com/books?id=Rm0...esult&resnum=8
|
| VPN Setup - multiple links on how to setup RRAS, VPN and a client
| www.chicagotech.net/vpnsetup.htm
|
| ====================================================================================================
| ====================================================================================================
|
| Ace
|

Thank You, Ace! I added them to my collection of links and I'll try to find some free time during the weekend for reading!

George Valkov
Ace Fekay [Microsoft Certified Trainer]
Guest
Posts: n/a
"George Valkov" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Me too. The default configuration not working didn't match my expectation
> for "logical" (when I started working on this, there was some default
> configuration that didn't work). So I looked in every setting that I could
> find on the server and played with it. Unless something else is broken on
> the server - it's been 3 years since I installed it, and I also use it as a
> workstation (it's my only PC).

2003 as a workstation???

> My bad, I'll try to learn about Internet Authentication Service.

It's Microsoft's implementation of RADIUS.

> I am using the IP address of the server. At least for now:
> \\192.168.1.1\share
> DNS and WINS are to make life easier when there are many computers. For a
> single computer there's the HOSTS file ;-)

I hate hosts files. Rather use DNS. :-)

> It's possible that I've messed something up with the configuration, I was
> very overloaded with tasks this Tuesday. I have a trial version of Windows
> 2008. I will try to set up the VPN server there just for a test and post back
> when I have results from it.

I'm beginning to think since it is your workstation, who knows what's installed on it by this time, especially after 3 years of use. Firewall, ZA formerly installed on it (known issue), antispyware, security software, operating system issues, ...

> PNG format is better for screenshots and graphics. JPG files are larger
> and usually don't look good. But you did actually mean archived together like
> this:
> http://www.mediafire.com/file/manyy3...9-05-04_VPN.7z

A little better, but I was thinking more of a bunch of thumbnail pics on the site where you click on one and the full version opens. This eliminates downloading them one by one to open, and you can view the thumbnails, as long as big enough, side by side for comparison.

> Thank You, Ace! I added them to my collection of links and I'll try to
> find some free time during the weekend for reading!
>
> George Valkov

Cheers!
Ace
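Ace's note that IAS is Microsoft's RADIUS implementation is the hook for a worked example. The block below is an added illustration, not code from this thread or from Microsoft's RRAS/IAS, of what a PAP credential looks like when it reaches a RADIUS server: RFC 2865 section 5.2 hides the User-Password attribute by XORing it, 16 bytes at a time, with MD5(shared secret || previous block), seeded with the packet's Request Authenticator. The server (IAS, in Ace's terms) reverses the same steps. The shared secret, authenticator, user name and password used here are constructed sample values, and the packet builder only covers the two attributes needed to make the point.

```python
"""RFC 2865 Access-Request with a PAP User-Password, client and server side.

Added example: the password is only obfuscated with the RADIUS shared secret,
not encrypted under a key the server lacks, so anyone holding the secret and
the packet recovers the cleartext. That is the security property of PAP over
RADIUS in a nutshell, and why a challenge/response method (MS-CHAPv2) or an
IPsec-protected transport is preferred. All sample values are constructed.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1          # RADIUS Code for Access-Request (RFC 2865 s.4.1)
ATTR_USER_NAME = 1          # attribute type 1
ATTR_USER_PASSWORD = 2      # attribute type 2, 16..128 bytes when hidden


def new_request_authenticator() -> bytes:
    """Real clients use 16 unpredictable bytes; the secret is mixed with it."""
    return os.urandom(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side (RFC 2865 s.5.2): pad with NULs to a 16-byte multiple, then
    c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes before padding")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block          # chaining uses the *hidden* block, not the plaintext
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the inverse of hide_password. Trailing NUL padding is
    stripped, so a password that genuinely ends in NUL bytes is ambiguous
    (a known limitation of the RFC 2865 scheme)."""
    if not hidden or len(hidden) % 16 != 0 or len(hidden) > 128:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes, max 128")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def _attribute(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1, includes header) Value: RFC 2865 s.5."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    attrs = _attribute(ATTR_USER_NAME, username)
    attrs += _attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier & 0xFF, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(pkt: bytes):
    """Minimal, length-checked RADIUS header and attribute walk.
    Returns (code, identifier, authenticator, {type: value}); on duplicate
    attribute types the last one wins, which is enough for this example."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    authenticator = pkt[4:20]
    attrs = {}
    i = 20
    while i < length:
        if i + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[i], pkt[i + 1]
        if attr_len < 2 or i + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = pkt[i + 2:i + attr_len]
        i += attr_len
    return code, identifier, authenticator, attrs


def server_recover_credentials(pkt: bytes, secret: bytes):
    """What the RADIUS server does before checking the user database:
    returns (username, cleartext password) from an Access-Request."""
    code, _ident, authenticator, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    if ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        raise ValueError("missing User-Name or User-Password")
    return attrs[ATTR_USER_NAME], reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
```

Usage: `pkt = build_access_request(7, b"vpnuser", b"1", b"sharedsecret", new_request_authenticator())` produces the bytes a NAS would send, and `server_recover_credentials(pkt, b"sharedsecret")` gives back `(b"vpnuser", b"1")`. A 50-character PAP password hides to 64 bytes and round-trips just as well, since RFC 2865 allows up to 128 bytes; RADIUS itself imposes no shorter limit. Run the server-side call with a different secret and the result is garbage, which is the whole strength of the scheme, and also its weakness: the secret is all that stands between the packet and the password.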