Re: Win2K3 domain account connecting to Win2K VPN server in an NT4



Believe me, I've searched the MS KB and googled this error up and down, and
I've seen all the basic stuff. The suggestion made in the troubleshooting
tip you linked to is exactly what I was referring to in my last bullet point
- since the server is not in the AD domain, you can't add it to the AD
domain's RAS and IAS Servers group, which is a Domain Local group. Also,
there's really no reason why it would need to be in this group, since it's
not in the AD domain in the first place – it should authenticate AD accounts
using pass-through authentication, not by contacting the AD domain
controllers directly.

You're suggesting reconfiguring RRAS, but remember that RRAS is *not*
broken. NT4 accounts can still authenticate, and the server is currently
running, *in production*. The only thing that isn't working is that accounts
that are migrated to AD can no longer authenticate, even though the profile
has been migrated, and their VPN connection properties have not changed (yes,
I verified that my test accounts could connect to the VPN before migrating
them).

Furthermore, we actually have *two* ISA VPN servers (with VPNs configured
identically). They're both authenticating NT4 domain accounts, and they're
both rejecting AD domain accounts in exactly the same way, so that pretty
much rules out a server malfunction.



"Robert L [MS-MVP]" wrote:

> Re-configuring the RRAS may fix the problem. Or check these troubleshooting tips:
>
> VPN error code
> Receiving VPN error 619 while connecting to a VPN via SBC ... VPN Error 930 -
> The authentication server did not respond to authentication requests in a ...
> www.chicagotech.net/vpnerrors.htm
>
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
> "AI" <{adi-spf4}{remove this text and the braces}@avivausa.com> wrote in message news:3D8611AE-B33A-4282-BF72-59A45C01DF9A@xxxxxxxxxxxxxxxx
> I have a Windows 2000 VPN server (running ISA 2000) that is a member of a
> Windows NT 4.0 domain. I have set up a Windows 2003 Active Directory domain,
> running in Native Mode, and I am testing migrating the Windows NT 4.0
> accounts to the new domain. The problem is that when I migrate accounts
> (with the ADMT) from NT4 to AD, those accounts can no longer be authenticated
> by the VPN server. When I try to connect from the client, I receive the
> following error:
>
> Verifying username and password...
> Error 930: The authentication server did not respond to authentication
> request in a timely fashion.
>
> On the VPN server, the following event is logged:
>
> Event ID: 20073
> Source: RemoteAccess
> Description: The following error occurred in the Point to Point Protocol
> module on port: VPN<##>, UserName: <ADDOMAIN\username>. The authentication
> server did not respond to authentication requests in a timely fashion.
>
> - In the AD domain, the Everyone group is a member of the Pre-Windows 2000
> Compatible group.
> - I have set up trusts in both directions between the domains, and have
> verified that the trusts are functioning properly.
> - The VPN server is configured to use Windows authentication, not RADIUS.
> - Accounts in the NT4 domain are still able to authenticate. Accounts that
> are able to authenticate to the VPN when they are in the NT4 domain lose
> access when they are migrated to the AD domain, so that pretty much rules out
> any issues with a mismatch in authentication protocols or configuration on
> the user account’s Dial-In tab (although I did verify that dial-in access is
> still allowed in the account properties after the migration).
> - When the account is migrated, the user profile is also migrated, so the
> configuration of the VPN connection must be correct (it was working when the
> account was in the NT4 domain).
> - The connection protocol is PPTP.
> - Before anyone says anything about adding the ISA/VPN server’s account to
> the RAS and ISA Servers group in the AD domain, remember that it’s the *user*
> that is in the AD domain, whereas the server is in the NT4 domain (and
> therefore cannot be added to a Domain Local group in the AD domain).
>
> Based on what I’ve read, my configuration – an AD user connecting to a VPN
> server in an NT4 domain using pass-through authentication – should work fine
> as long as the Everyone group is in the Pre-Windows 2000 Compatible group in
> the AD domain. What am I missing?
>