Re: Handheld device remote networking issues into RAS



I know what setting you are talking about in AD to store all passwords in the
domain with reversible encryption. I've read articles that this can be a big
security risk because the passwords of all users would be stored in plain
text. If this is the only way to make it work, then that's what I have to
do. I was hoping that there might be other options.

"Bill Grant" wrote:

> The message you quote tells you why CHAP isn't working. It needs the
> reversibly encrypted password option. This is off by default in Server 2003.
>
> nosurfdj wrote:
> > We have a bunch of NEC MobilePros, mainly 770, 780, 790s that remote
> > users use to dial in to our RAS server.
> > Everything was working fine until we moved RAS to a Windows 2003
> > server, from an NT Server.
> > The handhelds will dial and connect to the server, but as soon as that
> > happens there is a message displayed on the handhelds that says:
> > responding to authentication challenge
> >
> > Another window pops up almost simultaneously that says:
> > Disconnected.
> >
> > I checked the event log on the server and found this warning event:
> > Source-Remote Access
> > Event ID 20187
> > The user domain\user failed an authentication attempt due to the
> > following reason: The user could not be authenticated using Challenge
> > Handshake Authentication Protocol (CHAP). A reversibly encrypted
> > password does not exist for this user account. To ensure that
> > reversibly encrypted passwords are enabled, check either the domain
> > password policy or the password settings on the user account.
> >
> > There is another event right after it, same source
> > Event ID 20014
> > The user domain\user has connected and failed to authenticate on port
> > COM1. The line has been disconnected.
> >
> > I don't understand why I'm getting this second event. I've created a
> > policy in Routing and Remote Access to allow the group that the
> > account is in to be granted remote access permission.
> > And in regard to the first event, I don't understand why CHAP won't
> > work-I've enabled the policy to allow CHAP authentication, as well as
> > others.
> >
> > I've also checked some of the logs on the server and found some
> > information, but I haven't found much information on it and what it
> > means exactly.
> >
> > from RASAUTH log
> > [4056] 10:35:31:668: IASResponse = 2, FailureReason = 0x13
> >
> > from RASCHAP log
> > [3184] 01-10 10:35:31:637: CS_ChallengeSent...
> > [3184] 01-10 10:35:31:668: ChapMakeMessage,RBuf=00000000
> > [3184] 01-10 10:35:31:668: Result=691,Tries=2
> > [3184] 01-10 10:35:31:668: CS_Done...
> >
> > FROM IASSAM log
> > [4056] 01-10 10:35:31:668: LogonUser failed: The specified directory
> > service attribute or value does not exist.
> >
> > from PPP log
> > [3184] 01-10 10:35:31:668: Auth Protocol c223 terminated with error 691
> >
> > from RASMAN
> > Disconnecting Port 0xCOM1, reason 0
> >
> > In Active Directory, I've also disabled 2 settings that could cause
> > problems: computer config/windows settings/security settings/local
> > policies/security option
> > Microsoft network server: digitally sign communications (always)
> > Microsoft network client: digitally sign communications (always)
> >
> > I understand that there is also a setting in AD that will store all
> > passwords with reversible encryption, but it is considered a security
> > risk. I haven't tried changing this setting and then dialing in. I
> > hope there's other options.
> >
> > Any help is appreciated.
>
>
>
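
Why the server in this thread needs a recoverable password for CHAP, as an added example that is not part of the original posts: RFC 1994 computes the response as MD5 over the identifier, the shared secret and the challenge, so the verifier must hold the secret itself. The account layout, the function names and the SHA-256 stand-in for a one-way stored hash are assumptions for illustration, not the Active Directory storage format.

```python
import hashlib
import hmac
import os

def chap_response(identifier, secret, challenge):
    # RFC 1994, section 4.1: Response = MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def one_way(password):
    # Assumption: SHA-256 stands in for whatever one-way hash the directory keeps
    return hashlib.sha256(password).digest()

def server_verify(account, identifier, challenge, response):
    """Return 'ok', 'bad-password' or 'no-reversible-password'."""
    secret = account.get("reversible")  # recoverable password, if one was stored
    if secret is None:
        # Only a one-way hash exists, so the MD5 input cannot be rebuilt.
        # This is the situation event 20187 in the thread reports.
        return "no-reversible-password"
    expected = chap_response(identifier, secret, challenge)
    return "ok" if hmac.compare_digest(expected, response) else "bad-password"

def demo():
    password = b"constructed-sample-pw"        # constructed sample value
    identifier, challenge = 7, os.urandom(16)  # sent by the server to the client
    client_resp = chap_response(identifier, password, challenge)

    hashed_only = {"hash": one_way(password)}
    with_reversible = {"hash": one_way(password), "reversible": password}
    wrong_resp = chap_response(identifier, b"wrong", challenge)
    return (
        server_verify(hashed_only, identifier, challenge, client_resp),
        server_verify(with_reversible, identifier, challenge, client_resp),
        server_verify(with_reversible, identifier, challenge, wrong_resp),
        # Feeding the stored hash into the formula does not reproduce the
        # client's response, so a one-way hash cannot substitute for the secret.
        chap_response(identifier, hashed_only["hash"], challenge) == client_resp,
    )

if __name__ == "__main__":
    print(demo())
```
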