Re: Handheld device remote networking issues into RAS



I set "Store password using reversible encryption for all users in the
domain" on the default domain policy-this setting is found in
computer/security/account policies/password policy.
I then tested one of the handhelds, and I was not able to connect. Same
thing happened that always happened.
Am I setting it in the wrong location?

"Bill Grant" wrote:

> The message you quote tells you why CHAP isn't working. It needs the
> reversibly encrypted password option. This is off by default in server 2003.
>
> nosurfdj wrote:
> > We have a bunch of NEC MobilePros, mainly 770, 780, 790s that remote
> > users use to dial in to our RAS server.
> > Everything was working fine until we moved RAS to a Windows 2003
> > server, from a NT Server.
> > The handhelds will dial and connect to the server, but as soon as that
> > happens there is a message displayed on the handhelds that says:
> > responding to authentication challenge
> >
> > Another window pops up almost simultaneously that says:
> > Disconnected.
> >
> > I checked the event log on the server and found this warning event:
> > Source-Remote Access
> > Event ID 20187
> > The user domain\user failed an authentication attempt due to the
> > following reason: The user could not be authenticated using Challenge
> > Handshake Authentication Protocol (CHAP). A reversibly encrypted
> > password does not exist for this user account. To ensure that
> > reversibly encrypted passwords are enabled, check either the domain
> > password policy or the password settings on the user account.
> >
> > There is another event right after it, same source
> > Event ID 20014
> > The user domain\user has connected and failed to authenticate on port
> > COM1. The line has been disconnected.
> >
> > I don't understand why I'm getting this second event. I've created a
> > policy in Routing and Remote Access to allow the group that the
> > account is in to be granted
> > remote access permission.
> > And in regard to the first event, I don't understand why CHAP won't
> > work-I've enabled the policy to allow CHAP authentication, as well as
> > others.
> >
> > I've also checked some of the logs on the server and found some
> > information, but I haven't found much information on it and what it
> > means exactly.
> >
> > from RASAUTH log
> > [4056] 10:35:31:668: IASResponse = 2, FailureReason = 0x13
> >
> > from RASCHAP log
> > [3184] 01-10 10:35:31:637: CS_ChallengeSent...
> > [3184] 01-10 10:35:31:668: ChapMakeMessage,RBuf=00000000
> > [3184] 01-10 10:35:31:668: Result=691,Tries=2
> > [3184] 01-10 10:35:31:668: CS_Done...
> >
> > FROM IASSAM log
> > [4056] 01-10 10:35:31:668: LogonUser failed: The specified directory
> > service attribute or value does not exist.
> >
> > from PPP log
> > [3184] 01-10 10:35:31:668: Auth Protocol c223 terminated with error 691
> >
> > from RASMAN
> > Disconnecting Port 0xCOM1, reason 0
> >
> > In Active Directory, I've also disabled 2 settings that could cause
> > problems: computer config/windows settings/security settings/local
> > policies/security option
> > Microsoft network server: digitally sign communications (always)
> > Microsoft network client: digitally sign communications (always)
> >
> > I understand that there is also a setting in AD that will store all
> > passwords with reversible encryption, but it is considered a security
> > risk. I haven't tried changing this setting and then dialing in. I
> > hope there's other options.
> >
> > Any help is appreciated.
>
>
>
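
Why event 20187 ties CHAP to reversibly encrypted passwords, as an added example that is not part of the original thread: under RFC 1994 the dialing peer answers with MD5(Identifier || secret || Challenge), so the server has to hold the password itself to recompute that value. The function names and sample password are constructed for illustration, and SHA-256 stands in for a one-way stored hash (it is not the hash Active Directory uses).

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def server_verify(identifier: int, stored_secret: bytes,
                  challenge: bytes, response: bytes) -> bool:
    """The authenticator recomputes the response from whatever it has stored."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def one_way_store(password: bytes) -> bytes:
    """Stand-in for a one-way password hash (assumption: SHA-256 for the demo)."""
    return hashlib.sha256(password).digest()


def simulate(password: bytes, challenge: bytes = b"") -> dict:
    """Run one CHAP exchange against two server-side storage models."""
    challenge = challenge or os.urandom(16)   # server -> peer
    identifier = 1
    # Peer side: the handheld knows the cleartext password the user typed.
    response = chap_response(identifier, password, challenge)
    return {
        # Server can recover the cleartext (reversible encryption enabled
        # and a password set since then): verification succeeds.
        "reversible_store": server_verify(
            identifier, password, challenge, response),
        # Server holds only a one-way hash: it cannot rebuild the MD5 input,
        # so the comparison fails and the line is dropped.
        "hash_only_store": server_verify(
            identifier, one_way_store(password), challenge, response),
    }


if __name__ == "__main__":
    # Constructed sample password, not taken from the thread.
    print(simulate(b"Example-Passw0rd"))
```

A reversibly encrypted copy is written only when a password is set, so an account whose password was last changed before the policy was enabled still has none until its next password change.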