Re: Handheld device remote networking issues into RAS
- From: "Bill Grant" <not.available@online>
- Date: Tue, 24 Jan 2006 12:40:18 +1100
No, you do not need to use the policy to have every user in the domain
use reversibly encrypted passwords. You can use the second option suggested
in the error message, of setting it in the password options of the user
account (for just the users who need this option).
The basic essential is that the users who need to connect from handhelds
using CHAP must have reversibly encrypted passwords.
nosurfdj wrote:
> I set "Store password using reversible encryption for all users in the
> domain" on the default domain policy-this setting is found in
> computer/security/account policies/password policy.
> I then tested one of the handhelds, and I was not able to connect.
> Same thing happened that always happened.
> Am I setting it in the wrong location?
>
> "Bill Grant" wrote:
>
>> The message you quote tells you why CHAP isn't working. It needs
>> the reversibly encrypted password option. This is off by default in
>> server 2003.
>>
>> nosurfdj wrote:
>>> We have a bunch of NEC MobilePros, mainly 770, 780, 790s that remote
>>> users use to dial in to our RAS server.
>>> Everything was working fine until we moved RAS to a Windows 2003
>>> server, from a NT Server.
>>> The handhelds will dial and connect to the server, but as soon as
>>> that happens there is a message displayed on the handhelds that
>>> says: responding to authentication challenge
>>>
>>> Another window pops up almost simultaneously that says:
>>> Disconnected.
>>>
>>> I checked the event log on the server and found this warning event:
>>> Source-Remote Access
>>> Event ID 20187
>>> The user domain\user failed an authentication attempt due to the
>>> following reason: The user could not be authenticated using
>>> Challenge Handshake Authentication Protocol (CHAP). A reversibly
>>> encrypted password does not exist for this user account. To ensure
>>> that reversibly encrypted passwords are enabled, check either the
>>> domain password policy or the password settings on the user account.
>>>
>>> There is another event right after it, same source
>>> Event ID 20014
>>> The user domain\user has connected and failed to authenticate on
>>> port COM1. The line has been disconnected.
>>>
>>> I don't understand why I'm getting this second event. I've created
>>> a policy in Routing and Remote Access to allow the group that the
>>> account is in to be granted
>>> remote access permission.
>>> And in regard to the first event, I don't understand why CHAP won't
>>> work-I've enabled the policy to allow CHAP authentication, as well
>>> as others.
>>>
>>> I've also checked some of the logs on the server and found some
>>> information, but I haven't found much information on it and what it
>>> means exactly.
>>>
>>> from RASAUTH log
>>> [4056] 10:35:31:668: IASResponse = 2, FailureReason = 0x13
>>>
>>> from RASCHAP log
>>> [3184] 01-10 10:35:31:637: CS_ChallengeSent...
>>> [3184] 01-10 10:35:31:668: ChapMakeMessage,RBuf=00000000
>>> [3184] 01-10 10:35:31:668: Result=691,Tries=2
>>> [3184] 01-10 10:35:31:668: CS_Done...
>>>
>>> FROM IASSAM log
>>> [4056] 01-10 10:35:31:668: LogonUser failed: The specified directory
>>> service attribute or value does not exist.
>>>
>>> from PPP log
>>> [3184] 01-10 10:35:31:668: Auth Protocol c223 terminated with error
>>> 691
>>>
>>> from RASMAN
>>> Disconnecting Port 0xCOM1, reason 0
>>>
>>> In Active Directory, I've also disabled 2 settings that could cause
>>> problems: computer config/windows settings/security settings/local
>>> policies/security option
>>> Microsoft network server: digitally sign communications (always)
>>> Microsoft network client: digitally sign communications (always)
>>>
>>> I understand that there is also a setting in AD that will store all
>>> passwords with reversible encryption, but it is considered a
>>> security risk. I haven't tried changing this setting and then
>>> dialing in. I hope there's other options.
>>>
>>> Any help is appreciated.
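
Why event 20187 appears for accounts without a reversibly encrypted password, shown as an added example that is not part of the original thread: in CHAP (RFC 1994, MD5) the server has to recompute the response from the password itself, so a stored one-way hash cannot verify it. The `Account` class, the result strings and the SHA-256 stand-in for the stored one-way hash are constructed for illustration and do not reflect how Windows stores credentials.

```python
import hashlib
import hmac
import os

CHAP_PPP_PROTOCOL = 0xC223  # PPP protocol number for CHAP ("c223" in the PPP log)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Account:
    """Constructed account record (assumption, not the real directory schema)."""

    def __init__(self, password: str, reversible: bool):
        # A one-way hash is always stored; SHA-256 is only a stand-in here.
        self.one_way_hash = hashlib.sha256(password.encode()).digest()
        # The recoverable password exists only when reversible storage is on.
        self.recoverable_password = password.encode() if reversible else None


def server_verify(account: Account, identifier: int,
                  challenge: bytes, response: bytes) -> str:
    """Server side: needs the password itself to recompute the response."""
    if account.recoverable_password is None:
        # Corresponds to the situation reported by event 20187.
        return "no-reversible-password"
    expected = chap_response(identifier, account.recoverable_password, challenge)
    if hmac.compare_digest(expected, response):
        return "ok"
    return "bad-credentials"


def simulate(client_password: str, account: Account) -> str:
    """One challenge/response round between a dial-in client and the server."""
    identifier = 1
    challenge = os.urandom(16)  # server-chosen random challenge
    response = chap_response(identifier, client_password.encode(), challenge)
    return server_verify(account, identifier, challenge, response)


if __name__ == "__main__":
    print(simulate("S3cret!", Account("S3cret!", reversible=True)))
    print(simulate("S3cret!", Account("S3cret!", reversible=False)))
    print(simulate("wrong", Account("S3cret!", reversible=True)))
```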