Issues with VPN driving me mad.

  • Question

  • About 3 months ago I configured a VPN to our corporate server using the PPTP protocol.

    Connecting to Windows Server 2012 Essentials, via Windows 7.

    There's only me connecting, so I created a new user and gave this user dial in access via AD Users and Computers.

    Connected and ran fine.

    After about a month, I couldn't connect via VPN; the connection failed on verifying username and password. Error 629.

    (luckily I have other methods to gain access).

    I connected via other means, gave a different account dial in access, changed the authentication info in my VPN connection and could connect again.

    Now another month has passed and the second user is failing with the same error.

    If I create a whole new account for my VPN access, I can connect again, but not with either of the two previous accounts.

    The second account is a domain admin, works fine while I'm on site, I've no authentication issues on the domain.

    I'm confused why the domain has no authentication problems but the VPN does.

    I spent the best part of the day trying to figure out why I can't VPN via my main domain admin account, but can with a freshly created one. I fear that this fresh one is going to do the same in a month's time.

    Any ideas anyone, it's driving me bonkers


    • Edited by Keat63 Friday, June 21, 2019 2:53 PM
    Friday, June 21, 2019 2:52 PM

All replies

  • You should use the wizard from the Essentials Dashboard to setup VPN.

    Mariëtte Knap [alumna Microsoft SBS MVP]
    www.server-essentials.com | Linkedin | Migrations done the easy way
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Friday, June 21, 2019 3:14 PM
  • VPN is setup on the server, running fine, and has been for about 3 months.

    The VPN dashboard is reporting no errors, everything is fine.

    The issue I'm facing is connecting to the VPN from a remote location.

    Today, I spent most of the day trying to figure out why 'domainadmin@mydomain.local' was failing with authentication problems.

    But a freshly created user 'newuser@mydomain.local' could connect without issue.

    I can log on to the server locally or administer any PC in the building with domainadmin, but can't authenticate on the VPN.

    I'm now at home, I can connect to the VPN using the credentials 'newuser@mydomain.local', but not using the domainadmins account.

    From home on my Windows 10 PC, trying to connect to the VPN on the domainadmins account, I receive the following error.

    The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile.

    If I edit the connection profile to the 'newuser' I can connect without issue.

    The only thing I changed is the username and password.

    It's as if the domainadmins account is locked out, but only out of VPN ????

    I've even gone as far as removing the remote access role through server manager, and rebuilding it.

    But still the same with this user.

    I removed the previous user which had failed a month ago, recreated the account, same issue.

    I just can't fathom what's going on.




    • Edited by Keat63 Friday, June 21, 2019 4:03 PM
    Friday, June 21, 2019 3:59 PM
  • Hi,

    Based on your description, my understanding is that VPN stops working for existing user credentials after a period of time, and it is still working for newly created accounts.

    >Now another month has passed and the second user is failing with the same error. If I create a whole new account for my VPN access, I can connect again, but not with either of the two previous accounts.
    If the problem occurs periodically, please check the applied group policies and NPS policies to confirm whether any policy may have an effect on this problem.

    > The only thing I changed is the username and password.
    I want to confirm with you whether the VPN problem only happens after changing the user name/password?

    Please enable and configure the NPS log file and check whether any helpful information is logged:
    https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-accounting-configure#configure-nps-log-file-properties

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, June 24, 2019 3:32 AM
    Moderator
  • It seems that my time related theory and new users was incorrect.

    The new user which I created on Friday has the same fault, and another new account can't connect either.

    So something else is going on.

    I created the NPS log, but it means nothing to me.

    <Event><Timestamp data_type="4">06/24/2019 08:42:25.573</Timestamp><Computer-Name data_type="1">SERVERNAME</Computer-Name><Event-Source data_type="1">RAS</Event-Source><Class data_type="1">311 1 fe80::5efe:10.10.1.10 06/20/2019 18:49:11 135</Class><Fully-Qualifed-User-Name data_type="1">MYDOMAIN\vpn</Fully-Qualifed-User-Name><SAM-Account-Name data_type="1">MYDOMAIN\vpn</SAM-Account-Name><Provider-Type data_type="0">1</Provider-Type><Proxy-Policy-Name data_type="1">Microsoft Routing and Remote Access Service Policy</Proxy-Policy-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">64</Reason-Code></Event>

    Monday, June 24, 2019 7:46 AM
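
The NPS log line posted above can be decoded field by field. The following is an added example, not part of the thread: it parses NPS XML-format log lines using the element names visible in the posted event and maps `Packet-Type` and `Reason-Code` to the names Microsoft's NPS log documentation gives them. The function names and the two constructed sample lines are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# RADIUS packet codes as written to the Packet-Type field.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
# Subset of NPS Reason-Code values (names as in Microsoft's NPS log documentation).
REASON_CODES = {
    0: "IAS_SUCCESS",
    16: "IAS_AUTH_FAILURE",        # credentials did not validate
    36: "IAS_ACCOUNT_LOCKED_OUT",  # Active Directory account lockout
    64: "IAS_DIALIN_LOCKED_OUT",   # remote access lockout count exceeded
    65: "IAS_DIALIN_DISABLED",     # dial-in permission is Deny
    66: "IAS_INVALID_AUTH_TYPE",   # auth method not enabled on the policy
}

# Event from the post above, with Class, Provider-Type and Event-Source left out.
POSTED_EVENT = (
    r'<Event><Timestamp data_type="4">06/24/2019 08:42:25.573</Timestamp>'
    r'<Fully-Qualifed-User-Name data_type="1">MYDOMAIN\vpn</Fully-Qualifed-User-Name>'
    r'<Packet-Type data_type="0">3</Packet-Type>'
    r'<Reason-Code data_type="0">64</Reason-Code></Event>'
)
# Constructed lines: one accepted logon and one truncated write.
CONSTRUCTED = [
    r'<Event><SAM-Account-Name data_type="1">MYDOMAIN\newuser</SAM-Account-Name>'
    r'<Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>',
    '<Event><Timestamp data_type="4">06/24/2019 08:4',
]

def parse_event(line):
    """Decode one NPS XML log line; return None for blank or damaged lines."""
    try:
        root = ET.fromstring(line.strip())
        f = {c.tag: (c.text or "").strip() for c in root}
        ptype, reason = int(f.get("Packet-Type", -1)), int(f.get("Reason-Code", -1))
    except (ET.ParseError, ValueError):
        return None
    return {
        # Element name spelled as it appears in the posted log.
        "user": f.get("Fully-Qualifed-User-Name") or f.get("SAM-Account-Name"),
        "packet": PACKET_TYPES.get(ptype, f"type {ptype}"),
        "reason": REASON_CODES.get(reason, f"code {reason}"),
    }

def summarize_rejects(lines):
    """Count Access-Reject events per (user, reason)."""
    events = filter(None, map(parse_event, lines))
    return dict(Counter((e["user"], e["reason"]) for e in events
                        if e["packet"] == "Access-Reject"))
```

For the posted event this yields an Access-Reject with `IAS_DIALIN_LOCKED_OUT`, the remote access account lockout kept by the VPN service, which is tracked separately from the Active Directory lockout (`IAS_ACCOUNT_LOCKED_OUT`).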
  • Hi,

    Is it a multi-homed server system? If so, please make sure that the PPTP clients establish the connection to the first IP address that is bound to the PPTP server's public network interface. Also make sure that you configure the default gateway on the server to the interface that receives the connection attempt.

    Besides, please check both client and server and try to find related event log entries (Event Viewer) about the failed VPN operation.

    Best Regards,
    Eve Wang


    Tuesday, June 25, 2019 7:24 AM
    Moderator
    It's a standalone server.

    What's annoying is I spent most of the day Friday trying to work this out.

    I gave up in the end and created a whole new user for the sole purpose of allowing me VPN access.

    This worked faultlessly on Friday evening.

    Nothing changed over the weekend, came to connect on Monday and the same fault.

    As there's only me connecting via VPN, I decided yesterday to remove the remote access role and create a VPN on my WatchGuard Firebox instead.

    I've given in.

    Tuesday, June 25, 2019 8:20 AM
  • Hi,

    I quite understand the inconvenience it has brought you.

    The suggestions below can be considered before you choose another configuration.

    Is there any 3rd party process, including anti-virus software/firewall, on your server? If possible, try to disable it temporarily and check the result.

    Besides, try to re-enable the VPN function via the WSE built-in Anywhere Access wizard and check the result. Also, in general, it is recommended to patch the system fully with Windows Update/Hotfix; it would be helpful for resolving some known issues and improving the performance.

    If you want to have further identification about the VPN problem, detailed package tracing and log file collection/analysis might be necessary.

    Best Regards,
    Eve Wang


    Wednesday, June 26, 2019 7:09 AM
    Moderator
  • Hi,

    How are things going on this issue?

    Please let me know if you would like further assistance.

    Best Regards,
    Eve Wang 


    Friday, June 28, 2019 3:27 AM
    Moderator
  • Hi,

    Is there any update?

    Best Regards,
    Eve Wang


    Monday, July 1, 2019 3:35 AM
    Moderator
  • Hi Keat63, 

    Not sure if this helps, but with the stock configuration on Windows 10 you generally need to edit the PPTP connection properties under the Security tab to "Allow these security protocols" and check Microsoft CHAP version 2.

    If not configured, I generally see the error message you posted above, "The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile."

    which is telling you that the method you are using to authenticate is in conflict, not necessarily the user or password.

    The Win10 wizard defaults to EAP I believe so this usually resolves it for me connecting to older setups. 

    In all honesty PPTP is dead and insecure, though. You should place an SSL cert on that machine and use SSTP if your clients are Windows based.

    My guess is there is a script running in tasks that is firing a security audit and enforcing policy on these accounts after you create them.

    The other option is to nuke your VPN config and use the Essentials wiz to re-set it up, as it will write all the network policy server configs and ACLs.

    But on the security side the WatchGuard SSL client is a better option all around and can be connected via LDAP if you expand to more users.

     


    • Edited by Pgariepy Wednesday, July 3, 2019 5:37 PM wrong name lol
    Wednesday, July 3, 2019 5:36 PM