none
2012 Essentials VPN error 812 - RAS/VPN Authentication method

    Question

  • Greetings,

    I am trying to solve an issues with a clients new 2012 Essentials Server. 

    2012 Essentials Server VPN was working just fine the stopped and now having 812 error for remote client trying to VPN. RemoteWebAccess via browser to just look at files, etc works fine. Only VPN fails.

    Have ran a repair on the Remote Setup on Server with no change. Checked for updates and rebooted the server, no change.

    As all the setup is done via a Wizard, not sure what could be the issue. I have ran tracing and have captured logs if that would help.

    Friday, February 22, 2013 7:17 AM

All replies

  • Have you rebooted the router?

    Have you checked the event logs of the server?

    Did you use UPnP on the router?

    Did the IP of the Essentials server change?


    Robert Pearman SBS MVP
    itauthority.co.uk | Title(Required)
    Facebook | Twitter | Linked in | Google+

    Friday, February 22, 2013 9:20 AM
    Moderator
  • Router reboot - no

    I will look at the logs of the server but I did enable tracing and have that log on the client side if that would help

    UPnP no I don't believe so - it is a sonicwall device and I couldn't find that it was UPnP compatible, but this was working before for over 1 month

    IP was static and I don't believe it has changed but will check. I can use remote access wia web to upload download etc, just not full VPN.

    Thanks for the reply

    Friday, February 22, 2013 9:19 PM
  • Was the connection on the client configured by the connector software, or did you hand create it? The reason I ask, the SSTP protocol requires MS-CHAPv2 or EAP based authentication, make sure your connection settings comply, see below:

    Error Code: 812

    Error Description:

    812: The connection was   prevented because of a policy configured on your RAS/VPN server.   Specifically, the authentication method used by the server to verify your   username and password may not match the authentication method configured in   your connection profile. Please contact the Administrator of the RAS server   and notify them of this error.

    Possible Causes: One   of the prime causes for the above error  is: when the *only* allowed   authentication protocol configured on VPN server (or Radius server) is MS-CHAP   and the VPN client is Vista or above OS platform (like Windows7). Note: due   to security reasons MS-CHAP was removed from Vista and above OS platform and   hence the connection fails.

    Error 812 comes when   Authentication protocol is set via NPS (Network Policy and Access Services).

    Event log 20276 is logged   to the event viewer when RRAS based VPN server authentication protocol   setting mismatches which that of the VPN client machine.

    Possible Solution: Configure   a more secured authentication protocol like MS-CHAPv2 or EAP based   authentication on the server – which matches the settings on the client side.

    Friday, February 22, 2013 10:15 PM
  • MaxSteve - it was created by the connector software, I also have one on my laptop whic was created by my domain connector software which I just changed the domain name and which was also working fine. I have looked at the NAP policies on the server and they are all the same as on my working Essentials server, basically all 'auto'
    Saturday, February 23, 2013 12:01 AM
  • Try changing the settings on the client VPN connection and make sure it is set like below:

    Type of VPN: Secure Socket Tunneling Protocol (SSTP)

    Check "Allow these protocols"

    Check "Microsoft CHAP Version 2 (MS-CHAP v2)"

    Saturday, February 23, 2013 4:13 AM
  • Jeff and Steve,

    Like Jeff my previously working VPN connection has stopped working with the 812 error.  Not sure where to go from here.  Created new connectoid with Steve's suggestion and still the error persists.

    James

    Sunday, February 24, 2013 10:35 PM
  • Ok, are you able to reproduce this issue with multiple users? I know that I have trouble connecting to the VPN if I use the configured Domain Admin user that is created at build time.
    Monday, February 25, 2013 1:56 PM
  • Yes, affects multiple users for me, both Admin and non-admin. Next chance I get I will verify the VPN connection settings, but they look awful familiar :(
    Tuesday, February 26, 2013 3:19 PM
  • So another follow up, partial success. By unchecking all protocols EXCEPT MSCHAPv2 I can get the VPN to work, but only if I just go to NSS while logged in and connect to that network while on my primary connection. If I do a switch user (windows 8) and attempt login via network icon that way, it fails and gives me the 'no logon server available to process your request' error. Will have my client try the same on his non-admin machine and post back.
    Tuesday, February 26, 2013 7:08 PM
  • So that worked for my client but I noticed something else. On the network connection host name, the name was set to the domain url of his company email domain = companyname.com When we switched it to the localdomainname.remotewebaccess.com at first it wouldn't resolve. NSLOOKUP didn't work either so I checked the dns settings for the wireless adapter he was using to connect while at home and it was static to the internal server. Changed to automatic and boom, worked instantly.

    Now this was all done by connecting manually from the network connections page. Next we tried using the prescribed method by MS of switch user > login via network icon at the lower left of the page............this failed. Upon rechecking our previous steps we found that doing this changed the network adapters host name again which made it fail. So we had to log back in as an admin, change the adapter setting back to the remotewebaccess.com host entry and leave it alone.

    Seems this has something to do with the connect computer wizard and the setup it does for VPN, etc.

    Truth be told I think that connecting manually via the network connections page is easier than the switch user method, but I'm not a regular user and know my way around. Sure would like to see this ironed out as the funtionality when working properly is exactly what the client needs short of running his point of sale program remotely :)

    If anyone else has further solutions especially those of you at Microsoft, I'd love to hear them.

    Wednesday, February 27, 2013 6:21 PM
  • I Fixed this issue by adding an IP range to the clients.

    I'm currently not near my server to check but.

    Server manager > remote access > right mouse on svr > Remote access management > configuration ( left top ) > right panel "vpn"  Open RRAS management >

    routing remote access > right click server name > go to ipv4 and put in a static adress pool.

    Maybe its possible to go straight to Routing remote access, but i can't find it.

    This fixed my 812 error

    Friday, March 01, 2013 2:32 PM
  • Ah, yes, I assumed that both gentlemen above had previously added a DHCP IP range, since they both indicated that the VPN connection had previously worked.

    Saturday, March 02, 2013 8:27 PM