CHAP on RRAS VPN Fails to authenticate

  • Thread starter: David Hodgson

David Hodgson

Folks,

I have a Windows 2000 PPTP VPN set up, and I want it to only allow CHAP
authentication. I have a local user set up on the same machine.

All Windows 2000 clients cannot connect to PPTP using CHAP; if I set up both
the server and client to use MS-CHAP then it works fine.

This is a test rig for a UNIX machine which will be the client; this is why
I need CHAP. The VPN sits on a DMZ and is not part of the domain.

I have done the following:

-------------------------
on Server

RRAS

right click "server-name"
select "properties"
select "Security Tab"
select "Authentication Methods"
remove MS-CHAP and MS-CHAPv2
select CHAP

Verified that user doesn't use any RRAS policies
---------------------------------------------

on Client

VPN Dialup

properties
security tab
Select Advanced
select Settings
remove MS-CHAP and MS-CHAPv2
select CHAP

----------------------------------------------

Have I missed anything???

thanks
Dave
 
You should enable "Store Passwords using reversible encryption" on your user
accounts.

This setting might be with the user properties or with either of the below:
the Local Security Policy->Password Policy
Domain Security Policy->Password Policy
 
That never worked.

Do I need to re-create the user?

I have rebooted the machine and in the local security policy "Store
Passwords ......." is now enabled.

Dave
 
You need to reset the password of the user
or
change the user account option to change password on next logon

This should work.
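
Why the account needs reversible password storage before CHAP can succeed, as an added example that is not part of the original thread: RFC 1994 CHAP computes MD5 over the identifier, the shared secret and the challenge, so the server must be able to recover the cleartext password. The store classes, the user name and password, and the SHA-256 stand-in for a one-way stored hash are assumptions made for the illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ReversibleStore:
    """Hypothetical account store that can recover the cleartext password."""

    def __init__(self):
        self._secrets = {}

    def set_password(self, user: str, password: str) -> None:
        self._secrets[user] = password.encode()

    def material(self, user: str) -> bytes:
        return self._secrets[user]


class HashOnlyStore(ReversibleStore):
    """Hypothetical store keeping only a one-way hash (SHA-256 as a stand-in)."""

    def set_password(self, user: str, password: str) -> None:
        self._secrets[user] = hashlib.sha256(password.encode()).digest()


def server_verify(store, user, identifier, challenge, response) -> bool:
    # The server can only feed whatever it has stored into the CHAP formula.
    expected = chap_response(identifier, store.material(user), challenge)
    return hmac.compare_digest(expected, response)


def demo():
    identifier, challenge = 1, os.urandom(16)  # constructed sample exchange
    reversible, hash_only = ReversibleStore(), HashOnlyStore()
    for store in (reversible, hash_only):
        store.set_password("dave", "constructed-password")
    # The client always knows the cleartext password.
    good = chap_response(identifier, b"constructed-password", challenge)
    bad = chap_response(identifier, b"wrong-password", challenge)
    return (
        server_verify(reversible, "dave", identifier, challenge, good),
        server_verify(hash_only, "dave", identifier, challenge, good),
        server_verify(reversible, "dave", identifier, challenge, bad),
    )


if __name__ == "__main__":
    print(demo())  # (reversible store, hash-only store, wrong password)
```

A reversibly stored password is equivalent to cleartext for anyone who can read the account database, which is the cost of enabling this setting. The reversible copy is only written when a password is set, which is why the existing account kept failing until its password was reset.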
 
Hi Manjari,

I reset the password and it now passes authentication, thank you, but I now
get the following error....

Error 741: The local computer does not support the required data encryption
type.

I have made sure that "Optional Encryption (connect even if no encryption)"
is selected on the client. I have also looked at the server and can't see
where I would select such an option.

thanks again
Dave
 
Hi Manjari,

Thank you for your help. I have now found the culprit, a remote access policy
with "No Encryption" de-selected.

Although the user does not use a remote access policy it must have some
effect.

Thank you
Dave
 