Error 930 connecting via VPN to a member server, to a DC works fine


Alexandre Wendt Shima

Hi,

I'm having a problem while trying to connect via VPN to a member server.
I'm getting an "Error 930: The authentication server did not respond to
authentication requests in a timely fashion" message in the client and at
the server's event log.
I have found two articles in Microsoft KB pointing to possible solutions to
this problem, but none of them worked:

Error Message: Error 930; The Authentication Server Did Not Respond to
Authentication Requests in a Timely Fashion
http://support.microsoft.com/?kbid=299684

And

Routing and Remote Access Server Stops Authenticating Dial-Up Networking
Clients
http://support.microsoft.com/defaul...port/kb/articles/Q227/7/47.ASP&NoWebContent=1

I have made two tests to isolate the problem, and in both situations the VPN
works:

1) I have promoted the member server to a DC for my existing Domain, VPN
works fine
2) I have promoted the member server to a DC for a new Domain, VPN works
fine

I can't figure out why the member server cannot authenticate the users in my
Domain.

Can anyone help me?

Thanks a lot,

Alexandre
 
Make sure the member VPN server is only pointing at the DNS server that hosts the AD DNS zone. Otherwise it may be having difficulty finding a DC to
authenticate against. Additionally, make sure that you are passing the domain name in the logon request from the client.

Thank you,
Mike Johnston
Microsoft Network Support

--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.
 
Also take a look at 826899 "Error 930" Error Message When You Use a VPN Connection to Log On to a
http://support.microsoft.com/?id=826899.

Thank you,
Mike Johnston
Microsoft Network Support

 
Hi Mike

The server is using the right DNS server, it's one installed on a DC (with
AD integrated zone).
I'm passing the domain in the logon request too.
Everything else that needs authentication is working fine on this server
(local login, network, shares, web sites requiring authentication).

The server has a brand new installation with all the patches and service
packs installed and nothing else.
The server account in the domain belongs to the "RAS and IAS Servers" group.

Do you know a way to log what is happening behind this process to help
isolate the problem (RRAS log, AD log, etc)?

Thanks a lot!

Alexandre


Michael Johnston said:
Make sure the member VPN server is only pointing at the DNS server that
hosts the AD DNS zone. Otherwise it may be having difficulty finding a DC
to
authenticate against. Additionally, make sure that you are passing the
domain name in the logon request from the client.
Thank you,
Mike Johnston
Microsoft Network Support
rights. Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
Hi Mike,

This is what is happening at the domain controller.
Every group of information below is a security event on the domain
controller's Security Log (all Success Audit, there were no failure audits).
You can see all the login process here (tickets, etc).
I don't know what's wrong yet... :(

FW1 is the VPN server.
DOMINIO3 is the DC.

Thanks again,

Alexandre




Account Used for Logon by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Account Name:
Shima
Workstation:

Account Used for Logon by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Account Name:
Shima
Workstation:

Successful Network Logon:
User Name: FW1$
Domain: DOMAIN
Logon ID: (0x0,0xA2B3EF)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:

User Logoff:
User Name: FW1$
Domain: DOMAIN
Logon ID: (0x0,0xA2B3EF)
Logon Type: 3

Authentication Ticket Granted:
User Name: FW1$
Supplied Realm Name: DOMAIN
User ID: DOMAIN\FW1$
Service Name: krbtgt
Service ID: DOMAIN\krbtgt
Ticket Options: 0x40810010
Ticket Encryption Type: 0x17
Pre-Authentication Type: 2
Client Address: 192.168.20.14

Service Ticket Granted:
User Name: FW1$
User Domain: DOMAIN
Service Name: DOMINIO3$
Service ID: DOMAIN\DOMINIO3$
Ticket Options: 0x40810010
Ticket Encryption Type: 0x17
Client Address: 192.168.20.14

Successful Network Logon:
User Name: FW1$
Domain: DOMAIN
Logon ID: (0x0,0xA2B408)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:

User Logoff:
User Name: FW1$
Domain: DOMAIN
Logon ID: (0x0,0xA2B408)
Logon Type: 3





Michael Johnston said:
Also take a look at 826899 "Error 930" Error Message When You Use a VPN Connection to Log On to a
http://support.microsoft.com/?id=826899.

Thank you,
Mike Johnston
Microsoft Network Support
rights. Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
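
Added example, not part of the thread: a small parser for the event layout pasted in the post above, grouping the events by account so the VPN server's machine-account (FW1$) Kerberos traffic can be told apart from events that name the dialing user. The function names are assumptions made for this illustration, and SAMPLE is a shortened excerpt of the posted events.

```python
import re
from collections import Counter, defaultdict

# Shortened excerpt of the events pasted in the post above.
SAMPLE = """\
Account Used for Logon by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Account Name:
Shima
Workstation:

Successful Network Logon:
User Name: FW1$
Domain: DOMAIN
Authentication Package: Kerberos

Authentication Ticket Granted:
User Name: FW1$
Service Name: krbtgt
Client Address: 192.168.20.14
"""

def parse_events(text):
    """Split the dump on blank lines; return one dict per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, last_key = {}, None
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # "Key: value", or "Key:" with the value on the next line
                last_key = key.strip()
                fields[last_key] = value.strip()
            elif last_key and line.strip():  # wrapped value such as "Shima"
                fields[last_key] = line.strip()
        if fields:
            fields["_event"] = next(iter(fields))  # first key names the event
            events.append(fields)
    return events

def events_per_account(events):
    """Map each account name to a Counter of the event types that mention it."""
    summary = defaultdict(Counter)
    for ev in events:
        account = ev.get("User Name") or ev.get("Account Name") or "(none)"
        summary[account][ev["_event"]] += 1
    return dict(summary)

if __name__ == "__main__":
    for account, kinds in events_per_account(parse_events(SAMPLE)).items():
        print(account, "(machine)" if account.endswith("$") else "(user)", dict(kinds))
```

On the excerpt, the user account appears only in the "Account Used for Logon by" event, while the network logon and ticket events all belong to FW1$.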
 