Users no longer authenticate on W2k-svr


Jutta Kullmann

Hi,

I have a W2k-svr configured for VPN using RAS. I used to
be able to make PPTP connections, but all of a sudden all
my users get an error message:

Error 691: Access was denied because the username and/or
password was invalid on the domain

I retyped all passwords, but it still fails.

I don't even know where to start looking?

Thanks for any advice.
Jutta
 
If the rras server is a domain computer make sure it still has connectivity to the
domain controller in that it can ping it by fully qualified domain name such as
dc1.mydomain.com. I would also run netdiag on it from the support tools on the
install cdrom in the support/tools folder where you will have to run the setup to
install them. Look for any failed tests such as dns, dc discovery, kerberos, or
domain membership/secure channel that would indicate a problem. Usually the problem
may be dns related in that domain members need to point to the domain controllers
only as their preferred dns server. There is also a security option that, if changed
on the rras server, can cause a problem. Open Local Security Policy and go to
security settings/local policies/security options and make sure that the "effective"
setting for lan manager authentication level is NOT - "send ntlmv2 responses only -
refuse ntlm and lm". Setting to send ntlmv2 responses only is a good setting in a W2K
domain. --- Steve
 
Thanks for your reply.

The W2k server is a standalone server which is used for
testing. No Active Directory is configured. I also
noticed, that when just using the RUN option [\\IP address
c$] and I get a login prompt, I also cannot logon. The
error I get is: Logon failure: the user has not been
granted the requested logon type at this computer.
When I login with a user locally, the same username and
password works. It seems like remote logon is somehow
disabled.

Thank you,
Jutta


 
Prefix the username with the target machinename.

ex. User: machinename\username
Password: *******

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

 
Even if the computer is not part of a domain the suggestion I made about checking lan
manager authentication level still is appropriate. Otherwise the error you mention
relates to a user not having the user right for logon locally. Open Local Security
Policy and go to security settings/local policies/user rights and make sure
administrators and users are in the "access this computer from the network" user
right and that there is no entry in the "deny access to this computer from the
network" as entries there will override the allow user rights. I would also enable
auditing of logon events on that server and then view the logs in Event Viewer
[system and security] which may show that the users are being denied access and for
what reason. --- Steve

http://www.microsoft.com/resources/...wsserv/2003/datacenter/proddocs/en-us/518.asp
-- security log events for logon events.
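The two checks Steve describes (the LAN Manager authentication level, and the "access this computer from the network" / "deny access to this computer from the network" user rights, where a deny entry overrides an allow) plus his suggestion to audit logon events can be scripted rather than clicked through. The following is an added example, not code from the thread or from Microsoft: it parses a policy export in the format produced by `secedit /export /cfg <file>` and a tab-delimited Event Viewer save-as-text export. Both inputs here are constructed samples, the deny entry and the level-5 setting are deliberately set to the "bad" values the thread warns about, and the column order assumed for the event export (Date, Time, Source, Type, Category, Event, User, Computer) is an assumption to adjust for a real export.

```python
"""Offline audit of a W2K/W2K3 RRAS server's local logon settings.

Reads (1) a secedit-style policy export and flags the settings the
thread blames for PPTP / network logon failures, and (2) a security-log
export and counts failed logons by reason (Windows 2000/2003 event IDs).
"""

# Constructed sample of a `secedit /export /cfg` file (not from the thread).
# Users are allowed network logon but ALSO denied it, and LmCompatibilityLevel
# is 5 ("send NTLMv2 only / refuse LM & NTLM"), the value Steve says to avoid.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeDenyNetworkLogonRight = *S-1-5-32-545
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,5
"""

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known local Administrators group
USERS_SID = "S-1-5-32-545"            # well-known local Users group
LM_KEY = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel"
LM_LEVELS = {0: "Send LM & NTLM", 1: "Send LM & NTLM, NTLMv2 session security",
             2: "Send NTLM only", 3: "Send NTLMv2 only",
             4: "Send NTLMv2 only / refuse LM", 5: "Send NTLMv2 only / refuse LM & NTLM"}


def parse_inf(text):
    """Parse the [Section] / key=value layout of a secedit export into dicts."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def sids(value):
    """Privilege values are comma-separated entries; SIDs carry a '*' prefix."""
    return {item.strip().lstrip("*") for item in value.split(",") if item.strip()}


def audit_policy(text):
    """Return the effective LM level (None if not set) and a list of findings."""
    inf = parse_inf(text)
    rights = inf.get("Privilege Rights", {})
    allow = sids(rights.get("SeNetworkLogonRight", ""))
    deny = sids(rights.get("SeDenyNetworkLogonRight", ""))
    findings = []
    for name, sid in (("Administrators", ADMINISTRATORS_SID), ("Users", USERS_SID)):
        if sid not in allow:
            findings.append(f"{name} missing from 'Access this computer from the network'")
        if sid in deny:   # a deny entry wins over the allow right
            findings.append(f"{name} present in 'Deny access to this computer from the network'")
    raw = inf.get("Registry Values", {}).get(LM_KEY)   # stored as "<type>,<value>"
    level = int(raw.split(",")[1]) if raw else None
    if level == 5:
        findings.append(f"LmCompatibilityLevel=5 ({LM_LEVELS[5]}) refuses NTLM-only clients")
    return {"lm_level": level, "findings": findings}


# Windows 2000/2003 security-log event IDs for failed logons.
LOGON_FAILURE_EVENTS = {
    529: "unknown user name or bad password",
    530: "logon time restriction violation",
    531: "account currently disabled",
    533: "user not allowed to log on at this computer",
    534: "user has not been granted the requested logon type at this machine",
    539: "account locked out",
}

# Constructed lines in the assumed tab-delimited export layout:
# Date, Time, Source, Type, Category, Event, User, Computer
SAMPLE_EVENTS = """\
2004-03-01\t09:12:01\tSecurity\tFailure Audit\tLogon/Logoff\t534\tNT AUTHORITY\\SYSTEM\tW2KSVR
2004-03-01\t09:12:05\tSecurity\tFailure Audit\tLogon/Logoff\t529\tNT AUTHORITY\\SYSTEM\tW2KSVR
2004-03-01\t09:12:09\tSecurity\tFailure Audit\tLogon/Logoff\t534\tNT AUTHORITY\\SYSTEM\tW2KSVR
2004-03-01\t09:13:00\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tJUTTA\tW2KSVR
"""


def summarize_failures(export):
    """Count Failure Audit logon events by the reason their event ID encodes."""
    counts = {}
    for line in export.splitlines():
        fields = line.split("\t")
        if len(fields) < 6 or fields[3] != "Failure Audit":
            continue
        reason = LOGON_FAILURE_EVENTS.get(int(fields[5]), "other logon failure")
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_INF)["findings"]:
        print("FINDING:", finding)
    for reason, n in summarize_failures(SAMPLE_EVENTS).items():
        print(f"{n} x {reason}")
```

On the sample the audit reports the Users deny entry and the level-5 setting, and the log summary shows two 534 events, the same "has not been granted the requested logon type" failure Jutta saw at the logon prompt, which is exactly the pattern that points at the user-rights assignment rather than at a wrong password (529).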


 
Thank you Steven, the user rights setting in the Local
Security Policy did it. I don't know why this would have
been blank, since I didn't change it and all used to work
before. Nobody is really using this server other than for
outbound remote access?

Now my PPTP clients authenticate and connect, however my
routed connection from my R9100 Netopia router doesn't. It
authenticates but it seems to fail on IP, when I am trying
to establish the connection from the router. When I am
establishing the connection from the RAS server, all is
working and I can ping LAN to LAN.

Any thoughts on this one?

Thanks,
Jutta


 