VPN Not authenticating

  • Thread starter Thread starter Jeff
  • Start date Start date
J

Jeff

I have set up a VPN connection to our network. The VPN
server sits on an ISA server and is not a domain
controller. If I VPN in with my user name and password and
our domain name I can connect with no problem (I am a
domain admin). I can see our internal network and access
all resources. I added another domain user to the VPN
group I set up (i have given this group access permisions
on the RAS server, right now this group is the only policy
I have) but when this user tries to authenicate it gives
me a 649 - You do not have dial-in permission. If I set
this user up as a local user on the VPN server and VPN in,
I can connect, but cannot access any domain resources
because I have to use the vpn server name as the logon
domain. There is no Dialin tab in Active directory User
and Computers and I am controlling access by group policy.
The only thing I can possible see, is that my user name is
admin and on the VPN server there is a local user named
admin with administrator priviligies but again this is on
the local machine and I am able to logon and authenticate
on the domain.
Any ideas
Thanks,
Jeff
 
Your VPN server is not a domain controller, but is it a domain member?

If it is a standalone server, you will have to authenticate to its own
local SAM database. If it is a domain member, you can join it the the Domain
IAS and RAS Server group, and you can then authenticate to AD. The RRAS
server passes the authentication on to a DC (rather like RADIUS does to a
RADIUS server).
 
It is a member of the IAS and RAS group.

-----Original Message-----
Your VPN server is not a domain controller, but is it a domain member?

If it is a standalone server, you will have to authenticate to its own
local SAM database. If it is a domain member, you can join it the the Domain
IAS and RAS Server group, and you can then authenticate to AD. The RRAS
server passes the authentication on to a DC (rather like RADIUS does to a
RADIUS server).




.
Click to expand...
 
If you are authenticating to AD, the user will be granted or denied access
according to the remote access policy. To allow access based on membership
of a particular group, you need to add a new remote access policy (or modify
an existing policy) to allow access based on group membership. ie add the
condition <Windows-Groups matches "Group Name"> and select the "Grant
remote access permission" radio button.
 
Back
Top