Guest
I have a Windows 2000 VPN server (running ISA 2000) that is a member of a
Windows NT 4.0 domain. I have set up a Windows 2003 Active Directory domain,
running in Native Mode, and I am testing migrating the Windows NT 4.0
accounts to the new domain. The problem is that when I migrate accounts
(with the ADMT) from NT4 to AD, those accounts can no longer be authenticated
by the VPN server. When I try to connect from the client, I receive the
following error:
Verifying username and password...
Error 930: The authentication server did not respond to authentication
request in a timely fashion.
On the VPN server, the following event is logged:
Event ID: 20073
Source: RemoteAccess
Description: The following error occurred in the Point to Point Protocol
module on port: VPN<##>, UserName: <ADDOMAIN\username>. The authentication
server did not respond to authentication requests in a timely fashion.
- In the AD domain, the Everyone group is a member of the Pre-Windows 2000
Compatible group.
- I have set up trusts in both directions between the domains, and have
verified that the trusts are functioning properly.
- The VPN server is configured to use Windows authentication, not RADIUS.
- Accounts in the NT4 domain are still able to authenticate. Accounts that
are able to authenticate to the VPN when they are in the NT4 domain lose
access when they are migrated to the AD domain, so that pretty much rules out
any issues with a mismatch in authentication protocols or configuration on
the user account’s Dial-In tab (although I did verify that dial-in access is
still allowed in the account properties after the migration).
- When the account is migrated, the user profile is also migrated, so the
configuration of the VPN connection must be correct (it was working when the
account was in the NT4 domain).
- The connection protocol is PPTP.
- Before anyone says anything about adding the ISA/VPN server’s account to
the RAS and ISA Servers group in the AD domain, remember that it’s the *user*
that is in the AD domain, whereas the server is in the NT4 domain (and
therefore cannot be added to a Domain Local group in the AD domain).
Based on what I’ve read, my configuration – an AD user connecting to a VPN
server in an NT4 domain using pass-through authentication – should work fine
as long as the Everyone group is in the Pre-Windows 2000 Compatible group in
the AD domain. What am I missing?