Welcome to ISAserver.org

VPN Authentication Problem

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA 2006 Firewall] >> VPN >> VPN Authentication Problem

Page: [1]

Message

<< Older Topic Newer Topic >>

VPN Authentication Problem - 23.Jul.2008 1:50:21 PM

itsallwright

Posts: 6
Joined: 13.Mar.2008
Status: offline

I have 2 NLB ISA 2006 Ent servers in an array running Windows Server 2003 R2 SP2 and joined to the domain. When I try to VPN in, authentication takes a really long time if it works at all (sometimes it times out).

VPN configuration:
- VPN is enabled
- Assigned a domain group with vpn users as members.
- Both PPTP and L2TP are selected for Protocols.
- User Mapping is unchecked.

- External network selected under access networks.
- Address Assignment is set to Static Pool.
- Authentication is set as MS-CHAPv2.
- No RADIUS selected.

In the System log on the ISA server that handled the request, I see several of the following events.

Event Type: Warning
Event Source: RemoteAccess
Event Category: None
Event ID: 20189
Date:  7/23/2008
Time:  12:33:57 PM
User:  N/A
Computer: ISAServer
Description:
The user <Domain>\<UserName> connected from x.x.x.x but failed an authentication attempt due to the following reason: Authentication was not successful because an unknown user name or incorrect password was used.

In the Security log of the Domain Controller (Server 2008 x64), I see several of these events.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/23/2008 12:34:12 PM
Event ID:      4776
Task Category: Credential Validation
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      DC.mydomain.com
Description:
The domain controller attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: <UserName>
Source Workstation:
Error Code: 0xc000006a

I researched the error code listed above and it means:
0xC000006A - The value provided as the current password is not correct

The previous events are followed by the following single event upon success (if it doesn't time out).

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/23/2008 12:34:12 PM
Event ID:      4776
Task Category: Credential Validation
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      DC.mydomain.com
Description:
The domain controller attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: <UserName>
Source Workstation:
Error Code: 0x0

If I use a local account on the ISA server, it works almost instantly as expected.

Any suggestions to a solution would be greatly appreciated.

Thanks,
Jay

Post #: 1

Featured Links*

RE: VPN Authentication Problem - 24.Jul.2008 7:49:59 PM

itsallwright

Posts: 6
Joined: 13.Mar.2008
Status: offline

OK, more info... I just discovered that VPN authentication works instantly as expected when I go to the primary external IP of either ISA server. It only shows these symptoms when I go to the load balanced IP.

I tried disabling network load balancing integration and it still worked to the external IP (obviously not to the NLB IP) on both servers. I then enabled NLB again and still have the same symptom I started with.

Any idea what might be wrong with NLB?

Thanks,
Jay

(in reply to itsallwright)

Post #: 2

RE: VPN Authentication Problem - 8.Aug.2008 9:56:39 AM

itsallwright

Posts: 6
Joined: 13.Mar.2008
Status: offline

Does anyone have any suggestions to help me figure this out? I am at a loss. The only thing I can think to do now is to rebuild both ISA servers in the array. I really don't want to do this.

Let me know if I can provide any more details to help troubleshoot this problem.

Thank you,
Jay

(in reply to itsallwright)

Post #: 3