Welcome to ISAserver.org


Windows 2003 IAS Server + NTLMv2 authentication + Remote user log in error

Windows 2003 IAS Server + NTLMv2 authentication + Remot... - 21.Dec.2007 1:27:21 PM
mrSinister

 

Posts: 1
Joined: 21.Dec.2007
Status: offline
Hello all

At this point all, I am very frustrated. Here is the eternal source of my frustration.

I have a Cisco firewall (Radius Client), talking to a Windows 2003 Enterprise Edition Domain Controller which is currently running in Windows 2003 (IAS server) domain functional level. I am trying to authenticate remote users using the IAS feature on the 2k3 box. The Radius Client (Firewall) is talking to the Windows 2003 server; this has been established because of the errors I am getting in the Event Viewer logs.

 
The remote access policy allows users of the VPN group access and the Dial in Properties of users are configured to use Remote access Policy in order to grant permission.
 
Something to note here, the Windows 2003 IAS server is also MY domain controller.

I came across several posts and MS KB articles that talk about MS-CHAPv1 and MS-CHAPv2 only being compatible with NTLMv1 and Windows 2003 by default using NTLMv2. So, I went through the regedit that MS says will fix the issue from: http://support.microsoft.com/kb/893318. This didn't help.

I also created a new GPO on the 2k3 box under Network Security: LAN Manager authentication level properties to use NTLMv2 responses only. I have also made sure that my clock is in sync with the Radius Client (firewall).

 
I have also enabled tracing the IAS log files using the netsh command utility. Here is the log:
 
[1620] 12-21 11:09:17:843: NT-SAM Names handler received request with user identity MyDomain\Myusername.
[1620] 12-21 11:09:17:843: Username is already an NT4 account name.
[1620] 12-21 11:09:17:843: SAM-Account-Name is "Mydomain\MyUsername".
[1620] 12-21 11:09:17:843: NT-SAM Authentication handler received request for MyDomain\Myusername.
[1620] 12-21 11:09:17:843: Processing MS-CHAP v2 authentication.
[1620] 12-21 11:09:17:906: LogonUser failed: Logon failure: unknown user name or bad password.


Here is the Event Log:

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date:  12/21/2007
Time:  11:09:17 AM
User:  N/A
Computer: Axxxxxxxx
Description:
User MyDomain\MyUsername was denied access.
Fully-Qualified-User-Name = MyDomain\MyUsername
NAS-IP-Address = 10.x.x.x
NAS-Identifier = <not present>
Called-Station-Identifier = x.x.x.x
Calling-Station-Identifier = x.x.x.x
Client-Friendly-Name = firewall
Client-IP-Address = 10.x.x.x
NAS-Port-Type = <not present>
NAS-Port = 180
Proxy-Policy-Name = Allow Access if dial in permission enabled
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = MS-CHAPv2
EAP-Type = <undetermined>
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 07 80               ...?   


Can anyone shed some light on this matter? Thank you very much.
Post #: 1
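
A way to triage denials like the one posted above, as an added example that is not part of the original thread: it parses the IAS Event ID 2 description and the netsh trace lines into fields, so the authentication type, reason code and failing step can be compared across many events. The sample text is constructed from the shape of the logs in the post, and the function names are hypothetical.

```python
import re

# Constructed sample: a trimmed copy of the event text and trace lines in the post.
EVENT = """\
User MyDomain\\MyUsername was denied access.
Fully-Qualified-User-Name = MyDomain\\MyUsername
NAS-Identifier = <not present>
Policy-Name = <undetermined>
Authentication-Type = MS-CHAPv2
Reason-Code = 16
"""
TRACE = """\
[1620] 12-21 11:09:17:843: NT-SAM Authentication handler received request for MyDomain\\Myusername.
[1620] 12-21 11:09:17:843: Processing MS-CHAP v2 authentication.
[1620] 12-21 11:09:17:906: LogonUser failed: Logon failure: unknown user name or bad password.
"""

ABSENT = {"<not present>", "<undetermined>"}  # placeholders seen in the event for empty attributes
TRACE_RE = re.compile(r"^\[(\d+)\] (\d\d-\d\d \d\d:\d\d:\d\d:\d{3}): (.*)$")

def parse_event(description):
    """Turn the 'Name = Value' lines of an event description into a dict."""
    fields = {}
    for line in description.splitlines():
        name, sep, value = line.partition(" = ")
        if sep:  # the leading 'User ... was denied access.' line has no separator
            value = value.strip()
            fields[name.strip()] = None if value in ABSENT else value
    return fields

def parse_trace(text):
    """Return (thread_id, timestamp, message) for each well-formed trace line."""
    matches = (TRACE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groups() for m in matches if m]

def triage(description, trace):
    """Summarise one denial: user, protocol, reason code, failing trace step."""
    ev = parse_event(description)
    code = ev.get("Reason-Code")
    return {
        "user": ev.get("Fully-Qualified-User-Name"),
        "auth_type": ev.get("Authentication-Type"),
        "reason_code": int(code) if code else None,
        "policy_matched": ev.get("Policy-Name") is not None,
        "failed_steps": [t for t in parse_trace(trace) if "failed" in t[2].lower()],
    }

if __name__ == "__main__":
    print(triage(EVENT, TRACE))
```
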
RE: Windows 2003 IAS Server + NTLMv2 authentication + R... - 21.Dec.2007 7:53:07 PM
Jason Jones

 

Posts: 2137
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
http://blogs.isaserver.org/shinder/2006/05/17/ntlmv2-and-isa-firewall-vpn-services-the-solution/

_____________________________

Jason Jones (MVP)

Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/

Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to mrSinister)
Post #: 2
RE: Windows 2003 IAS Server + NTLMv2 authentication + R... - 21.Dec.2007 7:55:18 PM
Jason Jones

 

Posts: 2137
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Ah sorry, just re-read your post and noticed you have applied the hotfix...

(in reply to Jason Jones)
Post #: 3
