Welcome to ISAserver.org

RE: vpn authentication problem

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Firewall] >> VPN >> RE: vpn authentication problem

Page: << < prev 1 [2]

Message

<< Older Topic Newer Topic >>

RE: vpn authentication problem - 10.Jun.2005 12:50:00 AM

ClintD

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline

So it's failing when ISA tries to perform pass through authentication (the DsCrackName is an RPC call to the DC) - is there anything in the Event Viewer indicating a problem on the ISA Server? Check both System and Security logs. Are you Domain Controllers running Win2003? Do they have Service Pack 1 installed?

If so, have you installed ISA 2004 Service Pack 1?

(in reply to terryb)

Post #: 21

Featured Links*

RE: vpn authentication problem - 11.Jun.2005 3:46:00 AM

heosuavina

Posts: 6
Joined: 17.Jan.2005
From: asdf
Status: offline

HI clindt
Now, i can conect by username administrator but i can not conect by user test. And when i make conection if i use administrator@mydomain.com so i can not conect too.
i don't known what's happent?
can you explain to me?
thanks.

(in reply to terryb)

Post #: 22

RE: vpn authentication problem - 13.Jun.2005 2:04:00 AM

theRob

Posts: 103
Joined: 31.Aug.2003
From: The Netherlands
Status: offline

If you have windows xp sp2, then the problem is that with ipsec\l2tp connection behind nat are not supported, to fix this problem, adding the following registry key:

1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec
3. On the Edit menu, point to New, and then click DWORD Value.
4. In the New Value #1 box, type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
5. Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
6. In the Value Data box, type one of the following values: � 0 (default)
A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind network address translators.
� 1
A value of 1 configures Windows so that it can establish security associations with servers that are located behind network address translators.
� 2
A value of 2 configures Windows so that it can establish security associations when both the server and the Windows XP SP2-based client computer are behind network address translators.

7. Click OK, and then quit Registry Editor.
8. Restart the computer.

See article:

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B818043

I had the same issue as you did. After this fix everything worked fine.

Regards,

Rob

(in reply to terryb)

Post #: 23

RE: vpn authentication problem - 13.Jun.2005 4:46:00 AM

ClintD

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline

That's not the issue - he's is failing the user authentication piece - L2TP/IPSec must be online first before user authentication can take place.

As he said in his last post - he can connect with Administrator, but not other accounts so this rules out the AssumeUDPEncapsulation... registry entry.

We'd need to see the IASSAM log from the time the Administrator connects vice when the test user attempts to connect.

(in reply to terryb)

Post #: 24

RE: vpn authentication problem - 16.Jun.2005 4:57:00 AM

Andy2Long

Posts: 16
Joined: 7.Oct.2003
From: Torrance, CA
Status: offline

You might also try this KB article's fix:

How to force Kerberos to use TCP instead of UDP in Windows Server 2003, in Windows XP, and in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q244474

I have not tried this myself as I was unsure from the article whether to apply the REG fix to the server, client, ISA, or all.

Andy

(in reply to terryb)

Post #: 25