
Win2K RAS without Active Directory

Is it possible to use Win2K RAS without Active Directory? We currently are adding Win2K boxes but do not plan to migrate to AD until the summer. We are authenticating to our NT Domains for access. However, when I try to connect to the Win2K RAS box, I get a logon authentication failure. I only have PAP authentication enabled. Any suggestions?
Dan
 
I presume you are using RRAS in Windows 2000 server.
We have been doing that with an NT domain for some time.

I am using MS-CHAP v2 and MS-CHAP as the allowed authentication methods. Works well.

If you still have failures with MS-CHAP, clip the text so we can see the exact failure message.

Are you using Windows clients?
PPTP? or what?

And the answer to Matt's question would be useful too.
Dana
 
We are using dialin only from standard Win XP box with modem (also some Win 98 boxes). When I dial-up, the modem answers; I get a message "authenticating"; then

"Error 691: Access denied because username and/or password is invalid on the domain."

I tried two different accounts and can logon with either to our old RAS server on NT4SP6a.

The old server is a BDC while the new server is Win2K member server.

Any suggestions would be welcomed.
Dan
 
The RRAS server and the domain controller should give you more info in eventvwr. Check them as well.

Did you set it to MS-CHAP authentication yet?
Dana
 
I have tried PAP, MS-CHAP and MS-CHAPv2. I enabled each one at a time on both client and server. I still got the error 691. I also tried enabling all the methods and got the same result. The accounts are enabled for remote access (they can connect to the old RAS server).

Last week, I was getting the following messages in event viewer:
"The user has connected and failed to authenticate on port COM1. The line has been disconnected."
"The user ADMIN\MGRDAN has connected and failed to authenticate on port COM1. The line has been disconnected."
"The user ADMIN\MGRDAN failed an authentication attempt due to the following reason: The user attempted to use an unauthorized authentication method."

In the RRAS log, I was getting:
172.20.2.54,,03/26/2003,15:54:28,RAS,GAB2,44,1,40,8,4108,172.20.2.54,0,,4136,4,4142,0
172.20.2.54,,03/26/2003,15:57:45,RAS,GAB2,44,2,40,7,4108,172.20.2.54,0,,4136,4,4142,0
172.20.2.54,,03/26/2003,16:37:55,RAS,GAB2,44,2,40,8,4108,172.20.2.54,0,,4136,4,4142,0
172.20.2.54,,03/26/2003,16:38:00,RAS,GAB2,44,3,40,7,4108,172.20.2.54,0,,4136,4,4142,0
172.20.2.54,,03/27/2003,08:57:25,RAS,GAB2,44,3,40,8,4108,172.20.2.54,0,,4136,4,4142,0
172.20.2.54,,03/27/2003,08:57:34,RAS,GAB2,44,4,40,7,4108,172.20.2.54,0,,4136,4,4142,0
172.20.2.54,ADMIN\MGRDAN,03/27/2003,09:01:46,RAS,GAB2,6,2,7,1,5,11,61,0,77,0x0D0A434F4E4E4543542033313230302F4152512F5633342F4C41504D2F5634324249530D0A,4108,172.20.2.54,0,,4147,311,4148,MSRASV5.00,4129,ADMIN\MGRDAN,4130,ADMIN\MGRDAN,4127,1,25,311 1 172.20.2.54 03/27/2003 13:57:34 1,4136,1,4142,0
172.20.2.54,ADMIN\MGRDAN,03/27/2003,09:01:46,RAS,GAB2,25,311 1 172.20.2.54 03/27/2003 13:57:34 1,4149,Allow access if dial-in permission is enabled,4127,1,4130,ADMIN\MGRDAN,4129,ADMIN\MGRDAN,4136,3,4142,66
172.20.2.54,ADMIN\MGRDAN,03/27/2003,09:02:45,RAS,GAB2,6,2,7,1,5,11,61,0,77,0x0D0A434F4E4E4543542033313230302F4152512F5633342F4C41504D2F5634324249530D0A,4108,172.20.2.54,0,,4147,311,4148,MSRASV5.00,4129,ADMIN\MGRDAN,4130,ADMIN\MGRDAN,4127,1,25,311 1 172.20.2.54 03/27/2003 13:57:34 2,4136,1,4142,0
172.20.2.54,ADMIN\MGRDAN,03/27/2003,09:02:45,RAS,GAB2,25,311 1 172.20.2.54 03/27/2003 13:57:34 2,4149,Allow access if dial-in permission is enabled,4127,1,4130,ADMIN\MGRDAN,4129,ADMIN\MGRDAN,4136,3,4142,66
172.20.2.54,ADMIN\ddotter,03/27/2003,09:03:47,RAS,GAB2,6,2,7,1,5,11,61,0,77,0x0D0A434F4E4E4543542033313230302F4152512F5633342F4C41504D2F5634324249530D0A,4108,172.20.2.54,0,,4147,311,4148,MSRASV5.00,4129,ADMIN\ddotter,4130,ADMIN\ddotter,4127,1,25,311 1 172.20.2.54 03/27/2003 13:57:34 3,4136,1,4142,0
172.20.2.54,ADMIN\ddotter,03/27/2003,09:03:47,RAS,GAB2,25,311 1 172.20.2.54 03/27/2003 13:57:34 3,4149,Allow access if dial-in permission is enabled,4127,1,4130,ADMIN\ddotter,4129,ADMIN\ddotter,4136,3,4142,65
172.20.2.54,ADMIN\ddotter,03/27/2003,09:05:12,RAS,GAB2,6,2,7,1,5,11,61,0,77,0x0D0A434F4E4E4543542033313230302F4152512F5633342F4C41504D2F5634324249530D0A,4108,172.20.2.54,0,,4147,311,4148,MSRASV5.00,4129,ADMIN\ddotter,4130,ADMIN\ddotter,4127,1,25,311 1 172.20.2.54 03/27/2003 13:57:34 4,4136,1,4142,0
172.20.2.54,ADMIN\ddotter,03/27/2003,09:05:12,RAS,GAB2,25,311 1 172.20.2.54 03/27/2003 13:57:34 4,4149,Allow access if dial-in permission is enabled,4127,1,4130,ADMIN\ddotter,4129,ADMIN\ddotter,4136,3,4142,66
172.20.2.54,ADMIN\MGRDAN,03/27/2003,09:07:27,RAS,GAB2,6,2,7,1,5,11,61,0,77,0x0D0A434F4E4E4543542033313230302F4152512F5633342F4C41504D2F5634324249530D0A,4108,172.20.2.54,0,,4147,311,4148,MSRASV5.00,4129,ADMIN\MGRDAN,4130,ADMIN\MGRDAN,4127,1,25,311 1 172.20.2.54 03/27/2003 13:57:34 5,4136,1,4142,0
172.20.2.54,ADMIN\MGRDAN,03/27/2003,09:07:27,RAS,GAB2,25,311 1 172.20.2.54 03/27/2003 13:57:34 5,4149,Allow access if dial-in permission is enabled,4127,1,4130,ADMIN\MGRDAN,4129,ADMIN\MGRDAN,4136,3,4142,66
172.20.2.54,GAB2\MGRDAN,03/27/2003,09:11:09,RAS,GAB2,6,2,7,1,5,11,61,0,77,0x0D0A434F4E4E4543542033313230302F4152512F5633342F4C41504D2F5634324249530D0A,4108,172.20.2.54,0,,4147,311,4148,MSRASV5.00,4129,GAB2\MGRDAN,4130,GAB2\MGRDAN,4127,1,25,311 1 172.20.2.54 03/27/2003 13:57:34 6,4136,1,4142,0
172.20.2.54,GAB2\MGRDAN,03/27/2003,09:11:09,RAS,GAB2,25,311 1 172.20.2.54 03/27/2003 13:57:34 6,4127,1,4130,GAB2\MGRDAN,4129,GAB2\MGRDAN,4136,3,4142,48
172.20.2.54,,03/27/2003,11:56:26,RAS,GAB2,6,2,7,1,5,11,61,0,77,0x0D0A434F4E4E4543542033313230302F4152512F5633342F4C41504D2F5634324249530D0A,4108,172.20.2.54,0,,4147,311,4148,MSRASV5.00,4129,MAIL\Guest,4130,MAIL\Guest,4127,7,25,311 1 172.20.2.54 03/27/2003 13:57:34 7,4136,1,4142,0
172.20.2.54,,03/27/2003,11:56:26,RAS,GAB2,25,311 1 172.20.2.54 03/27/2003 13:57:34 7,4127,7,4130,MAIL\Guest,4129,MAIL\Guest,4136,3,4142,48
172.20.2.54,,03/27/2003,12:00:20,RAS,GAB2,6,2,7,1,5,11,61,0,77,0x0D0A434F4E4E4543542033313230302F4152512F5633342F4C41504D2F5634324249530D0A,4108,172.20.2.54,0,,4147,311,4148,MSRASV5.00,4129,MAIL\Guest,4130,MAIL\Guest,4127,7,25,311 1 172.20.2.54 03/27/2003 13:57:34 8,4136,1,4142,0
172.20.2.54,,03/27/2003,12:00:20,RAS,GAB2,25,311 1 172.20.2.54 03/27/2003 13:57:34 8,4127,7,4130,MAIL\Guest,4129,MAIL\Guest,4136,3,4142,48
172.20.2.54,,03/27/2003,12:09:52,RAS,GAB2,6,2,7,1,5,11,61,0,77,0x0D0A434F4E4E4543542033313230302F4152512F5633342F4C41504D2F5634324249530D0A,4108,172.20.2.54,0,,4147,311,4148,MSRASV5.00,4129,MAIL\Guest,4130,MAIL\Guest,4127,7,25,311 1 172.20.2.54 03/27/2003 13:57:34 9,4136,1,4142,0
172.20.2.54,,03/27/2003,12:09:52,RAS,GAB2,25,311 1 172.20.2.54 03/27/2003 13:57:34 9,4127,7,4130,MAIL\Guest,4129,MAIL\Guest,4136,3,4142,48
172.20.2.54,,03/27/2003,12:11:52,RAS,GAB2,6,2,7,1,5,11,61,0,77,0x0D0A434F4E4E4543542033313230302F4152512F5633342F4C41504D2F5634324249530D0A,4108,172.20.2.54,0,,4147,311,4148,MSRASV5.00,4129,MAIL\Guest,4130,MAIL\Guest,4127,7,25,311 1 172.20.2.54 03/27/2003 13:57:34 10,4136,1,4142,0
172.20.2.54,,03/27/2003,12:11:52,RAS,GAB2,25,311 1 172.20.2.54 03/27/2003 13:57:34 10,4127,7,4130,MAIL\Guest,4129,MAIL\Guest,4136,3,4142,48

However, today, I am not getting anything in either event viewer or RRAS log.
Dan
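
As an added example (not part of any poster's message), the RRAS log lines posted above can be decoded with a short parser that reports why each Access-Reject record was refused. The attribute ids and the meanings of the authentication types and reason codes are assumptions taken from Microsoft's IAS log format documentation, not from the thread.

```python
import csv

# IAS-format RRAS log: six fixed header fields, then attribute-id,value pairs.
HEADER = ("nas_ip", "user_name", "date", "time", "service", "computer")

# Attribute ids and value meanings come from Microsoft's IAS log format
# documentation (an assumption of this example; the thread does not state them).
PACKET_TYPE, REASON_CODE, AUTH_TYPE, SAM_ACCOUNT, POLICY_NAME = (
    "4136", "4142", "4127", "4129", "4149")
ACCESS_REJECT = "3"
AUTH_TYPES = {"1": "PAP", "2": "CHAP", "3": "MS-CHAP", "4": "MS-CHAP v2",
              "5": "EAP", "7": "None"}
REASONS = {
    "48": "no remote access policy matched the connection attempt",
    "65": "remote access permission for the user account was denied",
    "66": "authentication method not enabled on the matching policy",
}

def parse_line(line):
    """Split one log line into header fields plus an attribute dict."""
    fields = next(csv.reader([line]))
    record = dict(zip(HEADER, fields[:6]))
    record["attrs"] = dict(zip(fields[6::2], fields[7::2]))
    return record

def explain_rejects(lines):
    """Return one summary dict per Access-Reject record."""
    rejects = []
    for line in lines:
        rec = parse_line(line)
        attrs = rec["attrs"]
        if attrs.get(PACKET_TYPE) != ACCESS_REJECT:
            continue
        code = attrs.get(REASON_CODE, "")
        rejects.append({
            "time": rec["date"] + " " + rec["time"],
            # Header user name can be empty; fall back to SAM-Account-Name.
            "user": rec["user_name"] or attrs.get(SAM_ACCOUNT, ""),
            "auth": AUTH_TYPES.get(attrs.get(AUTH_TYPE, ""), "unknown"),
            "policy": attrs.get(POLICY_NAME, ""),
            "reason": REASONS.get(code, "reason code " + code),
        })
    return rejects

# Sample records copied from the log excerpt posted above.
SAMPLE = [
    r"172.20.2.54,,03/26/2003,15:54:28,RAS,GAB2,44,1,40,8,4108,172.20.2.54,0,,4136,4,4142,0",
    r"172.20.2.54,ADMIN\MGRDAN,03/27/2003,09:01:46,RAS,GAB2,25,311 1 172.20.2.54 03/27/2003 13:57:34 1,4149,Allow access if dial-in permission is enabled,4127,1,4130,ADMIN\MGRDAN,4129,ADMIN\MGRDAN,4136,3,4142,66",
    r"172.20.2.54,ADMIN\ddotter,03/27/2003,09:03:47,RAS,GAB2,25,311 1 172.20.2.54 03/27/2003 13:57:34 3,4149,Allow access if dial-in permission is enabled,4127,1,4130,ADMIN\ddotter,4129,ADMIN\ddotter,4136,3,4142,65",
    r"172.20.2.54,,03/27/2003,11:56:26,RAS,GAB2,25,311 1 172.20.2.54 03/27/2003 13:57:34 7,4127,7,4130,MAIL\Guest,4129,MAIL\Guest,4136,3,4142,48",
]
```

Calling `explain_rejects(SAMPLE)` returns three rejects; the first pairs authentication type PAP with the policy "Allow access if dial-in permission is enabled", which matches the "unauthorized authentication method" event quoted from Event Viewer.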
 
dmandell-
Are you saying that you are running RRAS with only NT domains and no Active Directory?
Dan
 
Dan,
Until last week (when we installed AD), we were running that way for two years.
But now that you have indicated that you are using it with dialup, I must clarify that we were using it for Microsoft VPN. But the rules setup is the same.

The eventlog clip you showed has a user MGRDAN in domain ADMIN. Is this correct? If this is really user MGRDAN on computer ADMIN, you need to look at how your dialup client is set up, and make sure you are using the DOMAIN account for authentication.

Your log should show something like this:
"RRAS server name","RAS",04/02/2003,08:55:19,4,"NT-DOMAIN\username, etc...

You can also try for testing purposes by actually putting domain\username in the username box of your Windows dial-up connection dialog on the client.

I am presuming that you already have the following checked in your dialup client (under options):
"Prompt for name and Password, etc"
"Include Windows login domain"

Hope this helps,
Dana
 
It seems you have a modem driver problem. Try using this machine as a client to connect to your old NT4SP6a, or connect it to an ISP, to see whether it works properly or not.

If this is the point, then delete the modem and reinstall the modem driver, or change to another modem, for some modems can dial out or accept an incoming call but after that they can do nothing.
 
deanhsiao-
I was using the same computer and modem to connect to the old RAS server.

dmandell-
You are right, the user mgrdan is in the admin domain. I do have all the settings you mentioned in the client.

From this do I conclude that dialup to RRAS will not work without AD?
Dan
 
I think deanhsiao is saying "Check the modem attached to your new RRAS server to be sure it is working correctly" (Not the client side modem)

I do not know your complete setup. Is the RRAS server in the same domain as the user? or is there a proper trust relationship setup between the two domains?

I really believe that the dialup will work properly without AD in an NT 4 environment.
Dana
 
The RRAS modem was actually the same one that I used on the old RAS server. I just plugged the modem into the other server. Dan
 
Dan, Assuming the answer to my last questions is "yes" have you tried using DOMAIN\username in the username field of the client? Seriously, we had to do this to get proper authentication until we got our settings straightened out. It might help in your troubleshooting.
Dana
 
Yes, I have tried that. It didn't work either. Dan
 
...and what were the results in the log files?
You should also be checking the domain controller for the authentication request. This may help shed some light on the failure too.
 
Nothing shows up in either log file or event viewer.
Dan
 
If there is a success, you should see an event in the System log (eventvwr) on the RRAS computer, and a login success in the Security log (eventvwr) of the DC.

If there is a failure, you should see an event in the Security log (eventvwr) of the RRAS computer, and nothing in the System log (eventvwr) of the RRAS computer.

If nothing shows up anywhere, either somehow the logging got turned off, or your RRAS services are no longer running.

Is it worth restarting the server and trying again?
 
Have you tried using a client computer that connects to this server over a NIC connection without problems? Then disconnect this computer by pulling out the LAN cable and use a modem to connect to this server again, especially using the same user name; is it the same problem you got now?
 