Article ID: 938224 - Last Review: June 19, 2007 - Revision: 1.1

Error message when you try to connect a Windows XP-based computer to a network by using a virtual private network (VPN) connection: "Access denied because username and/or password is invalid on the domain"


SYMPTOMS

When you try to connect a Windows XP-based computer to a network by using a virtual private network (VPN) connection, you may receive the following error message:
Access denied because username and/or password is invalid on the domain
This problem occurs if one of the following conditions is true:
  1. The password to access the network has expired.
  2. The administrator has enabled the User must change password at next logon option for the user account.

CAUSE

This problem occurs because a third-party Remote Access Service (RAS) device modifies the error message incorrectly. Therefore, you receive the error message instead of a warning message.

Note The warning message informs a VPN client that the network password has expired.

MORE INFORMATION

Information from the Internet Authentication Service (IAS) server

When this problem occurs, the IAS server sends an Access-Reject packet to the RAS device. In the Access-Reject packet, the error code is 648. This error code represents the ERROR_PASSWD_EXPIRED error. Additionally, the Iassam.log file of the IAS server contains the following information:

The user's password must be changed before logging on the first time.

Information from the VPN client

Client RASCHAP log
The following is an example of the client RASCHAP log:
[508] 03-02 11:04:20:283: Message received...

04 01 00 0D 45 3D 36 39 31 20 52 3D 30 00 00 00 |....E=691 R=0...|

[508] 03-02 11:04:20:283: GetInfoFromFailure...

[508] 03-02 11:04:20:283: GetInfoFromFailure done,e=691,r=0,v=2

[508] 03-02 11:04:20:283: Done
The error code in the RASCHAP log is 691. Additionally, the network trace indicates that the error code is 691. The following is an example of the network trace:
PPP Ch failure, Message: E=691 R=0> 691
The 691 error code represents the following error message:
Access denied because username and/or password is invalid on the domain.
A third-party RAS device may cause this problem if the third-party RAS device incorrectly converts the 648 error code to the 691 error code.
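
The failure packet in the RASCHAP log above can be decoded to confirm which code the client actually received and to compare it with the code the IAS server logged. The following Python is an added example, not part of the original article; the function names are hypothetical, and the code table is the one given for the MS-CHAP Failure packet in RFC 2759.

```python
import re

# MS-CHAP failure codes as listed in RFC 2759 (Failure packet).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}
CHAP_FAILURE = 4  # CHAP Code field value for a Failure packet (RFC 1994)

def parse_chap_failure(hex_dump):
    """Decode a CHAP Failure packet given as space-separated hex bytes."""
    data = bytes.fromhex(hex_dump)
    if len(data) < 4:
        raise ValueError("shorter than the 4-byte CHAP header")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if code != CHAP_FAILURE:
        raise ValueError(f"CHAP code {code} is not Failure (4)")
    if not 4 <= length <= len(data):
        raise ValueError(f"bad length field {length}")
    # Length covers header + message; bytes past it are log padding.
    message = data[4:length].decode("ascii", errors="replace")
    fields = dict(re.findall(r"\b([ERV])=(\d+)", message))
    if "E" not in fields:
        raise ValueError("no E= field in failure message")
    err = int(fields["E"])
    return {
        "id": ident,
        "message": message,
        "error": err,
        "name": MSCHAP_ERRORS.get(err, "unknown"),
        "retry_allowed": fields.get("R") == "1",
    }

def rewritten_by_ras(server_error, client_error):
    """True when the client saw a different code than the IAS server sent."""
    return server_error != client_error

# Bytes copied from the RASCHAP log above.
SAMPLE = "04 01 00 0D 45 3D 36 39 31 20 52 3D 30 00 00 00"
```

Calling `parse_chap_failure(SAMPLE)` and passing its `error` value with the server-side code 648 to `rewritten_by_ras` shows the mismatch that points at the RAS device.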

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

APPLIES TO
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional