L2TP/IPsec RAS VPN Connections Fail When Using MS-CHAPv2


Symptoms


L2TP/IPsec VPN connections to a Windows RAS Server fail when using the MS-CHAPv2 authentication method. 

Other symptoms may include the following:

The end user will typically receive an error message similar to the following:
Error 691: "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server."

Additionally, the domain user's bad password count can increment, resulting in an account lockout.

Cause


This can occur when the LmCompatibilityLevel setting on the authenticating DC has been modified from the default:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel

For example, if you set this value to 5 (Send NTLMv2 response only. Refuse LM & NTLM), the DC will not accept any requests that use NTLM authentication.  RAS in Windows Server 2003, 2008, and 2008 R2 defaults to NTLM to hash the password when MS-CHAP or MS-CHAPv2 is configured.  Because the DC will only accept NTLMv2, the request is denied.

NOTE: Additional tests you can perform to confirm this is the issue include:

  • Test a clear text method such as PAP.  Because the password is not hashed, authentication should succeed.
    (WARNING: PAP authentication should be used for testing only.)
  • You can also test MS-CHAPv2 using credentials configured locally on the RAS server.  Because no request is sent to the DC in this scenario, authentication should succeed.

Resolution


If for whatever reason you must use MS-CHAPv2, you can enable NTLMv2 authentication in RAS by adding the following registry entry:

1.     Click Start, click Run, type regedit in the Open box, and then click OK.
2.     Locate and then click the following registry subkey:
       HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy
3.     On the Edit menu, point to New, and then click DWORD Value.
4.     Type Enable NTLMv2 Compatibility, and then press ENTER.
5.     On the Edit menu, click Modify.
6.     In the Value data box, type 1, and then click OK.
7.     Quit Registry Editor.
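The following PowerShell script is an added example and is not part of this article or of any Microsoft tool. It audits both sides of the mismatch described in the Cause section (the DC's LmCompatibilityLevel and the RAS server's "Enable NTLMv2 Compatibility" value) and, only when run with -Apply, creates the DWORD value from the Resolution steps above. It assumes it is run elevated on the RAS server; the $DcName parameter and the use of PowerShell remoting to read the DC's value are assumptions, and the level descriptions are taken from the TechNet reference listed under More Information.

```powershell
# Added example (not from the original article): check the DC LmCompatibilityLevel
# against the RAS "Enable NTLMv2 Compatibility" value and optionally apply the fix.
param(
    [string]$DcName = $env:COMPUTERNAME,   # assumption: name of the authenticating DC
    [switch]$Apply                         # make no changes unless -Apply is given
)

$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$RasPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy'
$RasName = 'Enable NTLMv2 Compatibility'

# Meaning of each LmCompatibilityLevel value (per the TechNet reference).
$LevelText = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

# Read the DC setting (locally, or over PowerShell remoting for a remote DC).
# A missing value means the OS default applies.
$readLsa = { (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).LmCompatibilityLevel }
if ($DcName -eq $env:COMPUTERNAME) {
    $dcLevel = & $readLsa
} else {
    $dcLevel = Invoke-Command -ComputerName $DcName -ScriptBlock $readLsa
}

# Read the RAS-side value on this server.
$rasValue = (Get-ItemProperty -Path $RasPath -Name $RasName -ErrorAction SilentlyContinue).$RasName

$levelDesc = if ($null -ne $dcLevel -and $LevelText.ContainsKey([int]$dcLevel)) {
    $LevelText[[int]$dcLevel]
} else {
    'not set (OS default)'
}
Write-Host "DC $DcName LmCompatibilityLevel : $dcLevel ($levelDesc)"
Write-Host "RAS '$RasName' : $(if ($null -eq $rasValue) { 'not set' } else { $rasValue })"

# Level 5 is the case the article describes: the DC refuses NTLM, but RAS hashes
# MS-CHAPv2 passwords with NTLM unless the RAS value is 1.
$dcRefusesNtlm  = ($dcLevel -eq 5)
$rasSendsNtlmv2 = ($rasValue -eq 1)

if ($dcRefusesNtlm -and -not $rasSendsNtlmv2) {
    Write-Warning "DC refuses NTLM but RAS still sends NTLM for MS-CHAPv2: expect error 691 and rising bad-password counts."
    if ($Apply) {
        if (-not (Test-Path $RasPath)) { New-Item -Path $RasPath -Force | Out-Null }
        # Same change as the Resolution steps: DWORD 'Enable NTLMv2 Compatibility' = 1.
        New-ItemProperty -Path $RasPath -Name $RasName -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Host "Set '$RasName' = 1 under $RasPath."
    } else {
        Write-Host "Re-run with -Apply to set '$RasName' = 1 (DWORD) as described in the Resolution section."
    }
} else {
    Write-Host 'No NTLM/NTLMv2 mismatch detected between the DC and RAS settings.'
}
```

Run it once without -Apply to see both values side by side; it only reports a mismatch for the exact case the article describes (level 5 on the DC with the RAS value absent or 0), so a lockout caused by something else will not be masked by a registry change.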


More Information


LmCompatibilityLevel
http://technet.microsoft.com/en-us/library/cc960646

A user is not successfully authenticated when NTLMv2 authentication is used on a Windows Server 2003-based IAS server
http://support.microsoft.com/kb/893318/en-us