"Error 691" error message when you log on to a Windows Server 2003-based computer or a Windows 2000-based computer that is running Routing and Remote Access or Internet Authentication Service

Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry


When you try to log on to a Microsoft Windows Server 2003-based computer or a Microsoft Windows 2000 Server-based computer that is running the Routing and Remote Access service or Internet Authentication Service (IAS), you may receive an error message that is similar to the following:
Error 691 Access denied because username or password, or both, are not valid on the domain.


This behavior occurs when you log on to the Windows Server 2003-based computer or the Windows 2000-based computer from a Microsoft Windows 95, Windows 98, Windows Millennium Edition, or Windows NT 4.0-based client computer.

By default, Routing and Remote Access and Internet Authentication Service on Windows Server 2003 and on Windows 2000 do not support clients that use LAN Manager authentication with Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1). Windows 2000-based clients and Windows XP-based clients do not use LAN Manager authentication with MS-CHAP v1 and do not experience this problem.


To resolve this behavior, use one of the following methods:

Method 1

Change the remote access policy on your server to permit only MS-CHAP v2 authentication. Use this method only if all your dial-up clients or virtual private network (VPN) clients support MS-CHAP v2 authentication. To do this, follow these steps:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
  2. Right-click the server name that you want to enable authentication protocols for, and then click Properties.
  3. On the Security tab, click Authentication Methods.
  4. In the Authentication Methods dialog box, click to select the Microsoft Encrypted Authentication Method version 2 (MS-CHAP v2) check box. Click to clear all the other check boxes, and then click OK two times.

Method 2

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To permit LAN Manager authentication with MS-CHAP v1 for operating systems that are earlier than Windows 2000, change the following registry value to 1 on the authenticating server:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy\Allow LM Authentication

To do this, follow these steps:
  1. Click Start, and then click Run.
  2. In the Open box, type regedit, and then click OK.
  3. Locate and then double-click the following registry value:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy\Allow LM Authentication

  4. In the Value data box, type 1, and then click OK.

    Note In Windows Server 2003, the default value is 0 (off). By default, Windows 2000 Server supports LAN Manager authentication. When you upgrade a computer that is running Windows 2000 Server to a member of the Windows Server 2003 family, the existing value for the Allow LM Authentication registry value is preserved.
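
The same check and change can be scripted, which is useful for auditing servers that were upgraded from Windows 2000 Server and kept their earlier setting. The following PowerShell is an added example, not part of the original article; the function names are hypothetical, and it assumes that Windows PowerShell 2.0 or later is installed on the server and that the value is stored as a REG_DWORD.

```powershell
# Added example (not from the Microsoft article). Function names are hypothetical.
# Assumption: "Allow LM Authentication" is a REG_DWORD; the article does not state its type.
$PolicyKey = 'HKLM:\System\CurrentControlSet\Services\RemoteAccess\Policy'
$ValueName = 'Allow LM Authentication'

function Get-AllowLmAuthentication {
    # Report the current setting on the local authenticating server.
    $data  = $null
    $state = 'Policy key not found'
    if (Test-Path $PolicyKey) {
        $state = 'Value not present'
        $prop = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($prop -ne $null) {
            $data = $prop.$ValueName
            if     ($data -eq 0) { $state = 'Off (LM authentication with MS-CHAP v1 refused)' }
            elseif ($data -eq 1) { $state = 'On (LM authentication with MS-CHAP v1 permitted)' }
            else                 { $state = 'Unexpected data (the article documents only 0 and 1)' }
        }
    }
    New-Object PSObject -Property @{ Computer = $env:COMPUTERNAME; Data = $data; State = $state }
}

function Set-AllowLmAuthentication {
    # Back up the Policy key first, then write 0 or 1. Run as an administrator.
    param(
        [Parameter(Mandatory = $true)][ValidateSet(0, 1)][int]$Data,
        [string]$BackupDir = $env:TEMP    # assumption: any writable folder will do
    )
    if (-not (Test-Path $PolicyKey)) { throw "Key not found: $PolicyKey" }
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir "RemoteAccess-Policy-$stamp.reg"
    & reg.exe export 'HKLM\System\CurrentControlSet\Services\RemoteAccess\Policy' $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; registry left unchanged.' }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value $Data -Force | Out-Null
    Get-AllowLmAuthentication
}

# Audit only:
Get-AllowLmAuthentication | Format-List Computer, Data, State
# Method 2 (permit clients earlier than Windows 2000):  Set-AllowLmAuthentication -Data 1
# Return to the Windows Server 2003 default:            Set-AllowLmAuthentication -Data 0
```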

More Information

The following clients support MS-CHAP v2:

  • Microsoft Windows 95 with the Dial-up Networking 1.3 or 1.4 update installed
  • Microsoft Windows 98 with the Dial-up Networking 1.4 update installed
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows Millennium Edition
  • Microsoft Windows NT 4.0 Service Pack 4 or later
  • Microsoft Windows 2000
  • Microsoft Windows XP
  • Microsoft Windows Server 2003