Microsoft KB Archive/826157

= "Error 691" error message when you log on to a Windows Server 2003-based computer or a Windows 2000-based computer that is running Routing and Remote Access or Internet Authentication Service =

Article ID: 826157

Article Last Modified on 10/30/2006


APPLIES TO


 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Professional Edition




Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SYMPTOMS
When you try to log on to a Microsoft Windows Server 2003-based computer or a Microsoft Windows 2000 Server-based computer that is running the Routing and Remote Access service or Internet Authentication Service (IAS), you may receive an error message that is similar to the following:

Error 691 Access denied because username or password, or both, are not valid on the domain.



CAUSE
This behavior occurs when you log on to the Windows Server 2003-based computer or the Windows 2000-based computer from a Microsoft Windows 95, Windows 98, Windows Millennium Edition, or Windows NT 4.0-based client computer.

By default, Routing and Remote Access and Internet Authentication Service on Windows Server 2003 and on Windows 2000 do not support clients that use LAN Manager authentication with Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1). Windows 2000-based clients and Windows XP-based clients do not use LAN Manager authentication with MS-CHAP v1 and do not experience this problem.



RESOLUTION
To resolve this behavior, use one of the following methods:

Method 1
Change the remote access policy on your server to permit only MS-CHAP v2 authentication. Use this method only if all your dial-up clients or virtual private network (VPN) clients support MS-CHAP v2 authentication. To do this, follow these steps:
 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
 * 2) Right-click the server name that you want to enable authentication protocols for, and then click Properties.
 * 3) On the Security tab, click Authentication Methods.
 * 4) In the Authentication Methods dialog box, click to select the Microsoft Encrypted Authentication Method version 2 (MS-CHAP v2) check box. Click to clear all the other check boxes, and then click OK two times.
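The Method 1 change can also be made and checked from a command prompt with the `netsh ras` context, which is easier to audit across several servers than the dialog box. This is an added example, not part of the original article; it assumes an administrative command prompt on the Routing and Remote Access server and uses the authentication type names accepted by `netsh ras` on these Windows versions.

```bat
@echo off
rem Added example: command-line form of Method 1 (not from the original article).
rem Run from an administrative command prompt on the Routing and Remote Access server.

echo Authentication types enabled before the change:
netsh ras show authtype

rem Enable MS-CHAP v2 first so the server is never left with no method enabled.
netsh ras add authtype type=MSCHAPv2

rem Clear every other method, matching "clear all the other check boxes".
rem MSCHAP is MS-CHAP v1; deleting a type that is already off only reports an error.
for %%T in (PAP SPAP MD5CHAP MSCHAP EAP) do (
    netsh ras delete authtype type=%%T
)

echo Authentication types enabled after the change:
netsh ras show authtype
```

After the script runs, the second listing should contain only the MS-CHAP v2 entry.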

Method 2
To do this, follow these steps:
 * 1) Click Start, and then click Run.
 * 2) In the Open box, type regedit, and then click OK.
 * 3) Locate and then double-click the following registry key:
 * 4) In the Value data box, type 1, and then click OK.

Note In Windows Server 2003, the default value is 0 (off). By default, Windows 2000 Server supports LAN Manager authentication. When you upgrade a computer that is running Windows 2000 Server to a member of the Windows Server 2003 family, the existing value for the  registry key is preserved.



MORE INFORMATION
The following clients support MS-CHAP v2:
 * Microsoft Windows 95 with the Dial-up Networking 1.3 or 1.4 update installed
 * Microsoft Windows 98 with the Dial-up Networking 1.4 update installed
 * Microsoft Windows 98 Second Edition
 * Microsoft Windows Millennium Edition
 * Microsoft Windows NT 4.0 Service Pack 4 or later
 * Microsoft Windows 2000
 * Microsoft Windows XP
 * Microsoft Windows Server 2003


© Microsoft Corporation. All rights reserved.