Microsoft KB Archive/227747

= Routing and Remote Access server stops authenticating dial-up networking clients =

Article ID: 227747

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows Small Business Server 2003 Premium Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition




This article was previously published under Q227747



For a Microsoft Windows XP version of this article, see 314485.



SYMPTOMS
When a Routing and Remote Access Services (RRAS) server joins a Windows Server-based domain, client authentication appears not to work. The RRAS server still authenticates client accounts that are local to the RRAS server, but it does not authenticate domain accounts. You may receive one of the following error messages on the Dial-Up Networking (DUN) client:  

Error 619, "The port was disconnected."

 

Error 645, "Dial-Up Networking could not complete the connection to the server."

 

Error 930, "The authentication server did not respond to authentication requests in a timely fashion."



Also, the RRAS server may log the following event ID message:

Event id: 20073

Source: RemoteAccess

Description: The following error occurred in the Point to Point Protocol module on port:, UserName:. The authentication server did not respond to authentication requests in a timely fashion.



CAUSE
This issue occurs because the account you were logged on with at the time you joined the domain did not have administrator privileges on the Windows 2000-based domain. Because of this, services that could easily compromise network security, such as RRAS, deny clients the ability to obtain access to the domain.

Error 930 may also occur if the default path to the Remote Access log file is changed or is invalid.



RESOLUTION
To work around this issue, you must register the RRAS server in Active Directory using an account that has domain administrator permissions. To do so, use either of the following methods:

Add the RRAS Computer to the Appropriate Group
Add the RRAS computer to the appropriate group:
 * 1) Log on to your computer with an account that has administrator privileges on the Windows 2000 domain.
 * 2) Launch the Active Directory Users and Computers MMC snap-in, and then double-click the domain name.
 * 3) Double-click the Users folder, and then double-click the RAS and IAS Servers security group.
 * 4) Select the Members tab.
 * 5) Add the RRAS server to this group.

NOTE: If the organization has more than one domain in the forest, and users from the different domains are trying to log on to the RRAS server, continue to follow steps 1 through 5 until the RRAS server is in the "RAS and IAS Servers" security group for each respective domain.

Use the Netsh.exe Utility
NOTE: The Netsh.exe methods can only be used if the RRAS server is Windows 2000-based.

Use either of the following methods with the Netsh.exe tool:

Method 1
Log on to the RRAS computer using an account that has domain administrator privileges, type netsh ras add registeredserver at a command prompt, and then press ENTER.

Method 2
To run a command with administrator privileges without being logged in as an administrator:
 * 1) At a command prompt on the RRAS computer, type runas /user:DomainName\AdministratorName "cmd", where DomainName is the appropriate domain name, and AdministratorName is the appropriate administrator name. You are then prompted to enter a password for this account. If this computer is able to connect to the domain controller and verify the credentials, a command prompt opens with the following information in the title bar: cmd (running as DomainName\AdministratorName)
 * 2) At that command prompt, type netsh ras add registeredserver, and then press ENTER.

NOTE: For either of the preceding methods, you receive one of the following messages:

Command Is Successful:

Registration completed successfully:

RAS Server:

Domain:

Command Is Not Successful:

Registration FAILED:

RAS Server:

Domain:  The specified domain either does not exist or could not be contacted.

If you changed the default path to the Remote Access log file, you must give the local System account write permission to the new folder. (The default path is %Systemroot%\System32\LogFiles.) To verify the path of the Routing and Remote Access log folder, follow these steps:
 * 1) Open the Routing and Remote Access snap-in.
 * 2) Right-click the Remote Access Logging object, and then click Properties.
 * 3) Select the Local File tab.
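
The following batch script is an added example, not part of the original article or Microsoft's own tooling. It runs read-only checks for the conditions described above: Active Directory registration, membership in the RAS and IAS Servers group, and the log folder's existence and System account entry. It assumes an English-language system (for the SYSTEM account name), that netsh ras show registeredserver is available on the server, and an optional first argument naming a non-default log folder.

```batch
@echo off
rem Added example: read-only checks for the conditions this article names.
rem Run at a command prompt on the RRAS server. Optional argument: the
rem Remote Access log folder, if it was moved from the default location.
setlocal
set "LOGDIR=%~1"
if "%LOGDIR%"=="" set "LOGDIR=%SystemRoot%\System32\LogFiles"
set FAIL=0

echo [1] Registration status as reported by netsh:
netsh ras show registeredserver

echo [2] Membership of %COMPUTERNAME%$ in "RAS and IAS Servers":
rem The group is domain local, so it is listed with "net localgroup /domain".
rem /l /c: makes findstr treat the trailing $ literally. This is a substring
rem match, so read the printed line to confirm the exact account name.
net localgroup "RAS and IAS Servers" /domain | findstr /i /l /c:"%COMPUTERNAME%$"
if errorlevel 1 (
    echo     NOT A MEMBER: add the server to the group, or register it.
    set FAIL=1
)

echo [3] Log folder "%LOGDIR%":
if not exist "%LOGDIR%" (
    echo     MISSING: the log path is invalid.
    set FAIL=1
    goto :done
)
rem Prints the ACL entry for the local System account, if there is one.
rem The entry should grant write access: F, C or W in cacls notation.
cacls "%LOGDIR%" | findstr /i /l /c:"SYSTEM:"
if errorlevel 1 (
    echo     NO ENTRY for the local System account on this folder.
    set FAIL=1
)

:done
if %FAIL%==0 (echo Result: no problem found.) else (echo Result: see items flagged above.)
endlocal & exit /b %FAIL%
```

In a forest with more than one domain, check 2 covers only the domain of the account running the script, so repeat it with credentials from each domain whose users dial in.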


STATUS
This behavior is by design.


MORE INFORMATION
This behavior is designed to increase security by requiring administrator permissions before a RRAS server may be added to Active Directory. This issue does not occur if you are logged in with an account that has administrator privileges in the Windows domain at the time you install and configure RRAS. In this situation, the RRAS server is automatically registered in Active Directory.

Additional query words: pptp vpn

Keywords: kberrmsg kbnetwork kbprb KB227747


© Microsoft Corporation. All rights reserved.