Microsoft KB Archive/938224

= Error message when you try to connect a Windows XP-based computer to a network by using a virtual private network (VPN) connection: &quot;Access denied because username and&or password is invalid on the domain&quot; =

Article ID: 938224

Article Last Modified on 6/19/2007

-

APPLIES TO


 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Professional

-



SYMPTOMS
When you try to connect a Windows XP-based computer to a network by using a virtual private network (VPN) connection, you may receive the following error message:

Access denied because username and&or password is invalid on the domain

This problem occurs if one of the following conditions is true:
 * 1) The password to access the network has expired.
 * 2) The administrator has enabled the User must change password at next logon option for the user account.



CAUSE
This problem occurs because a third-party Remote Access Service (RAS) device modifies the error message incorrectly. Therefore, you receive the error message instead of a warning message.

Note The warning message informs a VPN client that the network password has expired.



Information from the Internet Authentication Service (IAS) server
When this problem occurs, the IAS server sends an Access-Reject packet to the RAS device. In the Access-Reject packet, the error code is 648. This error code represents the ERROR_PASSWD_EXPIRED error. Additionally, the Lassam.log file of the IAS server contains the following information: The user's password must be changed before logging on the first time.

Client RASCHAP log
The following is an example of the client RASCHAP log: [508] 03-02 11:04:20:283: Message received...

04 01 00 0D 45 3D 36 39 31 20 52 3D 30 00 00 00 |....E=691 R=0...|

[508] 03-02 11:04:20:283: GetInfoFromFailure...

[508] 03-02 11:04:20:283: GetInfoFromFailure done,e=691,r=0,v=2

[508] 03-02 11:04:20:283: Done The error code in the RASCHAP log is 691. Additionally, the network trace indicates that the error code is 691. The following is an example of the network trace:

PPP Ch failure, Message: E=691 R=0> 691

The 691 error code represents the following error message:

Access denied because username and&or password is invalid on the domain.

A third-party RAS device may cause this problem if the third-party RAS device incorrectly converts the 648 error code to the 691 error code.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.

Keywords: kbtshoot kbexpertiseadvanced kbprb KB938224

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.