Microsoft KB Archive/929857

= You receive error code 741 when you try to make a PPTP-based VPN connection on a computer that is running Windows Vista =

Article ID: 929857

Article Last Modified on 1/23/2007

-

APPLIES TO


 * Windows Vista Ultimate
 * Windows Vista Business
 * Windows Vista Enterprise
 * Windows Vista Home Basic
 * Windows Vista Home Premium

-



Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry



SYMPTOMS
When you try to make a Point-to-Point Tunneling Protocol (PPTP)-based virtual private network (VPN) connection to a VPN server computer, you receive error code 741. This behavior occurs on a computer that is running Windows Vista.

You receive the error code if the VPN server computer is running a version of Windows that is earlier than Windows Vista. For example, you may receive the error code if the server computer is running Microsoft Windows Server 2003 or Microsoft Windows 2000 Server.



CAUSE
This behavior occurs because Windows Vista does not have default support for the 40-bit and for the 56-bit encryption levels under the RC4 algorithm. By default, Windows Vista supports 128-bit encryption.



WORKAROUND
To work around this behavior, you must configure the encryption settings on the server computer and on the client computer as Method 1 describes.

Additionally, you can configure the client computer to support lower encryption levels as Method 2 describes. However, we do not recommend this configuration.

Method 1
Note Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

Configure the VPN server computer
To configure the encryption settings on the VPN server computer, follow these steps:
 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
 * 2) Expand   (local), and then click Remote Access Policies.
 * 3) In the right pane, double-click the Connections to Microsoft Routing and Remote Access server policy.
 * 4) Click Edit Profile, and then click the Encryption tab.
 * 5) Click to select the Strongest encryption (MPPE 128 bit) check box, and then click OK two times.
 * 6) In the Services snap-in, restart the Routing and Remote Access service.

Configure the client computer
To configure the encryption settings on the client computer, follow these steps:
 * 1) Click Start, and then click Connect to.
 * 2) Right-click the VPN connection that you want, and then click Properties.
 * 3) Click the Security tab, click Advanced (Custom Settings), and then click Settings.
 * 4) In the Data encryption box, click Maximum strength encryption (disconnect if server declines), and then click OK two times.

Note This configuration establishes the VPN connection by using 128-bit encryption and the RC4 algorithm.

Method 2
Warning This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

Note Use this method if the server computer does not support 128-bit RC4 encryption.

To provide support for the 40-bit encryption levels and for the 56-bit encryption levels on a client computer that is running Windows Vista, you must configure the AllowPPTPWeakCrypto registry entry. To do this, follow these steps:  Click Start, and then type regedit in the Start Search box. In the search results list, right-click regedit, click Run as Administrator, and then click Continue in the User Account Control dialog box. Locate, and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters

 Create the following registry entry under the previous subkey. If this entry already exists, edit it so that it appears as follows:

Name: AllowPPTPWeakCrypto

Value type: DWORD

Value data: 1 Exit Registry Editor. Restart the computer.</li></ol>

Additional query words: cryptography

Keywords: kbconnectionfailures kbexpertiseadvanced kbtshoot KB929857

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.