
ISA 2006 client access VPN with Windows 2008 domain

Ok guys, help me out here. It has been forever since I configured an ISA PPTP server but I thought I remembered everything. Something isn't quite right though, because no matter what I try, I get an Error 691 when trying to connect. The details:

DOMAIN CONTROLLER -- TEST domain
Windows 2008 w/ SP2 -- I turned the firewall off
IP: 10.2.1.5 / 24
Runs DNS and DHCP as well

ISA SERVER
Windows 2003 w/ SP2
ISA 2006 w/ SP1
Internal NIC: 10.2.1.201 /24
External NIC: 10.1.1.8 /24 Gateway is 10.1.1.201 on external NIC
*Internal NIC has 10.2.1.5 as a DNS server

ISA server is configured to enable PPTP for the domain users group in the TEST domain. ISA will hand out IPs from the internal DHCP server.

When I connect, I get an Error 691 which says user name and password combination aren't correct (they are) or that the selected authentication protocol is not permitted on the remote access server (MS-CHAP v2 is selected on both). I have enabled remote access for the accounts I am testing with in the Dial-In permissions tab on User Manager. There is also an IAS 5052 event in the ISA logs and that seems to indicate that the domain controller can't be found, BUT if you look at the domain controller logs you can see the authentication request.

I don't know what the issue could be. I've tried from a couple of different clients and get the same error. I am wondering if it is something about Windows 2008 that I don't know to do. I am bringing up another test Windows 2003 box and I plan on making it a DC and using that as a last resort.

Any ideas? As I mentioned, I don't remember this being very difficult to configure and I've set up far more complex VPN client access topologies with ISA in the past. I am hoping I am just forgetting a step since it has been so many years.

Thanks!
 
As you note, in a Server 2003 environment, setting up an ISA-managed PPTP VPN is usually a piece of cake. A quick search reveals several major articles on 691 VPN errors with ISA Server and the problem may well be related to the Server 2008 involvement.
 

That is my guess as well, and I have a feeling that once I get this new test Windows 2003 domain controller up, it will be a piece of cake. I'm not familiar with all of the new Remote Access features of Windows 2008 and I have a suspicion there are a few policy changes I might need to make to get it working. I just started building it last night and didn't have time to do much research, unfortunately, so I was hoping it was just something obvious that I overlooked.

I suppose I could enable the new IAS equivalent on Windows 2008, enable RADIUS, drop the ISA server from the domain, and then authenticate that way. But really, the OS of the domain controller isn't that big of a deal so if I can get this working with the Windows 2003 domain controller, I'll probably just move the member servers over to the new domain and call it a day. This is just a test lab environment.

Thanks for your help guys.
 
Well, FWIW, I brought up a new Windows 2003 domain controller, flipped the ISA server into that domain, and the VPN fired right up and connected with zero issues. Interesting. I guess I need to review some Win 2008 remote access information.
 