I'd like to provide an update on the situation: we recently upgraded the
DC/RRAS server to Windows 2003 successfully. The persistent VPN connection
across the sites works as per normal. But as usual, personal VPN connections
as a user of the forest root domain will fail, now with a new error code:

Error 691 : Access was denied because the username and/or password was
invalid on the domain.

Is it not possible for an RRAS server to authenticate users from another
domain? I can sure RDC to it with no problems, just not VPN. This makes me
suspect the two technologies use different authentication mechanisms/logic.


Aaron


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Seet
Sent: Friday, 18 March 2005 18:16
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Failing to VPN to child tree site as forest enterprise
admin

I have a rather peculiar setup:
First site: forest domain VC, with a win2000 DC acting as RRAS with PPTP
VPN.
Second site: child domain ASP, with a win2000 DC acting as RRAS, connecting
the two sites with a persistent route.

The persistent VPN tunnel works fine, and on the ASP DC, I can log in as
VC\Aaron.seet and authenticate just fine being a domain admin and enterprise
admin. I can also VPN from home direct to the first site.

However, when it comes to the second site, when I try to authenticate with
the account I get hit by

"Error 930: The authentication server did not respond to authentication
requests in a timely fashion."

Further inspection of the event log in the DC/RRAS shows the same thing:
------------------------------------------------------------
Event Type:     Error
Event Source:   RemoteAccess
Event Category: None
Event ID:       20073
Date:           18/03/2005
Time:           5:48:33 PM
User:           N/A
Computer:       SHINOBU
Description:
The following error occurred in the Point to Point Protocol module on port:
VPN3-3, UserName: VC\Aaron.seet. The authentication server did not respond
to authentication requests in a timely fashion. 
Data:
0000: 000003a2
------------------------------------------------------------

What are the possible causes of this problem? The remote access policy is
already in place to allow "ASP\VPN Users" (which includes me). Adding
"VC\domain admins" into the policy does not help. If there is some problem
trying to go across the persistent VPN tunnel to obtain my credentials, then I
guess I oughta expect a similar problem if I log on to the machine physically,
but I don't.

