Routing and Remote Access server stops authenticating dial-up networking clients (227747)



The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition

This article was previously published under Q227747
For a Microsoft Windows XP version of this article, see 314485.

SYMPTOMS

When a Routing and Remote Access Services (RRAS) server joins a Windows Server-based domain, client authentication appears not to work. The RRAS server still authenticates client accounts that are local to the RRAS server, but it does not authenticate domain accounts. You may receive one of the following error messages on the Dial-Up Networking (DUN) client:
  • Error 619, "The port was disconnected."
  • Error 645, "Dial-Up Networking could not complete the connection to the server."
  • Error 930, "The authentication server did not respond to authentication requests in a timely fashion."
Also, the RRAS server may log the following event ID message:
Event id: 20073
Source: RemoteAccess
Description: The following error occurred in the Point to Point Protocol module on port: port number, UserName: user name. The authentication server did not respond to authentication requests in a timely fashion.

CAUSE

This issue occurs because the account you were logged on with at the time you joined the domain did not have administrator privileges on the Windows 2000-based domain. Because of this, services that could easily compromise network security, such as RRAS, deny clients the ability to obtain access to the domain.

Error 930 may also occur if the default path to the Remote Access log file is changed or is invalid.

RESOLUTION

To work around this issue, you must register the RRAS server in Active Directory using an account that has domain administrator permissions. To do so, use either of the following methods:

Add the RRAS Computer to the Appropriate Group

Add the RRAS computer to the appropriate group:
  1. Log on to your computer with an account that has administrator privileges on the Windows 2000 domain.
  2. Launch the Active Directory Users and Computers MMC snap-in, and then double-click the domain name.
  3. Double-click the Users folder, and then double-click the RAS and IAS Servers security group.
  4. Select the Members tab.
  5. Add the RRAS server to this group.
NOTE: If the organization has more than one domain in the forest, and users from the different domains are trying to log on to the RRAS server, continue to follow steps 1 through 5 until the RRAS server is in the "RAS and IAS Servers" security group for each respective domain.
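
The following is an added audit example, not part of the original article. It reports, for every domain in the forest, whether the RRAS server's computer account is a member of the "RAS and IAS Servers" group that the steps and NOTE above describe. It assumes the ActiveDirectory PowerShell module is available on the admin workstation; the function name Test-RasGroupMembership and the server name RRAS01 are hypothetical.

```powershell
# Added example: read-only check of "RAS and IAS Servers" membership per domain.
# Assumptions: ActiveDirectory module (RSAT) is installed, and the RRAS server's
# computer account lives in the domain of the account running the script.
Import-Module ActiveDirectory

function Test-RasGroupMembership {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # RRAS server computer account
        [string] $GroupName = 'RAS and IAS Servers'      # group named in the article
    )

    # Resolve the server once; members are compared by distinguished name.
    $computer = Get-ADComputer -Identity $ComputerName

    foreach ($domain in (Get-ADForest).Domains) {
        $result = [pscustomobject]@{
            Domain   = $domain
            Group    = $GroupName
            IsMember = $false
            Note     = ''
        }
        try {
            # Query a domain controller of each domain for its own copy of the group.
            $group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Server $domain -Properties member
            if ($null -eq $group) {
                $result.Note = 'group not found in this domain'
            } else {
                $result.IsMember = $group.member -contains $computer.DistinguishedName
                if (-not $result.IsMember) {
                    $result.Note = 'domain accounts from this domain will not authenticate'
                }
            }
        } catch {
            # An unreachable domain is reported rather than silently skipped.
            $result.Note = "lookup failed: $($_.Exception.Message)"
        }
        $result
    }
}

# RRAS01 is a placeholder server name.
Test-RasGroupMembership -ComputerName 'RRAS01' | Format-Table -AutoSize
```

The check only reads directory data, so it can be run with an ordinary domain account; adding the server to the group still requires the administrator privileges described in the steps above.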

Use the Netsh.exe Utility

NOTE: The Netsh.exe methods can only be used if the RRAS server is Windows 2000-based.

Use either of the following methods with the Netsh.exe tool:

Method 1

Log on to the RRAS computer using an account that has domain administrator privileges, type netsh ras add registeredserver at a command prompt, and then press ENTER.

Method 2

To run a command with administrator privileges without being logged in as an administrator:
  1. At a command prompt on the RRAS computer, type runas /user:domain name\administrator name "cmd", where domain name is the appropriate domain name, and administrator name is the appropriate administrator name. You are then prompted to enter a password for this account. If this computer is able to connect to the domain controller and verify the credentials, a command prompt opens with the following information in the title bar:

    cmd (running as domain name\administrator name)

  2. In the command prompt that opened in step 1, type netsh ras add registeredserver, and then press ENTER.

NOTE: For either of the preceding methods, you receive one of the following messages:

Command Is Successful:

    Registration completed successfully:
    RAS Server: RAS server name
    Domain: domain name

Command Is Not Successful:

    Registration FAILED:
    RAS Server: RAS server name
    Domain: domain name
    The specified domain either does not exist or could not be contacted.


If you changed the default path to the Remote Access log file, you must give the local System account write permission to the new folder. (The default path is %Systemroot%\System32\LogFiles.) To verify the path of the Routing and Remote Access log folder, follow these steps:
  1. Open the Routing and Remote Access snap-in.
  2. Right-click the Remote Access Logging object, and then left-click Properties.
  3. Select the Local File tab.

STATUS

This behavior is by design.

MORE INFORMATION

This behavior is designed to increase security by requiring administrator permissions before an RRAS server may be added to Active Directory. This issue does not occur if you are logged in with an account that has administrator privileges in the Windows domain at the time you install and configure RRAS. In this situation, the RRAS server is automatically registered in Active Directory.

Modification Type: Major
Last Reviewed: 7/17/2004
Keywords: kberrmsg kbnetwork kbprb KB227747