RRAS - NPS Connection Problem

  • RRAS - NPS Connection Problem

    Hi Everyone,

    I'm having a really strange problem with an RRAS-NPS server. I'm hoping someone out there can point me in the right direction. We are using RRAS and NPS to connect to an SSTP VPN. We have two separate RRAS servers in two separate AD sites. One of the servers works fine; the other is where we have the problem.
    When we connect from the client side we see the following error:
    "The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error."
    The only authentication method we have selected on both client and server side is MSCHAP-V2. Checking the security logs on the RRAS server shows the following:
    The Network Policy Server was unable to connect to a domain controller in the domain where the account is located. Because of this, authentication and authorization for the RADIUS request could not be performed.
    Now, the RRAS server is in the same IP subnet as the domain controllers, so that should rule out any firewall or port problems. The IP settings on the RRAS Ethernet adapter have the primary and secondary DCs set as DNS servers.
    There are no problems visible on either DC; dcdiag reports no errors and replication is working fine.
    Currently we are having to use RADIUS to bounce the authentication over to the RRAS server in the separate site to authenticate. The Network Policy Server is registered in Active Directory, and all servers are running Server 2012 R2.
    I ran a Network Monitor trace and I can see that when the VPN connection is initiated the DCs respond with EPT_S_NOT_REGISTERED.
    Also, if I log on to the RRAS server first and then initiate a VPN connection using the same account, it works.
    This happens sporadically and usually reoccurs after a Windows update and reboot cycle. In the past this has been resolved by rebooting the domain controllers; however, this hasn't helped this time.
    Any help would be much appreciated.

  • #2
    On the Security tab of the VPN properties on the client, is the VPN type set correctly?
    A recent poll suggests that 6 out of 7 dwarfs are not happy

  • #3
    Hi, thanks for the reply. Yes, the type is set to SSTP on the client side.

  • #4
    Have you seen this article, which lists suggestions to help resolve EPT_S_NOT_REGISTERED (endpoint mapping) problems:

    https://support.microsoft.com/en-us/kb/2089874

  • #5
    I did see that, thanks. The thing is, there are no Active Directory replication problems. All of the nslookup tests I have done also produce the correct IPs of all servers involved.

  • #6
    Bleurgh... I wonder what changes when you log onto the RRAS server to allow it to be contacted on the network. Something must be kicking it into life.

  • #7
    Bleurgh indeed, it's the most frustrating problem I've ever come across. The thing is, I can log on to the RRAS server fine (via console). If it wasn't for the RRAS issue you wouldn't know there was any kind of issue contacting the DC. The other part that makes it strange is that we are currently using RADIUS to bounce the authentication over to another AD site; the DC in the other site is still a part of the same domain and is replicating with the two 'problem' DCs. I would have thought that if the issue was related to DNS or SRV records it would affect all DCs in the domain.
    It's almost as though the problem is with impersonation or delegation.
    Really appreciate you taking the time to look at this.

  • #8
    Is an account usually logged in on the RRAS server? Would leaving a dedicated locked-down account logged in help until you discover the cause?

  • #9
    At the moment we have the workaround of using RADIUS to bounce the authentication to the DC in a different site. I'm more concerned that whatever the problem is might have a knock-on effect on our other services.

  • #10
    The problem turned out to be an incorrect name setting in the 'MACHINE DN NAME' registry string in the 'HKLM>System>CurrentControlSet>Services>NTDS>Parameters' section of the registry on one of the domain controllers.
    Such an odd problem that no one will probably ever have it, but the solution was to correct the DC and site name in the registry string and restart the DC; after that everything started working properly.
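The mismatch described in #10 can be checked across a whole domain before it bites NPS. The script below is an added example, not code from anyone in this thread: it compares each DC's `Machine DN Name` registry value with the NTDS Settings DN that Active Directory itself holds for that DC. It assumes the ActiveDirectory RSAT module, WinRM access to each DC, and an account with read rights to the DCs' registry.

```powershell
# Added example (not from the thread). Compares the 'Machine DN Name' value under
# HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on every DC with the
# NTDS Settings DN that AD holds for that DC (Get-ADDomainController exposes it
# as NTDSSettingsObjectDN). A mismatch is the condition found in post #10.
# Assumes: ActiveDirectory module, WinRM to each DC, registry read rights.
Import-Module ActiveDirectory

function Test-NtdsMachineDnName {
    param(
        # Default: every DC in the current domain.
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
            Select-Object -ExpandProperty HostName)
    )

    foreach ($dc in $DomainController) {
        # What AD believes: the DN of this DC's NTDS Settings object. It embeds
        # both the server name and the site name, so either being wrong shows up.
        $adObj    = Get-ADDomainController -Identity $dc
        $expected = $adObj.NTDSSettingsObjectDN

        # What the DC's own registry says, read remotely so all DCs can be
        # checked from one console.
        $actual = Invoke-Command -ComputerName $dc -ScriptBlock {
            (Get-ItemProperty `
                -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                -Name 'Machine DN Name').'Machine DN Name'
        }

        [pscustomobject]@{
            DomainController = $dc
            Site             = $adObj.Site
            RegistryValue    = $actual
            ExpectedValue    = $expected
            Match            = ($actual -eq $expected)   # DN comparison is case-insensitive
        }
    }
}

# Report only DCs whose registry disagrees with AD; no output means all DCs are consistent.
Test-NtdsMachineDnName | Where-Object { -not $_.Match } | Format-List
```

Run it from a management host rather than on a DC, and treat any reported mismatch as something to correct on the DC itself, followed by the restart described in the thread.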
  • #11
    Wow - well done for discovering that one! Thanks also for posting back with the solution; it may help someone else.

  • #12
    No problem. It's such a specific problem that I doubt many other people will ever see it. But if it helps just one person avoid the months of pain I had, it will be worth it.
    Thanks for your help, I appreciate it.