Cannot connect to a VPN server - authentication failed with error code 691


Solution 1

Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

I think that's your problem right there. Verify that the account has the correct permissions to connect remotely via RRAS. These links might help you. Note that articles that apply to 2003 may still apply to 2008r2 (according to MSFT). Also note that I make no claim to being a subject matter expert....

http://technet.microsoft.com/en-us/library/cc754634(WS.10).aspx

http://technet.microsoft.com/en-us/library/cc775658(WS.10).aspx

http://technet.microsoft.com/en-us/library/cc759294(WS.10).aspx

http://technet.microsoft.com/en-us/library/dd637783(WS.10).aspx

Solution 2

I had this problem so I'll go ahead and tell you what it was for me. My password (given to us by our host) had a $ in it. I was copy-pasting the password from an rdp shell script that had escaped the $ with a \. I was mentally forgetting the reason for \ and thinking it was literal. I spent hours working on authentication when in reality, I need only remove the back-slash escaping of the dollar sign.

Not sure if that's your problem -- but good luck.
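The escaping this answer describes, as an added example that is not part of the original answer. The password `S3cret$Host1` and the function names are constructed for illustration; the block shows what a double-quoted shell string actually sends versus what you see in the script source, plus a check for a pasted value that still carries shell escapes.

```shell
#!/bin/sh
# Constructed sample, not a real credential: the characters you see when you
# open a script containing   PASSWORD="S3cret\$Host1"
SCRIPT_TEXT='S3cret\$Host1'

# Value the shell hands to the program at run time. Inside double quotes a
# backslash is dropped only when it precedes $ ` " or \ (escaped newlines
# are not handled here).
dq_value() {
    printf '%s' "$1" | sed 's/\\\([$`"\\]\)/\1/g'
}

# The same string evaluated by the shell itself, with the escape ...
with_escape() {
    printf '%s' "S3cret\$Host1"
}

# ... and without it: $Host1 is read as an (unset) variable and vanishes,
# which is why the script author added the backslash in the first place.
without_escape() {
    ( unset Host1; printf '%s' "S3cret$Host1" )
}

# Returns 0 when a value still contains a shell escape sequence, i.e. it was
# probably copied from script source rather than being the real password.
looks_shell_escaped() {
    printf '%s' "$1" | grep -q '\\[$`"\\]'
}

printf 'as written in the script : %s\n' "$SCRIPT_TEXT"
printf 'as sent by the script    : %s\n' "$(dq_value "$SCRIPT_TEXT")"
printf 'if it were not escaped   : %s\n' "$(without_escape)"
if looks_shell_escaped "$SCRIPT_TEXT"; then
    printf 'warning: pasted value still contains shell escapes\n'
fi
```

Typing the "as written" form into a VPN client sends a literal backslash, so the server sees a different password and rejects the logon.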

Solution 3

I solved this by changing the Dial-In properties of the user. By default it was set to managed by NPS server. Clicking "Allow access" solved my issue.

Author by

stacker


Updated on September 17, 2022

Comments

  • stacker
    stacker over 1 year

    When trying to connect to a VPN server, I get the 691 error code on the client, which says:

    Error Description: 691: The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.

    I validated that the username and password are correct. I also installed a certification to use with the IKEv2 security type. I also validated that the VPN server supports the security method.

    But I cannot login. In the server log I get this log:

    Network Policy Server denied access to a user.

    The user DomainName\UserName connected from IP address but failed an authentication attempt due to the following reason: The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.

    Any idea what I can do? Thanks in advance!

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          12/29/2010 7:12:20 AM
    Event ID:      6273
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      VPN.domain.com
    Description:
    Network Policy Server denied access to a user.
    
    Contact the Network Policy Server administrator for more information.
    
    User:
      Security ID:          domain\Administrator
      Account Name:         domain\Administrator
      Account Domain:           domani
      Fully Qualified Account Name: domain.com/Users/Administrator
    
    Client Machine:
      Security ID:          NULL SID
      Account Name:         -
      Fully Qualified Account Name: -
      OS-Version:           -
      Called Station Identifier:        192.168.147.171
      Calling Station Identifier:       192.168.147.191
    
    NAS:
      NAS IPv4 Address:     -
      NAS IPv6 Address:     -
      NAS Identifier:           VPN
      NAS Port-Type:            Virtual
      NAS Port:         0
    
    RADIUS Client:
      Client Friendly Name:     VPN
      Client IP Address:            -
    
    Authentication Details:
      Connection Request Policy Name:   Microsoft Routing and Remote Access Service Policy
      Network Policy Name:      All
      Authentication Provider:      Windows
      Authentication Server:        VPN.domain.home
      Authentication Type:      EAP
      EAP Type:         Microsoft: Secured password (EAP-MSCHAP v2)
      Account Session Identifier:       313933
      Logging Results:          Accounting information was written to the local log file.
      Reason Code:          16
      Reason:               Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
    
  • stacker
    stacker over 13 years
    Administrator account should have remote access permissions. But thanks for your answer, I'll take a look in the links.
  • Holocryptic
    Holocryptic over 13 years
    @stacker, you're right in that the admin account should have access, but I've had issues where I had to grant the administrator account explicit permissions to get regular RDP to work. It might be something to look into.
  • stacker
    stacker over 13 years
    right. I looked into it, and it has the permission. Both in the user setting on the Dial-In tab it has "allow access", and also in NPS network policy. I took it further in the network policy, and checked "accept users without validating credentials" but I got the same error. Errr... what should I look into next?
  • Holocryptic
    Holocryptic over 13 years
    @stacker, I don't have anything off the top of my head, but I'll take some time later tonight to do some looking around. Can't promise anything though...
  • Henno
    Henno almost 6 years
    This helped me, too.
  • JoeCool
    JoeCool almost 4 years
    Oh yeah, Stacker is asking before being sure that user-password were correct. That was the problem. I can't understand why he didn't mark your answer as correct. (Just being ironic BTW).