RRAS does not authenticate Users
Created 2001-04-09 by Rainer Gerhards.
Question:
My RRAS server has joined a Windows 2000 domain and now no longer
authenticates users. As long as I use local accounts to connect to RRAS,
all works well. But I cannot use domain accounts to connect to RRAS. If I do, I
receive some of these errors:
Event id: 20073
Source: Router
Description: The following error occurred in the Point to Point
Protocol module on port: port number, UserName: user
name. The authentication server did not respond to
authentication requests in a timely fashion.
The RAS client receives these error codes:
- Error 619, "The port was disconnected."
- Error 645, "Dial-Up Networking could not complete the connection to
the server."
Answer:
This behaviour is by design. It occurs because the account you were
logged on with at the time you joined the domain did not have administrator
privileges on the Windows 2000 domain. Because of this, services that could
easily compromise network security, such as RRAS, deny clients the ability to
obtain access to the domain. To fix it, add the RRAS computer to the appropriate
group:
- Log on to your Windows 2000-based computer with an account that has
administrator privileges on the Windows 2000 domain.
- Launch the Active Directory Users and Computers MMC snap-in, and
then double-click your domain name.
- Double-click the Users folder, and then double-click the RAS and
IAS Servers security group.
- Select the Members tab.
- Add the RRAS server to this group.
Alternative methods are available in a Microsoft
Knowledge Base article on this issue.
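
The group-membership steps above can also be scripted and verified. The following PowerShell is an added example, not part of the original FAQ or of Microsoft's article. It assumes a domain where the ActiveDirectory module is available, that event 20073 is written to the System log, and a placeholder server name (RRAS01).

```powershell
# Added example. Assumes the ActiveDirectory module (RSAT) is installed and the
# session runs under an account with administrator privileges on the domain.
param(
    [string]$RrasServer = 'RRAS01',               # placeholder computer name
    [string]$GroupName  = 'RAS and IAS Servers'   # group named in the steps above
)

Import-Module ActiveDirectory -ErrorAction Stop

# Resolve both objects first so a typo fails before anything is changed.
$computer = Get-ADComputer -Identity $RrasServer -ErrorAction Stop
$group    = Get-ADGroup    -Identity $GroupName  -ErrorAction Stop

function Test-RrasRegistered {
    # True when the RRAS computer account is a direct member of the group.
    $dns = @(Get-ADGroupMember -Identity $group | ForEach-Object { $_.DistinguishedName })
    return $dns -contains $computer.DistinguishedName
}

if (Test-RrasRegistered) {
    Write-Output "$($computer.Name) is already a member of '$GroupName'."
}
else {
    Add-ADGroupMember -Identity $group -Members $computer -ErrorAction Stop
    if (-not (Test-RrasRegistered)) {
        throw "Membership change for $($computer.Name) could not be confirmed."
    }
    Write-Output "Added $($computer.Name) to '$GroupName'."
}

# Show the most recent occurrences of the symptom (event ID 20073) on the RRAS
# server, so new entries after the change are easy to spot.
# Assumption: the event is recorded in the System log.
$filter = @{ LogName = 'System'; Id = 20073 }
$events = Get-WinEvent -ComputerName $RrasServer -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, ProviderName, Message | Format-List
}
else {
    Write-Output "No event 20073 entries found in the System log on $RrasServer."
}
```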