Troubleshooting IAS Installation

The most common problems with IAS installation and their solutions are outlined here. In most cases, a valid user cannot log on and an error message appears in the Windows 2000 Event Viewer; the last group of problems covers the reverse case, in which a user who must be denied access is able to log on.

The error messages appear in bold type, and the possible solutions are described in the following paragraphs.

"Unknown user name or bad password."

"The specified user does not exist."

"The specified domain does not exist."

The user might have entered the wrong user name or password. Check the user's Windows 2000 user name and account password to make sure they are typed correctly and that the account is valid for the domain IAS is authenticating the user against.

Realm replacement might be set up incorrectly, or the rules might be in the wrong order (each rule is applied to the output of the previous one), so that the domain controller cannot recognize the user name. Adjust the realm replacement rules. For more information about realm names or configuring realm replacement, see your Windows 2000 Server information.

If the remote access server is a member of a domain and the user response does not contain a domain name, the domain name of the remote access server is used. To use a domain name that is different from that of the IAS server, on the computer that is running IAS, set the following registry value to the name of the domain that you want to use:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\BuiltIn\DefaultDomain

Caution

Do not use a registry editor to edit the registry directly unless you have no alternative. The registry editors bypass the standard safeguards provided by administrative tools. These safeguards prevent you from entering conflicting settings or settings that are likely to degrade performance or damage your system. Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting and require that you reinstall Windows 2000. To configure or customize Windows 2000, use the programs in Control Panel or Microsoft Management Console (MMC) whenever possible.

Some NASs automatically strip the domain name from the user name before forwarding the user name to a RADIUS server. Turn off the feature that strips the domain name from the user name. For more information, see your NAS documentation.
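The realm-rule ordering problem and the realm-stripping NAS described above, as an added example that is not part of the Windows 2000 documentation. It models the user name on its way from the user through the NAS and the realm replacement rules to the domain controller. The rule syntax is plain Python regular expressions (an assumption; the IAS dialog has its own pattern syntax), and the names, rules and default domain are constructed.

```python
# Added example, not part of the Windows 2000 documentation: a model of
# IAS realm replacement and of a NAS that strips the realm. Rule syntax is
# plain Python regular expressions (an assumption; the IAS dialog has its
# own pattern syntax); names, rules and default domain are constructed.
import re


def apply_realm_rules(user_name, rules):
    """Apply (pattern, replacement) rules in list order.

    Each rule works on the output of the previous one, which is why
    the order of the rules matters.
    """
    for pattern, replacement in rules:
        user_name = re.sub(pattern, replacement, user_name)
    return user_name


def split_domain(user_name):
    """Return (domain, account) in the DOMAIN\\account form the domain
    controller expects, or (None, account) when no domain is present."""
    if "\\" in user_name:
        domain, account = user_name.split("\\", 1)
        return domain, account
    return None, user_name


def nas_forward(user_name, strips_realm):
    """Model a NAS that may strip everything after '@' before it
    forwards the User-Name to the RADIUS server."""
    return user_name.split("@", 1)[0] if strips_realm else user_name


def resolve(user_name, rules, strips_realm=False, default_domain="IASHOST"):
    """Name as typed -> as forwarded by the NAS -> after the realm rules
    -> (domain, account). With no domain left in the name, IAS falls back
    to its own domain (or the DefaultDomain registry value), modelled
    here by default_domain."""
    forwarded = nas_forward(user_name, strips_realm)
    rewritten = apply_realm_rules(forwarded, rules)
    domain, account = split_domain(rewritten)
    return (domain or default_domain), account


# Two rules an administrator might configure for users who dial in through
# an ISP that prefixes names with "isp/" and who type their realm as
# user@example.com:
#   1. strip the ISP prefix         isp/alice@example.com -> alice@example.com
#   2. map the realm to the domain  alice@example.com     -> EXAMPLE\alice
GOOD_ORDER = [
    (r"^isp/", ""),
    (r"^(.*)@example\.com$", r"EXAMPLE\\\1"),
]
# The same rules in the wrong order: rule 2 fires first and captures the
# prefix as part of the account name, so rule 1 never matches afterwards.
BAD_ORDER = list(reversed(GOOD_ORDER))

if __name__ == "__main__":
    name = "isp/alice@example.com"
    print(resolve(name, GOOD_ORDER))                     # ('EXAMPLE', 'alice')
    print(resolve(name, BAD_ORDER))                      # ('EXAMPLE', 'isp/alice')
    print(resolve(name, GOOD_ORDER, strips_realm=True))  # ('IASHOST', 'alice')
```

The third call shows the NAS-stripping case: the realm is gone before the rules run, so the account is looked up in the IAS server's own domain rather than in EXAMPLE, and "The specified user does not exist" follows.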

"The authentication type is not supported on this system."

The user is trying to authenticate by using an authentication method that is not supported on this computer. For example, the user might be using an EAP type that has not been installed. Either install the missing EAP type on the IAS server or modify the dial-in profile to allow an authentication method that the server supports.

If a remote access policy denies access to the user, the following error messages might appear:

"The user's information did not match a remote access policy."

"The user is not allowed dial-in access to the network."

"User attempted an unauthorized authentication method."

"User tried to connect from an unauthorized calling station."

"User tried to dial-in outside of permitted hours."

"User tried to connect by calling an unauthorized NAS phone number."

"User tried to connect using an invalid port type."

"A constraint defined in the remote access policy failed."

A remote access policy might be denying access to the user. Check the policy list to make sure that you have not excluded users who must be granted access. Check the event log to see if the user is trying to connect with parameters not permitted by a remote access policy (for example, during an unauthorized time period, using an unauthorized port type, calling from an unauthorized phone number, or calling an unauthorized NAS phone number). You might have to revise the remote access policies accordingly to grant the user access.

Remote access policies might be in the wrong order. Authorization is granted or denied by the first policy whose conditions match the connection attempt. Use the Move Up button to move the policy that grants access to the users who are having trouble so that it is higher in the list.

"The user has exceeded the dial-in lockout count."

If remote access account lockout is enabled, previous failed access attempts might have caused the user account to be locked out. Account lockout is the defense against online password guessing, so first confirm that the failed attempts were the user's own mistakes rather than someone else trying the account. Then either wait for the reset time to expire, clear the locked-out account's entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout on the IAS server, or, if legitimate users are locked out routinely, increase the dial-in lockout count.

"The user's account is currently locked out and might not be logged on to."

The user's account is locked out and cannot be validated.

"The user is not allowed dial-in access to the network."

The user might be denied dial-in access. Check the user's account properties on the domain controller (or in Local Users and Groups) to see that dial-in access is granted for the user. If dial-in access is denied on the user account, the denial overrides any remote access policy that grants access.
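The evaluation order described above (the dial-in property on the user object first, then the remote access policies in list order with the first match deciding), as an added example that is not part of the Windows 2000 documentation. The condition names, the sample policies and the connection attempt are constructed; the same model explains the reverse problem later on this page, where a user who must be denied is let in because a granting policy sits above the denying one.

```python
# Added example, not part of the Windows 2000 documentation: a model of the
# order in which IAS authorizes a connection attempt. The dial-in property on
# the user object is checked first, then the remote access policies in list
# order, and the first policy whose conditions all match decides. The
# condition names, sample policies and attempt are constructed.
from datetime import time

ALLOW, DENY, CONTROL_BY_POLICY = "allow", "deny", "control-by-policy"


def matches(policy, attempt):
    """True only if every condition of the policy matches the attempt."""
    for name, wanted in policy["conditions"].items():
        if name == "groups":            # Windows-Groups: any listed group
            if not set(wanted) & set(attempt["groups"]):
                return False
        elif name == "hours":           # Day-And-Time-Restrictions window
            start, end = wanted
            if not (start <= attempt["time"] < end):
                return False
        elif attempt.get(name) != wanted:   # e.g. port type, calling station
            return False
    return True


def authorize(dial_in, policies, attempt):
    """Return (granted, reason).

    Deny on the user object overrides every policy. Otherwise the first
    matching policy applies: with Allow on the user object it grants,
    with Control access through Remote Access Policy its own setting
    decides. No matching policy means the attempt is rejected.
    """
    if dial_in == DENY:
        return False, "dial-in access denied on the user object"
    for policy in policies:          # list order is evaluation order
        if matches(policy, attempt):
            if dial_in == ALLOW or policy["grant"]:
                return True, policy["name"]
            return False, policy["name"]
    return False, "no remote access policy matched"


def move_up(policies, name):
    """Model the Move Up button: swap the named policy with the one above."""
    policies = list(policies)
    i = next(i for i, p in enumerate(policies) if p["name"] == name)
    if i > 0:
        policies[i - 1], policies[i] = policies[i], policies[i - 1]
    return policies


# Constructed policy list: a catch-all deny for evening hours sits above the
# policy that is supposed to let VPN users in.
POLICIES = [
    {"name": "Deny evening dial-in",
     "conditions": {"hours": (time(18, 0), time(23, 59))}, "grant": False},
    {"name": "Allow VPN users",
     "conditions": {"groups": ["VPN-Users"], "port": "Virtual (VPN)"},
     "grant": True},
]
ATTEMPT = {"groups": ["VPN-Users"], "port": "Virtual (VPN)", "time": time(20, 30)}

if __name__ == "__main__":
    print(authorize(CONTROL_BY_POLICY, POLICIES, ATTEMPT))
    # (False, 'Deny evening dial-in')  -- the first match wins
    print(authorize(CONTROL_BY_POLICY, move_up(POLICIES, "Allow VPN users"), ATTEMPT))
    # (True, 'Allow VPN users')
    print(authorize(DENY, move_up(POLICIES, "Allow VPN users"), ATTEMPT))
    # (False, 'dial-in access denied on the user object')
```

Moving the granting policy up fixes the VPN user; moving a denying policy up is the corresponding fix when a user is wrongly admitted.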

"The current configuration supports only local user accounts."

IAS is set up to authenticate against the local SAM, and the user is not a member of the local user database. In this case, add the IAS server to Active Directory.

"The user's account domain is unreachable."

"The server is unavailable."

"The specified domain did not exist."

"IAS could not access the Global Catalog."

There might be a communication problem between the NAS and IAS, or between IAS and the domain controller or Global Catalog server. Use the ping command to check the communication with the domain controller or Global Catalog server. If ping works, try to connect to the server by using the command net use \\servername\share. If no packet information appears in the IAS log, check the Windows 2000 event log to see whether the attempt times out.

The user might be using CHAP, but Active Directory might not be configured to store passwords by using reversible encryption. CHAP requires this because the server must compute the same MD5 response as the client from the cleartext password. To use CHAP authentication with IAS, configure the dial-in profile for a user or group to use CHAP. The NAS and the user's dialing program (such as Connection Manager) must also be configured to use CHAP authentication. You also need to enable Store password using reversible encryption (for the domain, or for the affected user accounts) on the domain controller.

Certain NASs do not recognize all the characters that IAS accepts for the shared secret. Try to change the shared secret to one with only alphanumeric characters, but keep it long: the shared secret keys the authenticators that protect every RADIUS packet between the NAS and IAS.

The NAS might be sending packets that do not correspond to the format expected by IAS.

Right-click Internet Authentication Service, and then click Properties. Make sure Log rejected or discarded authentication requests is selected, and then check the log to see if unexpected or malformed packets are being sent. If this is the case, you might need to set some vendor-specific attributes in IAS to solve communication problems with your NAS.

IAS cannot connect to the domain. Make sure IAS is authenticating against the correct domain name. If the domain name is correct, make sure that the IAS server is a member of that domain, or that there is a trust relationship between that domain and the domain to which the IAS server belongs.

IAS does not have permission to view user objects in Active Directory. Add the IAS server to Active Directory.

The user account is in an Active Directory forest that is different from the forest of which the IAS server is a member. Use a RADIUS proxy to route the authentication request to an IAS server that is a member of the other Active Directory forest.

The user is trying to connect with 128-bit encryption, and IAS has it enabled in a remote access policy, but Routing and Remote Access does not. Enable the Strongest security setting on the Routing and Remote Access server. (If you have not enabled it on this server before, you might need to install the Microsoft Encryption Pack.)

Your NAS might require the Framed-Routing attribute, but IAS does not send it by default. Add it to the dial-in profile.

To enable framed routing

  1. In IAS, click Remote Access Policies , and then double-click the policy that applies to the users who cannot log on.

  2. Click Edit Profile , click the Advanced tab, and then click Add .

  3. In the list of available RADIUS attributes, double-click Framed-Routing .

  4. In Attribute value , click None .

Your NAS might require Van Jacobson TCP/IP header compression. Configure IAS to work with Van Jacobson TCP/IP header compression.

To configure IAS to work with Van Jacobson TCP/IP header compression

  1. In IAS, click Remote Access Policies , and then double-click the policy that applies to the users who cannot log on.

  2. Click Edit Profile , click the Advanced tab, and then click Add .

  3. In the list of available RADIUS attributes, double-click Framed-Compression .

  4. In Attribute value , click Van Jacobson TCP/IP header compression .

If framed MTU is set on the NAS and not on IAS, users are not able to log on. Check your framed MTU settings on IAS, and make sure that they match the settings on your NAS.

To change framed MTU settings

  1. In IAS, click Remote Access Policies , and then double-click the policy that applies to the users who cannot log on.

  2. Click Edit Profile , click the Advanced tab, and then click Add .

  3. In the list of available RADIUS attributes, double-click Framed-MTU .

  4. Click Attribute value , and then type the value that matches the settings for your NAS.

If IAS is returning the Access-Accept packet by using a different network adapter than the one by which the Access-Request packet was received, the NAS does not recognize the packet, because it matches the reply by the address it sent the request to. In this event, check the network adapters and IP addresses configured on the IAS server.

If the request is returned through a RADIUS proxy, the proxy might not support certain extensions that are necessary to support some features. For example:

  • If you want your users to use EAP authentication, the RADIUS proxy must support digital signatures (the Message-Authenticator attribute defined in the RADIUS extensions).

  • If you want your users to connect using compulsory tunnels, the RADIUS proxy must support encryption of the tunnel password.

  • If you want connections to use Microsoft Encryption, the RADIUS proxy must support encryption of MPPE keys.

See your RADIUS proxy documentation to make sure that it supports the extensions necessary for the features that you want to use.

The following problems apply when a user who must be denied access is able to log on.

A remote access policy might be granting access to the user. Check the policy list to make sure that you have not included users who must be denied access.

Dial-in properties for the user object might be set to override the remote access policy. Check the dial-in properties for the user object.

Remote access policies might be in the wrong order. Authorization is granted or denied by the first policy whose conditions apply to the user who is trying to connect. Use the Move Up button to move the policy that denies access to the users so that it is higher in the list.

IAS is not set up to log rejected or discarded authentication requests. In the properties of Internet Authentication Service, select Log rejected or discarded authentication requests, and then check the log to see if any malformed packets are being logged.

The NAS might be configured with a different shared secret for RADIUS accounting than for authentication. IAS uses one shared secret per client for both, so make sure the NAS uses the same shared secret for accounting as for authentication.
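How the shared secret binds RADIUS packets, and so why a secret mismatch (between NAS and IAS, or between a NAS's accounting and authentication settings, as described above and under the shared-secret note earlier on this page) appears only as silently discarded requests, as an added example that is not part of the Windows 2000 documentation. The packet layout follows RFC 2865 and the Message-Authenticator attribute RFC 2869; the attribute values (including the Framed-MTU, Framed-Compression and Framed-Routing attributes from the procedures above), the secrets and the identifiers are constructed.

```python
# Added example, not part of the Windows 2000 documentation: how the shared
# secret binds RADIUS packets, and why a secret mismatch shows up as silently
# discarded requests. Packet layout follows RFC 2865, the Message-Authenticator
# attribute RFC 2869. Attribute values, secrets and identifiers are constructed.
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, FRAMED_ROUTING, FRAMED_MTU, FRAMED_COMPRESSION = 1, 10, 12, 13
MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; then 16-byte Authenticator


def attr(atype, value):
    """Encode one attribute as Type, Length, Value (integers are 4 bytes)."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    return bytes([atype, 2 + len(value)]) + value


def build_packet(code, identifier, authenticator, attrs):
    body = b"".join(attrs)
    return HEADER.pack(code, identifier, 20 + len(body)) + authenticator + body


def parse_attrs(packet):
    """Split the attribute area into (type, value) pairs; reject bad lengths."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def sign_request(identifier, request_authenticator, attrs, secret):
    """NAS side: Access-Request with Message-Authenticator = HMAC-MD5 keyed by
    the shared secret over the packet with that attribute's value zeroed."""
    zeroed = build_packet(ACCESS_REQUEST, identifier, request_authenticator,
                          attrs + [attr(MESSAGE_AUTHENTICATOR, bytes(16))])
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return build_packet(ACCESS_REQUEST, identifier, request_authenticator,
                        attrs + [attr(MESSAGE_AUTHENTICATOR, mac)])


def verify_request(packet, secret):
    """Server side. False means the packet would be silently discarded, which
    is what logging rejected or discarded requests makes visible."""
    if len(packet) < 20:
        return False
    code, identifier, length = HEADER.unpack(packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    try:
        attrs = parse_attrs(packet)
    except ValueError:
        return False
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    zeroed = build_packet(code, identifier, packet[4:20],
                          [attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v)
                           for t, v in attrs])
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])


def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """RFC 2865 Response Authenticator the NAS checks on an Access-Accept:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    head = HEADER.pack(code, identifier, 20 + len(body))
    return hashlib.md5(head + request_authenticator + body + secret).digest()


if __name__ == "__main__":
    secret = b"radius-shared-secret"                                # constructed
    req_auth = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed
    attrs = [attr(USER_NAME, b"EXAMPLE\\alice"),
             attr(FRAMED_MTU, 1500), attr(FRAMED_COMPRESSION, 1),   # 1 = VJ
             attr(FRAMED_ROUTING, 0)]                               # 0 = None
    packet = sign_request(7, req_auth, attrs, secret)
    print(verify_request(packet, secret))                   # True
    print(verify_request(packet, b"Radius-shared-secret"))  # False: one character off
    print(verify_request(packet[:-1], secret))              # False: length mismatch
    accept = response_authenticator(ACCESS_ACCEPT, 7, attrs, req_auth, secret)
    print(accept == response_authenticator(ACCESS_ACCEPT, 7, attrs, req_auth, secret))  # True
```

A request whose Message-Authenticator does not verify, or whose length field disagrees with the datagram, is discarded without an Access-Reject, so the NAS only sees a timeout; an accounting packet sent with the wrong secret fails the same way, which is why the accounting and authentication secrets must agree.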

The dial-in profile for the remote access policy might not be set up to permit CHAP authentication. Check the dial-in profile settings to be sure that IAS is set up for CHAP authentication. Check to see whether your NAS is set up for CHAP. For more information, see your NAS documentation. Also check to make sure the domain controller is configured to store passwords by using reversible encryption.

Passwords are not stored in a reversibly encrypted form until they are reset. Perform the following:

  • After you enable passwords to be stored in a reversibly encrypted form, the current passwords are not in a reversibly encrypted form and are not automatically changed. You must either reset user passwords or set user passwords to be changed the next time each user logs on.

  • After you switch the domain from mixed mode to native mode, every domain controller in the domain must be restarted so that the change replicates.

  • Restart the domain controllers so that the IAS servers can regain access to them.

When a Routing and Remote Access server is set to use RADIUS authentication, Remote Access Policies are accessible only from Internet Authentication Service. This is intentional behavior.
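Why CHAP needs passwords stored with reversible encryption, and why enabling that setting does nothing for existing accounts until their passwords are reset (the CHAP notes earlier on this page and the list just above), as an added example that is not part of the Windows 2000 documentation. CHAP follows RFC 1994 with MD5; the AccountStore is a constructed stand-in for the directory (it keeps a SHA-256 hash for one-way storage and the cleartext for reversible storage), not Active Directory's own format, and the user, password and challenge are constructed.

```python
# Added example, not part of the Windows 2000 documentation: why CHAP needs
# passwords stored with reversible encryption, and why enabling that setting
# does not help until the password is reset. CHAP follows RFC 1994
# (Response = MD5(Identifier || Secret || Challenge)); AccountStore is a
# constructed stand-in for the directory, not Active Directory's own format.
import hashlib
import hmac


class AccountStore:
    """Stand-in for the account database. Before reversible storage is
    enabled, only a one-way hash of the password is kept (SHA-256 here;
    the point is that it cannot be turned back into the cleartext)."""

    def __init__(self):
        self.reversible_enabled = False
        self.accounts = {}

    def set_password(self, user, password):
        if self.reversible_enabled:
            # Models "Store password using reversible encryption": the
            # cleartext is recoverable by the authenticator.
            self.accounts[user] = ("reversible", password)
        else:
            digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
            self.accounts[user] = ("one-way", digest)

    def cleartext(self, user):
        kind, value = self.accounts.get(user, (None, None))
        return value if kind == "reversible" else None


def chap_response(identifier, password, challenge):
    """Peer side of RFC 1994 CHAP with MD5."""
    data = bytes([identifier]) + password.encode("utf-8") + challenge
    return hashlib.md5(data).digest()


def verify_chap(store, user, identifier, challenge, response):
    """Authenticator side. Returns (ok, reason). Without the cleartext the
    expected response cannot be computed, which is the failure an IAS
    administrator sees when CHAP is allowed but the directory only holds
    one-way hashes."""
    if user not in store.accounts:
        return False, "user not found"
    password = store.cleartext(user)
    if password is None:
        return False, "password is not stored with reversible encryption"
    expected = chap_response(identifier, password, challenge)
    return hmac.compare_digest(expected, response), "response checked"


def walkthrough(password="S3cret!", wrong="S3cret?"):
    """Run the sequence from the text and return the outcome of each step."""
    challenge = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed
    store = AccountStore()
    store.set_password("alice", password)           # set before the change
    response = chap_response(1, password, challenge)
    results = {}
    results["before enabling"] = verify_chap(store, "alice", 1, challenge, response)
    store.reversible_enabled = True                 # policy changed ...
    results["after enabling"] = verify_chap(store, "alice", 1, challenge, response)
    store.set_password("alice", password)           # ... and password reset
    results["after reset"] = verify_chap(store, "alice", 1, challenge, response)
    bad = chap_response(1, wrong, challenge)
    results["wrong password"] = verify_chap(store, "alice", 1, challenge, bad)
    return results


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step:16s} -> {outcome}")
```

MS-CHAP does not have this requirement because its response is derived from the NT hash of the password, which the directory keeps in any case; plain CHAP is the method that forces cleartext-recoverable storage, and that storage weakens every account it covers, so enable it only for the accounts that must use CHAP.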

For more information on troubleshooting IAS, see Windows 2000 Server Help.