Frequently Asked Questions

Updated: April 8, 2009

Applies To: Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 Foundation, Windows Server 2008 R2, Windows Server 2012, Windows Vista

The following are some of the most frequently asked questions regarding Connection Manager and the Connection Manager Administration Kit (CMAK). These questions are based on actual calls to Microsoft product support services and might save you time and effort.

Unexpected profile actions

Profile administration

Profile creation and development

Cause: The server running Routing and Remote Access cannot connect to the authentication server.

Solution: Verify connectivity between the server running Routing and Remote Access and the authentication server.

Cause: The authentication server has been improperly specified or configured for dial-up access.

Solution: Verify that the authentication server specified in the connection profile is correct. Check the user account and make sure that dial-up access has been enabled. Look up any Group Policy rules that might restrict access by time or date.

Cause: Settings for one or more dial-up entries have been improperly specified.

Solution: Check the security settings for each dial-up entry, including component connection profiles. The simplest way to do this is to run the CMAK wizard and choose to edit the connection profile. If the profile is for a VPN connection, then change the VPN settings under Create or Modify a VPN Entry, click each entry, and choose Edit. On the Security tab, make sure that all of the security settings are properly specified. If the connection is dial-up, then when you reach Configure Dial-up Networking Entries, click each entry, and choose Edit. On the Security tab, make sure that all of the security settings are properly specified.

Solution: Make sure that the phone book files (.pbk) have the correct settings for each dial-up entry. For each phone book you include in the connection profile, open the .pbk file, and check the Dial-up Networking entry field, which is the eleventh field, in each POP. Make sure that this field is specified appropriately for each POP in each phone book.

See also:  Advanced Customization

Cause: Prefix and suffix information might have been specified differently in one or more of the component profiles merged into the issued connection profile.

Solution: Check the UserNamePrefix and UserNameSuffix keys in every .cms file in the connection profile. A value for this key specified in the component profile will override the top-level connection profile settings.

See also:  Merging Phone Books and Other Features from Existing Connection Profiles; Providing a Realm Name; Advanced Customization

Cause: Certificates are invalid or missing.

Solution: Delays in excess of one minute often indicate a failure in the L2TP/IPSec protocol negotiation. Make sure all connection profile users have the newest certificates installed on their computers.

Cause: A round robin server solution is causing delays in authentication.

Solution: If you are using a round robin server solution for L2TP/IPSec VPN servers, a failure to authenticate on one or more servers can result in variable delays. Depending on the profile settings, Connection Manager might redial each VPN server multiple times. Make sure that each VPN server is configured to accept the profile and that each server is responding.

Cause: The connection profile contains improper post-connect actions.

Solution: Check the [Connect Actions] section in the connection profile's .cms files for proper behavior on target platforms.

See also:  Incorporating Custom Actions

Cause: The routing table update file is attempting to delete a route that does not exist.

Solution: Check the routing table update file for outdated or inaccurate route changes.

See also:  Including Routing Table Updates

Cause: The ISDNDialMode key value is not set to bind dual channels.

Solution: Use advanced customization techniques to change the value of the ISDNDialMode key to the appropriate value and reissue the profile.

See also:  Advanced Customization; Connection Manager Keys

Cause: The settings in component connection profiles conflict.

Solution: Check phone book filtering. Your region settings might not be the same in all phone book region (.pbr) files. If you are using custom service types in any or all phone books, you need to apply these to each .cms file.

Solution: Check the realm name information in each .cms file included in the merged connection profile. Any realm information in a component profile will be overridden by realm information specified in the .cms file of the top-level profile. You should leave the realm name field in the top-level connection profile blank if you need to merge profiles with different realm information.

Solution: Check the tunnel addressing information. Tunnel addressing information specified for the top-level connection profile is used for all phone books merged into it.

Solution: Check the settings for the DUN and TUNNELDUN keys in all the .cms files included in the merged connection profile. The default dial-up settings originate in the .cms file associated with the user-selected phone book, while VPN settings originate from the top-level .cms file.

See also:  Advanced Customization; Providing a Realm Name; Implementing VPN Support; Merging Phone Books and Other Features from Existing Connection Profiles

Cause: Internet Explorer is improperly configured for your service.

Solution: Assist your users in changing their Internet Explorer options. In Internet Explorer, click the Tools menu. Click Internet Options, click the Connections tab, and choose the appropriate dial-up option. Your profile might work best if a connection is never dialed (the default option), or if a connection is dialed only when an Internet-based program is started and a network connection is not present.

Cause: Custom actions requiring Internet access continue to run after the connection has been terminated.

Solution: Test the connection profile to make sure that all custom actions terminate properly. If necessary, reissue the connection profile after you add a disconnect action that ensures that programs terminate properly.

See also:  Incorporating Custom Actions

Cause: The installation of the Connection Manager 1.4 software did not complete correctly. Mismatched Connection Manager software binaries are causing the connection software to fail.

Solution: Instruct the user to uninstall the Connection Manager software and then to reinstall the profile. To uninstall Connection Manager, click Start, point to Settings, click Control Panel, double-click Add or Remove Programs, click Microsoft Connection Manager, and click Remove. This process restores the Windows 2000 Connection Manager binaries on the user’s computer. The user should then reinstall the Connection Manager connection profile that includes the updated Connection Manager 1.4 software.

See also:  Troubleshooting Process; Adding Connection Manager 1.4 to the Connection Profile

Cause: Custom actions have not been enabled to run when users log on to Windows with your connection profile.

Solution: Check whether you need to change user registry settings in order to run custom actions when users log on to Windows with your profile. Consider issuing a profile without custom actions for use in logging on to Windows.

See also:  Incorporating Connection Manager with Logon Security

Cause: Connection Manager treats "Log on using dial-up connection" as a separate user with limited permissions. Settings applied to "Log on using dial-up connection," such as proxy configuration, are not applied to individual user accounts after logging on.

Solution: Consider advising your users to log on to their local computers before using a Connection Manager profile to log on to your domain.

See also:  Incorporating Connection Manager with Logon Security

Cause: Improperly set Internet proxy settings is preventing phone book downloads.

Solution: Check the proxy settings for the connection profile. If you are using automatic proxy configuration in your connection profile, check those settings and the proxy server.

See also:  Using Automatic Proxy Configuration

Cause: One or more Phone Book Service (PBS) servers is out of service.

Solution: Check the log files on your PBS servers for error messages.

Cause: A URL in the connection profile points to a server that cannot be found.

Solution: Check the URLs specified in the connection profile. You can do this by editing the profile in the CMAK wizard or by checking the settings directly in the [ISP] section of the .cms file. If the profile in question was created by merging other connection profiles, check the URLs in all the .cms files used by the profile.

See also:  Advanced Customization; Providing Phone Book Support; Merging Phone Books and Other Features from Existing Connection Profiles

Cause: Updated profiles cannot overwrite user settings.

Solution: Populate the credentials in the .cmp file of the connection profile when you create it. Run the CMAK wizard again. Issue the new connection profile to your users. Include a custom uninstallation and reinstallation package or instructions on how to uninstall the old connection profile and install the new version.

Solution: Write a custom pre-tunnel action that adjusts the VPN address in the .cms file as needed. This feature might not be available in future releases. Consider the security implications of dynamically changing a VPN address before you implement this solution.

See also:  Incorporating Custom Actions

Solution: To create a VPN-only profile, start the CMAK wizard. Select the Phone book from this profile check box on the VPN Support pane, and specify a VPN server or a VPN file. Configure the VPN entry or entries with the correct security and addressing information for your network. Do not specify a phone book file on the Phone Book pane, and clear the Automatically download phone book updates check box. You do not need to configure the default dial-up entry for the profile. On the last pane of the wizard, select the Advanced Customization check box. On the Advanced Customization pane, click the profile .cms file, click the [Connection Manager] section, and set the value of the Dialup key to zero. Click Apply, and finish the wizard. This will create a VPN-only profile, without a General tab in the Properties dialog box for the profile. Users of your profile will not see any phone or dialing information.

See also:  Implementing VPN Support; Incorporating VPN Entries

Solution: Dial-up entry names identify combinations of networking settings. You can specify different networking settings for each dial-up entry. You usually name dial-up entries on the Settings tab of the Add POP pane of Phone Book Administrator. Those names appear on the Dial-up Networking Entries page of the CMAK wizard. Connection Manager uses a dial-up entry to determine which combination of networking settings are required for a connection profile.

See also:  Incorporating Custom Dial-Up Entries

Solution: Create two phone books, one for a direct dial connection and the other for a VPN tunnel to your network. Create a profile with your direct dial phone book. Create a top-level profile that merges the direct dial profile and incorporates the VPN phone book. On the VPN Support page, select the Phone book from this profile check box.

See also:  Merging Phone Books and Other Features from Existing Connection Profiles; Implementing VPN Support

Solution: Use advanced customization techniques to assign values to the keys for which you want to provide first-time use data, such as Username. These keys must be assigned in the .cmp file, and they will only be available the first time the profile is used. For passwords, you must edit three keys: PCS, RememberPassword, and Password. The PCS key should always be set to 0; the values of the other keys will vary according to your profile needs. If you want this password to be available to all users who connect from the same computer, you must edit an additional key, KeepDefaultCredentials. If this key is not set to the appropriate value, only the person who installs this profile will have access to the credentials you provide for first-time use. Consider the security implications of providing a password for the first user who installs and uses the profile.

See also:  Advanced Customization

Solution: You can use the Multi-User Language Interface (MUI) with the CMAK wizard to build a Connection Manager profile in a language other than the one installed with your operating system. You can include the Connection Manager software with that profile, but Connection Manager will appear in the language installed with your operating system, not in the MUI language. You can choose not to include the Connection Manager software with the profile, but your users might not have access to all the current features of Connection Manager.

To include a version of Connection Manager in the same language as the profile, you must build the profile using the CMAK wizard on an operating system that was installed with the appropriate language. The CMAK wizard comes with Windows Server 2008 R2, Windows Server 2008, and Windows Server 2003. You can also install the CMAK wizard on Windows XP Professional, Windows Vista, with the appropriate Windows Server Administration Tools Pack, or on Windows 7 (32-bit only) by installing CMAK as an optional Windows Feature.

See also:  Creating Profiles in Multiple Languages

Community Additions