Why can't AD users in a trusted domain authenticate to PPTP VPN?

By jcmccain
Here's a situation I've been trying to resolve for some weeks now:

I have two Active Directory domains with a two-way trust between them. I'll call them Domain A and Domain B. I'd like users in Domain B to use an Exchange mailbox hosted in Domain A and I've configured that successfully. However, the users from Domain B cannot authenticate when they attach to the PPTP VPN server hosted in Domain A. When they try, they receive an Error 930.

I have tried:
- adding the Domain Controllers from Domain B to the RAS and IAS groups in Domain A
- adding the PPTP server to the RAS and IAS server groups in Domain B
- adding Anonymous and Everyone to Domain B's Pre-Windows 2000 Compatible Access group

The servers involved are:
Domain A:
Windows 2000 Functional level

Server A: Windows 2000 SP4 Domain Controller and RRAS server
(accepts PPTP connections)
Server B: Windows 2000 SP4 Domain Controller
not Server C: Windows 2003 Domain Controller

Domain B:
Windows 2000 Functional level
All DCs are Windows 2003

Any help is appreciated!



All Answers

by CG IT In reply to Why can't AD users in a t ...

You need to look at your RRAS rules. RRAS rules govern how and who can and cannot authenticate and thus gain access. A trust relationship isn't a factor for RRAS rules, depending upon what rules you have created in RRAS and how users authenticate.

Where can I find the rules?

by jcmccain In reply to RRAS

Thanks for the quick response!

I'm not sure what rules you are referring to. Do you mean the Remote Access Policies? The RRAS server is a stock setup, so the only policy is "allow access if dial-in permission is enabled." That is set to 1 and the users in question have dial-in enabled.


So they dial up to contact the RRAS server?

by CG IT In reply to Where can I find the rule ...

If you only have a policy for dial up, then the other methods of connecting will be denied.

Note: I use "rules" to mean "policies". The RRAS policies are rules in the form of "if this, then that" statements that determine whether access is granted. Example: if you did not create a policy allowing PPTP connections, the rule is "if this connection is PPTP, then deny", which is the default. The default policy is to deny, as a security measure.

Users from Domain A successfully connect to the VPN

by jcmccain In reply to so they dial up to conta ...

Ok, I just wanted to confirm that we were talking about the same thing and I wasn't missing something.

One piece of additional information I should have mentioned initially: users from Domain A successfully connect to the VPN with this method. Users are connecting over the internet (not dialing in over a phone line).

The way the policy works, it looks at the user's dial-in setting to determine whether or not to allow the VPN connection. It's not specific to the protocol being used.

Refer to the Microsoft TechNet article "Introduction to Remote Access Policies"

by CG IT In reply to Users from Domain A succe ...

This should explain how policies determine who can access remotely and why a trusted domain doesn't automatically allow remote access.

Additional Info

by jcmccain In reply to Why can't AD users in a t ...

Domain A users connect successfully. When the Domain B users fail to connect, the PPTP server application log shows a RemoteAccess 20073 error message:
The following error occurred in the Point to Point Protocol module on port: VPN2-16, UserName: DomainB\username. The authentication server did not respond to authentication requests in a timely fashion.
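The RemoteAccess 20073 message quoted above has a fixed shape (port, UserName, then the reason text), so it is straightforward to pull the failing logons out of an exported Application log and group them by the domain in the UserName field. That makes it easy to confirm the pattern the poster describes (only DomainB\ users hitting the "authentication server did not respond" failure) before touching trust or policy settings. The script below is an added example, not code from the thread; the log lines in SAMPLE_EVENTS are constructed for illustration and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample Application-log messages in the RemoteAccess 20073
# format quoted in the thread. These are made-up entries, not real log data.
SAMPLE_EVENTS = [
    "The following error occurred in the Point to Point Protocol module on port: "
    "VPN2-16, UserName: DomainB\\alice. The authentication server did not respond "
    "to authentication requests in a timely fashion.",
    "The following error occurred in the Point to Point Protocol module on port: "
    "VPN2-3, UserName: DomainB\\bob. The authentication server did not respond "
    "to authentication requests in a timely fashion.",
    "The following error occurred in the Point to Point Protocol module on port: "
    "VPN2-7, UserName: DomainA\\carol. The authentication server did not respond "
    "to authentication requests in a timely fashion.",
    "The following error occurred in the Point to Point Protocol module on port: "
    "VPN2-9, UserName: dave. The authentication server did not respond "
    "to authentication requests in a timely fashion.",
]

# Matches the port and UserName fields of a 20073 "did not respond" message.
# The UserName may or may not carry a DOMAIN\ prefix.
EVENT_RE = re.compile(
    r"on port: (?P<port>\S+), UserName: (?P<user>[^.]+?)\. "
    r"The authentication server did not respond"
)


def parse_event(message):
    """Return {'port', 'domain', 'account'} for a 20073 timeout message, or None."""
    m = EVENT_RE.search(message)
    if not m:
        return None
    user = m.group("user")
    if "\\" in user:
        domain, account = user.split("\\", 1)
    else:
        # No prefix: RRAS logged a bare account name (typically its own domain).
        domain, account = "", user
    return {"port": m.group("port"), "domain": domain, "account": account}


def failures_by_domain(messages):
    """Count 'authentication server did not respond' failures per user domain."""
    counts = Counter()
    for msg in messages:
        ev = parse_event(msg)
        if ev is not None:
            counts[ev["domain"] or "(no domain prefix)"] += 1
    return dict(counts)


if __name__ == "__main__":
    for domain, n in sorted(failures_by_domain(SAMPLE_EVENTS).items()):
        print(f"{domain}: {n} timeout(s)")
```

Feed it the message text of each RemoteAccess 20073 event (for example the output of a saved .evt export or a `wevtutil`/Event Viewer CSV export with the message column) instead of SAMPLE_EVENTS. If the counts are concentrated on the trusted domain while Domain A users never appear, the failure is in how the RRAS box reaches Domain B's authentication path rather than in the per-user dial-in flag, which is exactly the distinction the thread is circling around.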

Sounds like

by CG IT In reply to Additional Info

Domain B isn't a trusted domain of Domain A.

Except, it is.

by jcmccain In reply to sounds like

Users can authenticate in either direction inside the domain for a variety of purposes, like, as stated in my initial post, accessing their email.

So Domain B users have remote access permission?

by CG IT In reply to Except, it is.
