LT2P/IPsec RAS VPN connections fail when using MS-CHAPv2
This article resolves the issue that L2TP/IPsec VPN connections to a Windows RAS Server fail when using the MS-CHAPv2 authentication.
Original product version: Windows Server 2012 R2
Original KB number: 2811487
L2TP/IPsec VPN connections to a Windows RAS Server fail when using the MS-CHAPv2 authentication method. Other symptoms include the end user may receive an error message like this one:
error 691 "The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.
Additionally, the domain user's bad password count can increment, resulting in an account lockout.
This issue can occur when the LmCompatibilityLevel settings on the authenticating DC have been modified from the defaults.
For example, when you set this value to 5 (Send NTLMv2 response only. Refuse LM & NTLM), the DC won't accept any requests that use NTLM authentication. When MS-CHAP or MS-CHAPv2 are configured, RAS in Windows Server 2008 R2 will default to NTLM to hash the password. Because the DC only accepts NTLMv2, the request will be denied.
Other tests you can perform to confirm this issue include:
- Test a clear text method such as PAP. As the password is not hashed authentication should succeed
(WARNING: PAP authentication should be used for testing only)
- Test MS-CHAPv2 by using credentials configured locally on the RAS server. Because no request is sent to the DC in this scenario, authentication should succeed.
If you must use MS-CHAPv2, you can enable NTLMv2 authentication by adding this registry entry:
- Select Start > Run, type regedit in the Open box, and then select OK.
- Locate and select the following registry subkey:
- On the Edit menu, point to New, and then select DWORD Value.
- Type Enable NTLMv2 Compatibility, and then press ENTER.
- On the Edit menu, select Modify.
- In the Value data box, type 1, and then select OK.
- Exit Registry Editor.