Appendix E - IAS Events in the Windows 2000 System Event Log

When event logging is enabled from the Service tab in the properties of an IAS server, the events listed in Table 7 can be used to troubleshoot problems with your IAS or NAS configuration.

Table 7 - IAS Events in the Windows 2000 System Event Log

Event log message / Possible cause and resolution
“Unknown user name or bad password.”

“The specified user does not exist.”

“The specified domain does not exist.”

The user might have typed the wrong user name or password. Check the user’s Windows 2000 user name and account password to make sure they are typed correctly and that the account is valid for the domain IAS is authenticating the user against.

Realm replacement might be set up incorrectly, or in the wrong order, so that the domain controller cannot recognize the user name. Adjust the realm replacement rules. For more information about realm names or configuring realm replacement, see Windows 2000 Server Help.

If the remote access server is a member of a domain and the user response does not contain a domain name, the domain name of the remote access server is used. To use a domain name that is different from that of the IAS server, on the computer that is running IAS, set the following registry value to the name of the domain that you want to use:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\BuiltIn\DefaultDomain

Some NASs automatically strip the domain name from the user name before forwarding the user name to a RADIUS server. Turn off the feature that strips the domain name from the user name. For more information, see your NAS documentation.

The user might be using CHAP, but Active Directory might not be configured to use plaintext passwords. To use CHAP authentication with IAS, configure the dial-in profile for a user or group to use CHAP. The NAS and the user’s dialing program (such as Connection Manager) must also be configured to use CHAP authentication. You must also enable CHAP on the domain controller.
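The following added example (not part of the original appendix or of IAS itself) models how realm replacement order and the default domain interact: rules are applied to the User-Name one after another in list order, and a name that ends up without a domain falls back to the IAS server's default domain. The rule patterns, user names and domain names are constructed for illustration, and Python's re syntax stands in for IAS's own rule syntax.

```python
import re

def apply_realm_rules(user_name, rules):
    """Apply ordered (pattern, replacement) realm replacement rules.
    Each rule is applied to the output of the previous one, so a rule that
    strips '@realm' placed before the rule that maps it to a domain leaves
    nothing for the mapping rule to match (assumed IAS behaviour)."""
    for pattern, replacement in rules:
        user_name = re.sub(pattern, replacement, user_name)
    return user_name

def resolve_account(user_name, default_domain):
    """Split 'DOMAIN\\account' into (domain, account). A name with no domain
    is authenticated against the default domain (see DefaultDomain above)."""
    if "\\" in user_name:
        domain, account = user_name.split("\\", 1)
        return domain, account
    return default_domain, user_name

# Constructed rules: map user@example.com to EXAMPLE\user, then strip any
# other realm. Reversing them strips the realm before it can be mapped.
RULES_ORDERED = [
    (r"^(.+)@example\.com$", r"EXAMPLE\\\1"),
    (r"^(.+)@.+$", r"\1"),
]
RULES_MISORDERED = list(reversed(RULES_ORDERED))

def authenticating_domain(user_name, rules, default_domain="IASDOMAIN"):
    """Domain the domain controller will be asked to validate the user in."""
    return resolve_account(apply_realm_rules(user_name, rules), default_domain)
```

With the misordered rules, user@example.com is sent to the IAS server's default domain as plain "user", which is one way the "specified user does not exist" message arises.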

“The authentication type is not supported on this system.”

The user is trying to authenticate by using an authentication method that is not supported on this computer. For example, the user might be using an EAP type that has not been installed. Modify the dial-in profile to allow the protocol in question.

“The user’s information did not match a remote access policy.”

“The user is not allowed dial-in access to the network.”

“User attempted an unauthorized authentication method.”

“User tried to connect from an unauthorized calling station.”

“User tried to dial-in outside of permitted hours.”

“User tried to connect by calling an unauthorized NAS phone number.”

“User tried to connect using an invalid port type.”

“A constraint defined in the remote access policy failed.”

A remote access policy might be denying access to the user. Check the policy list to make sure that you have not excluded users who must be granted access. Check the event log to see if the user is trying to connect with parameters that are not permitted by a remote access policy (for example, during an unauthorized time period, using an unauthorized port type, calling from an unauthorized phone number, or calling an unauthorized NAS phone number). You might have to revise the remote access policies accordingly to grant the user access.

Remote access policies might be in the wrong order. Authorization is granted or denied by the first policy whose conditions match the connection attempt. Use the Move Up button to move the policy that grants access to the users who are having trouble so that it is higher in the list.
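The following added example (constructed for this appendix, not code from IAS) models the first-match rule described above: only the first policy whose conditions match the attempt is consulted, and that policy's grant or deny permission and profile constraints (permitted hours, port type, calling station) decide the outcome. The policy names, groups and attempt values are assumptions for illustration; the reason strings are the event log messages listed above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Attempt:
    """Constructed view of a connection attempt as IAS sees it."""
    groups: frozenset        # Windows groups the user belongs to
    account_denied: bool     # dial-in access denied on the account itself
    hour: int                # local hour of the attempt, 0-23
    port_type: str           # e.g. "Async", "ISDN", "VPN"
    calling_station: str     # caller's phone number (Calling-Station-Id)

@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset        # condition: membership in any of these matches
    grant: bool              # grant (True) or deny (False) remote access
    hours: range = range(0, 24)                 # profile: permitted hours
    port_types: frozenset = frozenset()         # profile: empty = any port type
    calling_stations: frozenset = frozenset()   # profile: empty = any caller

def evaluate(policies, attempt):
    """Return (accepted, reason). Policy order decides which policy applies."""
    if attempt.account_denied:  # account setting overrides any granting policy
        return False, "The user is not allowed dial-in access to the network."
    for p in policies:
        if not (p.groups & attempt.groups):
            continue  # conditions not met: keep looking down the list
        if not p.grant:
            return False, "The user is not allowed dial-in access to the network."
        if attempt.hour not in p.hours:
            return False, "User tried to dial-in outside of permitted hours."
        if p.port_types and attempt.port_type not in p.port_types:
            return False, "User tried to connect using an invalid port type."
        if p.calling_stations and attempt.calling_station not in p.calling_stations:
            return False, "User tried to connect from an unauthorized calling station."
        return True, p.name
    return False, "The user's information did not match a remote access policy."

# Constructed policies: a broad deny policy and a narrower grant policy.
DENY_ALL = Policy("Deny everyone", frozenset({"Domain Users"}), grant=False)
GRANT_STAFF = Policy("Allow staff 8-18", frozenset({"Staff"}), grant=True,
                     hours=range(8, 18), port_types=frozenset({"Async", "ISDN"}))

def staff_attempt(hour=10, port_type="Async", denied=False):
    return Attempt(frozenset({"Domain Users", "Staff"}), denied, hour, port_type, "5551234")
```

Putting DENY_ALL above GRANT_STAFF rejects every staff member; moving the grant policy up (the Move Up button) fixes it, while the profile constraints still produce the more specific rejection messages.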

“The user has exceeded the dial-in lockout count.”

If remote access account lockout is enabled, previous failed access attempts might have caused the user account to be locked out. If so, increase the dial-in lockout count.

“The user’s account is currently locked out and might not be logged on to.”

“The user’s account is locked out and cannot be validated.”

“The user is not allowed dial-in access to the network.”

The user might be denied dial-in access. Check the user’s information on the domain controller (or in Local Users and Groups) to verify that dial-in access is granted for the user. If dial-in access is denied, this overrides any remote access policy that grants access.

“The current configuration supports only local user accounts.”

IAS is set up to authenticate against the local SAM, and the user is not a member of the local user database. In this case, add the IAS server to Active Directory.

“The user’s account domain is unreachable.”

“The server is unavailable.”

“The specified domain did not exist.”

“IAS could not access the Global Catalog.”

There might be a communication problem between the NAS and IAS, or between IAS and the domain controller or Global Catalog server. Use the ping command to check the communication with the domain controller or Global Catalog server. If ping works, try to connect to the server by using the command net use \\servername\share. If no packet information appears in the IAS log, check the Windows 2000 event log to see whether the attempt times out.