Hi All,
We have an L2TP IPsec VPN setup using the Windows built-in client and deployed with GPO,
using the following security settings:
Data Encryption: Required
MS-CHAP, MSCHAP v2
And then use Windows Logon name and password (and domain if any) is checked
We are running into an issue where, when a user clicks Connect, it pops up a Windows Security box asking for the user’s password: “The username and password is incorrect”
Even though it is using Windows auth, this pops up every time, and then upon entering the same password it then connects.
We are running Win10 2004
OK, this is a pain. I have it too. The best bet I can find is that a Windows feature update changed how the credentials are stored, and even though it prompts for new credentials, never sends those over the wire for authentication.
The only workaround I can find is to run the old school dialer rasphone.exe and connect the vpn from there once. Then it will connect using the regular icon.
Had the same problem a while ago.
Seems to be connected to version 2004 and I think it’s resolved in 20H2 so best bet is to update to 20H2+rest of the updates.
Workaround: Create shortcut with ‘rasphone -d “VPN connection name”’ and if you use it, it will properly use credentials.
Check out: https://answers.microsoft.com/en-us/windows/forum/windows_10-networking/upgrade-to-windows-10-2004-vpn-l2tp-fail/d97f3dc0-f135-4ebe-a8a7-c6e7b6fe9ff9
I have a couple of questions: is there only one device affected? If so, look at the network settings. Maybe it’s on public; it should be on private (I assume it’s managed through ADDS).
If there are more devices affected, check the VPN. Where’s the VPN server installed on?
Hello friend.
Most likely this is because by default Windows VPN will try to use your VPN credentials to authenticate network shares when the VPN is connected.
You can turn this off by editing the file:
%appdata%\microsoft\network\connections\pbk\rasphone
Open it in notepad and set userascredentials to 0
Then save the file and disconnect and reconnect the VPN.
Then assuming the account they are logged on as has the correct username and password, it should automatically authenticate shares.
Also check credential manager for any saved credentials as they should not be needed.
I did have one user today where I just set her VPN credentials the same as her domain and it auto authenticates that way. Because no matter what I did it wouldn’t auto auth.
Edit: May not have understood but I will leave this up anyway
It could be Outlook perhaps asking for the password as when VPN connects it could be defaulting to using VPN creds.
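The phonebook edit described in the post above, scripted as an added example that is not part of the original thread. It assumes the file the post calls "rasphone" is `rasphone.pbk` in the per-user path given there, and it uses the placeholder entry name 'VPN connection name' from the earlier reply; the function and parameter names are made up for this illustration.

```powershell
# Added example. Assumptions: per-user phonebook path, and the placeholder
# entry name used in the thread. Run without -Apply to preview only.
param(
    [string]$PbkPath   = "$env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk",
    [string]$EntryName = 'VPN connection name',
    [switch]$Apply
)

function Set-PbkUseRasCredentials {
    # Returns the phonebook lines with UseRasCredentials rewritten, but only
    # inside the [Entry] section; every other entry is left untouched.
    param([string[]]$Lines, [string]$Entry, [int]$Value = 0)
    $section = $null
    $found   = $false
    $changed = $false
    $out = foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') {
            $section = $Matches[1]
            if ($section -eq $Entry) { $found = $true }
        }
        elseif ($section -eq $Entry -and $line -match '^\s*UseRasCredentials\s*=') {
            $line = "UseRasCredentials=$Value"
            $changed = $true
        }
        $line
    }
    if (-not $found)   { throw "Entry [$Entry] not found in $PbkPath" }
    if (-not $changed) { throw "Entry [$Entry] has no UseRasCredentials line" }
    return ,$out
}

if (-not (Test-Path -LiteralPath $PbkPath)) { throw "Phonebook not found: $PbkPath" }
$original = @(Get-Content -LiteralPath $PbkPath)
$updated  = Set-PbkUseRasCredentials -Lines $original -Entry $EntryName

# Preview: show only the lines that differ between the current and new file.
Compare-Object -ReferenceObject $original -DifferenceObject $updated |
    Format-Table InputObject, SideIndicator -AutoSize

if ($Apply) {
    Copy-Item -LiteralPath $PbkPath -Destination "$PbkPath.bak" -Force  # keep a backup
    Set-Content -LiteralPath $PbkPath -Value $updated
    Write-Output "Updated [$EntryName]; disconnect and reconnect the VPN."
}
```

Because the change is scoped to one named section, other connections in the same phonebook keep their existing credential behaviour.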
Even that isn’t working for me. It connects without prompting for the password on rasphone but then still asks on the “new” UI
But sending a shortcut to Rasphone to the desktop of all our clients and then instructing users to use that to connect isn’t an issue and gets around the complaints of people needing to enter their passwords
It is all clients that have this issue.
The VPN is hosted on a Win Server 2012R2 RRAS
I see, mine uses the user’s computer credentials, but not automatically.
Did you check the event log on the RRAS? Are there any errors?
Do you use NPS?
Ours is set to auto use creds
It isn’t even getting past the client. It doesn’t call anything before the popup happens
Running a trace on our firewall we don’t have any connections coming in until the password is entered
Makes sense. I wish I had been able to set mine up that way but the firewall does not like it.
I only started seeing the issue once some users had to change passwords recently. I attributed it to the feature updates but it could be any old Windows update too.
So you get a password prompt, but it still doesn’t reach the server. Seems like your firewall is maybe accepting a VPN also. Are the ports correctly forwarded?
I think it is a bug introduced in 2004 because all the issues happen on our newly issued devices that we rolled out with 2004 and we have had this issue since the end of August but the users have only just told us…
VPN isn’t set up on the Firewall at all. It all forwards to the server.
It looks like it is a Windows UI error as it doesn’t even attempt to make the connection before it prompts for the password
It’s possible. I thought I had a user on 1909 that was having the issue too, but I might be mistaken. I only run 20H2 and 1909.
It’s not reaching the server, so something’s wrong with your network settings.
Check your firewall logs, maybe double nat or something.