VPN connects but Username/Password Incorrect?

[freedomit]

I have a Windows 10 Pro laptop that wont login remote over the VPN and its really annoying me!!!

I format reloaded a laptop with Win10 Anniversary install, the key on the bottom is Win 8 so it installed Windows 10, luckily i saved the Win 10 Pro key before wiping so did a feature upgrade from within the OS to Pro.

Created the VPN and joined to domain no problem, but when i login with a domain user over the VPN i get username/password incorrect. The thing is it cant be as it connects to the Windows 2012R2 Essentials SSTP VPN using the same details and the Server event logs show no audit failures. Looking at the Server security log i can see NPS login success event and a kerberos ticket request.

I have tried 3 different users all with the same results, i have tried logging in as local admin, connecting VPN, ping DC and the swtich user but same issue.

Any ideas other that go to site and login?

 

[Markverhyden]

What is the VPN endpoint? Hopefully not the server.

 

[freedomit]

What is the VPN endpoint? Hopefully not the server.

The Server? Why is that an issue? I find SSTP VPN to be secure enough for small business.

 

[Markverhyden]

All I can say is for years best practices that I read was to never put a MS server on the edge, exposed to the wild. Now if you are running a fully configured firewall in between that is a different matter but personally I'd not do it. Especially of the SBS/Essentials variety. There are many options out there that provide excellent VPN service and have a much small attack surface.

Maybe some others will comment. I'd be interested if others think 2012 is robust and secure enough to be exposed like that.

Back to your original problem. Whenever I run into a credentials/can't access issue it usually revolves around

1. firewall/router setting
2. server vs client configuration conflicts. Specifically related to the connection security protocol. Kind of the square peg and round hole thing.
3. little experience in this but joining a domain over VPN, from what I remember doing support work at DoD, was problematic. Maybe that has improved with more recent OS versions. Has all of this happened remote, via VPN?

 

[freedomit]

The server is protected with a firewall with only port 443 open inbound for the Remote website, RDS gateway and SSTP VPN to function.

We join laptops & desktops to domains over VPN all the time and never have an issue. We do it so we can fully prep the computer ready to be delivered to the customer site. The join to the domain seems to have completed fine, I can see the laptop in AD and the laptop recognises it's part of the domain.

The VPN is configured correctly and connects, once connected I can ping both domain.local and DC by name. I have tried the VPN with both use remote gateway and don't use remote gateway.

So when I login I use the network login option which dials a VPN and then logs in over it. If I enter incorrect credentials is fails to connect the VPN and I see an NPS audit fail in server event logs as expected. If I enter correct credentials the VPN connects ok but I get username/password error and no audit fail in event logs?

 

[YeOldeStonecat]

All I can say is for years best practices that I read was to never put a MS server on the edge, exposed to the wild. ?

Same here...I'd want to format that server if it was hanging RRAS service out in the wild for 5 minutes!
I haven't exposed a servers RRAS to the outside since the NT 4 days. PPTP and IPSec...I prefer a dedicated appliance. SSL these days.

But with this new VPN, it's a whole new technology....and so far, quite secure. I don't have troubleshooting experience with it though. Wondering if it's a setting on the client profile...since it's only happening after a format?

 

[freedomit]

SOLVED!!!

So i tethered the laptop to my mobile, VPN to our Server and joined to our domain successfully but when I logged in same issue. I then connected directly to our LAN and same issue again...username/password incorrect.

So i reinstalled Windows 10 Pro by creating a ei.cfg file on the USB i was installing from and selecting Pro. Repeated same process, joined to customer domain over VPN and this time it logged in. I guess something must have got screwed up in the process of feature upgrading from Home to Pro?

Link to ei.cfg for reference.
http://www.askvg.com/fix-cant-select-windows-10-pro-edition-during-clean-installation/

 

[YeOldeStonecat]

So i reinstalled Windows 10 Pro by creating a ei.cfg file on the USB i was installing from and selecting Pro. Repeated same process, joined to customer domain over VPN and this time it logged in. I guess something must have got screwed up in the process of feature upgrading from Home to Pro?/

THAT...is very interesting. Generally home to pro upgrades have gone fine for me, have done many in the past....no W10 ones though. Good to file away in the memory bank in case I run into it and I'm scratching my head over why some authentication doesn't work.

 

[Markverhyden]

That's the link that was in lcoughy's thread. And his was also about domain authentication, but with server '03.