Hello,
We are deploying Always On VPN device and user tunnels using a PowerShell script run as SYSTEM via a scheduled startup task.
During testing, everything seemed to go really smoothly, but now we are deploying to live, we are seeing a number of issues we did not experience, and have so far been unable to resolve.
- We have several users whose device tunnels and user tunnels have deployed to their machines. The device tunnels connect ok, but when attempting to connect the user tunnels, they get the error:
"The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the administrator of the RAS server and notify them of this error."
On the client machine, I see event IDs 2027, which states an error code of 812. The various causes for this error do not seem to apply.
Looking at our NPS server, for the times of these connection attempts, we see events 6273 in the security log with a reason code of 16
(Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.)
As we are using user certificate authentication, I don't understand why it would be complaining of a mismatch? Some users are working fine with the same deployment, so what would prevent only some users from not being able to connect (they are all in the same VPN Users security group used on both NPS and the CA where the VPN template sits).
Equally, if I log into another test machine as one of these affected users, I am able to connect without issue.
- We have some users whose device and user tunnels have been deployed, but their device tunnels do not seem to be automatically connecting, even though their user ones are. Again, I cannot see any reason why their machines would not auto connect one but not the other?
Does anyone have any thoughts on what may be occurring here?
Many thanks
James
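
An added example, not part of the original post: one way to put the NPS events mentioned above (6273, reason code 16) next to successful logons (event 6272) per user, so failing and working accounts can be compared on policy, authentication type and EAP type. The `Data` field names are those of the NPS audit events as assumed here, the function names are hypothetical, and the sample events are constructed.

```powershell
# Added example: flatten NPS Security-log events 6272 (granted) / 6273 (denied).
function ConvertFrom-NpsEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc  = [xml]$Xml
    $data = @{}
    foreach ($d in $doc.GetElementsByTagName('Data')) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        Time       = $doc.GetElementsByTagName('TimeCreated')[0].GetAttribute('SystemTime')
        EventId    = [int]$doc.GetElementsByTagName('EventID')[0].InnerText
        User       = $data['SubjectUserName']
        Policy     = $data['NetworkPolicyName']
        AuthType   = $data['AuthenticationType']
        EapType    = $data['EAPType']
        ReasonCode = $data['ReasonCode']
    }
}

# One summary row per user: grant/deny counts plus the reason codes and EAP types seen.
function Get-NpsUserSummary {
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Group-Object User | ForEach-Object {
        [pscustomobject]@{
            User        = $_.Name
            Granted     = @($_.Group | Where-Object EventId -eq 6272).Count
            Denied      = @($_.Group | Where-Object EventId -eq 6273).Count
            ReasonCodes = ($_.Group.ReasonCode | Where-Object { $_ } | Sort-Object -Unique) -join ','
            EapTypes    = ($_.Group.EapType | Where-Object { $_ } | Sort-Object -Unique) -join ','
        }
    }
}

# Constructed sample events (trimmed to the fields used above; not real log data).
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sample = @(
    "<Event xmlns='$ns'><System><EventID>6273</EventID><TimeCreated SystemTime='2024-01-01T08:00:00Z'/></System><EventData><Data Name='SubjectUserName'>EXAMPLE\user1</Data><Data Name='NetworkPolicyName'>-</Data><Data Name='AuthenticationType'>EAP</Data><Data Name='EAPType'>-</Data><Data Name='ReasonCode'>16</Data></EventData></Event>",
    "<Event xmlns='$ns'><System><EventID>6272</EventID><TimeCreated SystemTime='2024-01-01T08:05:00Z'/></System><EventData><Data Name='SubjectUserName'>EXAMPLE\user2</Data><Data Name='NetworkPolicyName'>VPN Users</Data><Data Name='AuthenticationType'>EAP</Data><Data Name='EAPType'>Microsoft: Smart Card or other certificate</Data><Data Name='ReasonCode'>0</Data></EventData></Event>"
)
$parsed = $sample | ForEach-Object { ConvertFrom-NpsEventXml -Xml $_ }
Get-NpsUserSummary -Events $parsed | Format-Table -AutoSize

# Against a live NPS server (elevated session), feed real events instead of $sample:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } |
#       ForEach-Object { ConvertFrom-NpsEventXml -Xml $_.ToXml() }
```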