VPN-2fa with ntmlv2 and radius on server 2019

Egbert N 1 Reputation point
2021-02-09T09:12:59.947+00:00

Hi hope someone can help,

We have installed a eset secure authenthication with radius for 2fa and ras and NPS.
There is a policy to force NTMLv2 authentication, so we did this resolution with no result:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/lt2p-ipsec-ras-vpn-connections-fail

error:
CoId={48CA41B9-FBE5-0002-0AB1-D948E5FBD601}: The user test2fa connected from * but failed an authentication attempt due to the following reason: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

when we disable the policy that forces NTMLv2 it works normally.

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,297 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Sunny Qi 10,906 Reputation points Microsoft Vendor
    2021-02-10T07:48:14.073+00:00

    Hi,

    Thanks for posting in Q&A platform.

    My understanding is you created a policy regarding force NTMLv2 authentication, may I know this policy was configured for client or NPS server?

    May I know if the NPS server is also a domain controller?

    Meanwhile, please check and provide the value of LmCompatibilityLevel under registry key [HKLM\SYSTEM\CurrentControlSet\Control\Lsa]

    Best Regards,
    Sunny

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Sunny Qi 10,906 Reputation points Microsoft Vendor
    2021-02-10T09:19:30.283+00:00

    Hi,

    Thank you very much for your feedback.

    Please try to modify the value of LmCompatibilityLevel to 3 to see if the client can connect VPN.

    The issue occurs may because clients connections are rejected or refused by the server since the NTLM version used are different by the client(NTLM) and server(Only accepts NTLMv2)

    Value 3 means clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication.

    Value 5 means clients use only NTLMv2 authentication, and they use NTLMv2 session security if the server supports it. Domain controller refuses LM and NTLM authentication responses, but it accepts NTLMv2.

    Please restart Windows to make changes to this entry effective.

    For more details please refer to the following article:

    LmCompatibilityLevel

    Best Regards,
    Sunny

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.