Not sure what this was about. Just moved the PPTP VPN server on a client network from their old Windows 2003 Server to Windows Server 2008 and suddenly remote clients were getting the error:

Error 812: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

Blah! Nothing changed, just targeting a new server. Found the answer in the NAS policy and it was stupid. For some reason, the default is to deny connections from the Microsoft VPN client.

To fix:

  1. Open the Routing and Remote Access management console.
  2. Right-click “Remote Access Logging and Policies”, then click “Launch NPS”.
  3. Click “Network Policies” in the left pane.
  4. Right-click the “Connections to Microsoft Routing and Remote Access server” policy in the right pane and select Properties.
  5. Change the radio button in the middle from “Deny Access” to “Grant Access”.
  6. Hit Apply.

Not sure why this is denied by default. Don’t really care, it works when you allow it. Hope this helps someone else!
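To check which NPS network policies grant or deny access without opening each one, this added example (not part of the original post) parses `netsh nps show np` output. The function name `Get-NpsPolicyAccess` is hypothetical, and the output layout, including the `NP-Allow-Dial-in` attribute line, is assumed to match the constructed sample.

```powershell
# Added example: summarise NPS network policies (order, state, grant/deny).
# Assumption: `netsh nps show np` prints sections laid out like $sample below.
function Get-NpsPolicyAccess {
    param([string[]]$Lines)
    $policies = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Name\s+=\s+(.+?)\s*$') {
            # A "Name = ..." line starts a new policy section.
            $current = New-Object PSObject -Property @{
                Name = $Matches[1]; State = $null; Order = $null; Access = 'Unknown'
            }
            $policies += $current
        }
        elseif ($current -and $line -match '^\s*State\s+=\s+(\S+)') {
            $current.State = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Processing order\s+=\s+(\d+)') {
            $current.Order = [int]$Matches[1]
        }
        elseif ($current -and $line -match '^\s*NP-Allow-Dial-in\s+\S+\s+"?(TRUE|FALSE)"?') {
            # Assumed attribute line carrying the Grant/Deny radio button value.
            $current.Access = if ($Matches[1] -eq 'TRUE') { 'Grant' } else { 'Deny' }
        }
    }
    $policies | Sort-Object Order | Select-Object Order, Name, State, Access
}

# Constructed sample input, not captured from a real server.
$sample = @'
Name             = Connections to Microsoft Routing and Remote Access server
State            = Enabled
Processing order = 1

Name                                Id          Value
---------------------------------------------------------
NP-Allow-Dial-in                    0x100f      "FALSE"

Name             = Connections to other access servers
State            = Enabled
Processing order = 2

Name                                Id          Value
---------------------------------------------------------
NP-Allow-Dial-in                    0x100f      "FALSE"
'@ -split "`r?`n"

# On the NPS server, pass live output instead: -Lines (netsh nps show np)
Get-NpsPolicyAccess -Lines $sample | Format-Table -AutoSize
```

Saving the table after a known-good configuration and comparing it after updates or other NPS changes shows whether a policy has flipped between Grant and Deny.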

Now that you’ve got the VPN working, why not write a 4 line batch file to automate the connection and drive mapping for your users?

9 COMMENTS

  1. Thanks very much. Very weird. VPN users I set up previously could connect but users I added at a later date were getting this error. I have changed the setting as advised and now later added users can access. Microsoft!!!

  2. This helped me resolve the same issue that was related to a different causing factor. Our VPN server had been running fine for some time using RRAS with NPS on a Hyper-V Host running a virtual Terminal Server as well as a few other virtual servers. After doing Windows updates on the Hyper-V host with RRAS it appears I might have got an update that reverted this setting back to a default value. Re-enabling it allowed me to connect again from our remote desktop clients.

  3. This worked for me also on 9/9/16 on my Server 2012. Earlier today, I had been implementing 802.1x wireless authentication via NPS. Not sure why/how they altered a separate VPN policy in NPS, but it did.

  4. Thank you very much for this post. Even after more than two years it steered me straight toward the solution I needed.

    Keep up the good work.

  5. Something that might help..

    There is a tab (network connection method) where you have to select the type.
    I chose Remote access server and that solved my VPN connection.

    This is in addition to enabling the NPS policy.

    Hope that might help

  6. I think the “reason” for this is to prevent random strangers from connecting and brute forcing passwords. If the Active Directory user doesn’t specifically have dialin permission set, it fails.

    Instead of setting it to allow, you can add another policy with a higher priority, that restricts it based on group membership and/or other restrictions.
