Non Domain Admin Users Unable to Sign into VPN using LDAP

Comes here often

Non Domain Admin Users Unable to Sign into VPN using LDAP

Remote access vpn works fine using Meraki credentials.  When we moved over to using AD we noticed that only domain admins are able to sign in.  The single DC is also a CA and has a certificate installed which is still valid.  If i take jdoe and attempt to sign in I get:


The remote connection was denied because the user naem and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.


as soon as I add jdoe to domain admins however he is able to connect w/ no issues.  I'm trying to determine what would be the cause of this as the error points to a certificate issue but it works when the same user is an admin.  Has anyone seen anything similar?  Packet captures on a failed connection indicate a response is coming from the DC to reject the login.  


Kind of a big deal

Do regular users have the Dial-In permission in AD?

I don't believe so.  I added the permission to the test account I've been using but that still failed.

I have a client with Server 2016, and the VPN setup to use AD authentication.


I installed Network Policy Services on the server, and then setup a policy for the VPN.


Once that is installed, open up NPS and under NPS\Policies\Connection Request Policies, enable both TS GATEWAY AUTHORIZATION POLICY and Use Windows authentication for all users.


Then under NPS\Policies\Connection\Network Policies enable the RDG_CAP_AllUsers policy.


I can send you screenshots if you PM me.  Also, the  may be a simpler method, depending on the number of uses in your AD.



Dave Anderson

Thanks for the idea.  Hadn't thought about installing another role on the DC, but that might be the easier route for sure.  I'll see about getting that role installed and creating a policy and then re-pointing the MX.  

Kind of a big deal

Is the search DN equal to the base of your AD domain?

Where is the search DN defined for VPN setup?  I know on an ASA that's available and critical but I didn't see that field anywhere on the Meraki dashboard.  The account i'm testing w/ is in a different OU than the domain admins but I've confirmed moving it to the same OU has no impact.  And leaving it in the original OU but making it an admin does allow it to connect.

My mistake.  It doesn't let you specify the base dn.


When the authentication fails - what do you get in the security event log in Windows?

I get a 691 error in Windows.

How are the users entering their user name?  If it is username@domain, you may just username, or domain\username.


Also, check out this thread:

Dave Anderson

Thanks for the links.  Users are entering username as jdoe and then the password.  Fails normally, but if I add jdoe to the Domain Admins group (w/o making any other changes) that account is able to login w/o any issues.  

Modified the setup and found the same thing.  Domain Admins connect w/o a problem but standard users fail.  Looking into if a GPO might be causing the issue.

So switched this to Radius instead of LDAP and getting the same.  Domain Admins get right in; remove the user from that group and it fails w/ an incorrect password.  

@mumbles202 Did you ever setup a Network Policy Manager?

Dave Anderson
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.