ASDK 1902 - VPN Connection

  • Question

  • Hi,

    I've just deployed a 1902 ASDK version. I'm trying to establish a VPN connection from another host following the steps in the site: 

    https://docs.microsoft.com/en-us/azure/azure-stack/asdk/asdk-connect

    But it always says "The user name or password is incorrect".

    If I go to the ASDK host, in the Event Viewer I see a warning event related to Remote Access. The event says:

    CoId={24464FCD-9F7B-45AA-BA3E-928C49409820}: The user Administrator failed an authentication attempt due to the following reason: The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.

    I’ve tried to specify the user AzureStackAdmin in the VPN Connect and the Event Viewer shows:

    CoId={31F4FF77-0020-48FB-ADB4-6FC9B5174C8B}: The user AZURESTACK\AzureStackAdmin failed an authentication attempt due to the following reason: The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.

    Any idea how to resolve this issue?

    Thanks

    Monday, March 11, 2019 3:17 PM

All replies

  • I can see from the second error message that you are using the proper username:  AZURESTACK\AzureStackAdmin. Administrator will likely not work. 


    Are you using the same password that you used when you deployed the ASDK? You can verify that by logging into the Azure Stack computer with the "AZURESTACK\AzureStackAdmin" account and the password. 

    If your username and password are correct and you can RDP into the ASDK host computer, but you still get the same message when trying to VPN, then the next step leads us to a protocol mismatch. The instructions given will use some specific protocol types, but if you have any custom settings or policies on your computer that force other protocols, the connection will fail. 

    Tuesday, March 12, 2019 4:56 AM
    Moderator
  • Hi

    Thank you for your help.

    I’m sure the username and password are correct. I’m able to access using an RDP connection, but not through VPN.

    I have customized neither the ASDK host configuration nor the client configuration. As you say, it could be something related to protocol configuration, but I don’t know where to look or what to check.

    Could you help me? How can I check the protocol configured? I have to use PowerShell commands because the “Legacy mode is disabled on this Server” and I don’t have experience using PowerShell commands.

    Thank you, again.

    Tuesday, March 12, 2019 10:39 AM
  • Has anybody managed to establish a VPN connection to the ASDK host with the 1902 version deployed?

    Thanks.



    • Edited by Juan Valero Thursday, March 14, 2019 1:46 PM
    Thursday, March 14, 2019 1:45 PM
  • Hallo Juan,

    I have the same problem even after a new installation; I reverted back to the 1901 release.

    The only difference I can see is that they changed the network of the Deployment network:

    1901

    InterfaceAlias       : Deployment
    InterfaceIndex       : 9
    InterfaceDescription : Hyper-V Virtual Ethernet Adapter
    NetProfile.Name      : Network
    IPv4Address          : 10.200.133.240
    IPv4DefaultGateway   : 10.200.133.1
    DNSServer            : 192.168.200.67

    2019-03-01 06:50:54 Verbose  [POC:Configure] VPN configuration is done!
    2019-03-01 06:50:56 Verbose  [POC:Configure] NAT IP found: 10.200.133.240.
    2019-03-01 06:50:56 Verbose  [POC:Configure] NatSubnet found: 10.200.133.0/24
    2019-03-01 06:50:56 Verbose  [POC:Configure] Adding new net route destination subnet: '192.168.102.0/24' and NextHop: '' on interface 'HostNIC'
    2019-03-01 06:50:56 Verbose  [POC:Configure] Adding new net route destination subnet: '192.168.105.0/24' and NextHop: '' on interface 'HostNIC'

    1902

    InterfaceAlias       : Deployment
    InterfaceIndex       : 9
    InterfaceDescription : Hyper-V Virtual Ethernet Adapter
    NetProfile.Name      : Network
    IPv4Address          : 10.200.5.210
    IPv4DefaultGateway   : 10.200.5.1
    DNSServer            : 192.168.200.67

    2019-03-13 09:11:19 Verbose  [POC:Configure] VPN configuration is done!
    2019-03-13 09:11:21 Verbose  [POC:Configure] NAT IP found: 10.200.5.210.
    2019-03-13 09:11:21 Verbose  [POC:Configure] NatSubnet found: 10.200.5.0/24
    2019-03-13 09:11:21 Verbose  [POC:Configure] Adding new net route destination subnet: '192.168.102.0/24' and NextHop: '' on interface 'HostNIC'
    2019-03-13 09:11:21 Verbose  [POC:Configure] Adding new net route destination subnet: '192.168.105.0/24' and NextHop: '' on interface 'HostNIC'



    Friday, March 15, 2019 5:32 AM
  • Hello,

    I can also confirm the VPN issue with 1902.

    We've already deployed 2 ASDKs with 1902, and we get the same error message and can't connect with VPN.
    2 other ASDKs with 1901 and 1811 work fine with the VPN connection.

    Dennis

    Thursday, March 28, 2019 1:35 PM
  • DO NOT DEPLOY 1902!!! What good does it do to deploy if you cannot access it? I too just deployed 1902 and can confirm VPN does not work. Which is quite sad given the issue has been reported for almost a month and there doesn't appear to be an acknowledgement of its existence nor a resolution.

    Mr Jazze

    Friday, April 5, 2019 4:37 PM
  • Unfortunately this is broken on ASDK build of 1902 and later.  The problem is not with your username and password combination (if you haven't already figured that out), but rather with a change to the protocol used for the P2S connection.  

    To work around this problem you need to do the following.

    Change the settings on the host

    First you’ll need to make changes to the auth protocol used on the ASDK server side. 

    1. RDP to the ASDK host.
    2. Open an elevated PowerShell session, logging in as the AzureStack\AzureStackAdmin using the password you provided at Deployment time.
    3. Run the following commands.

    netsh nps set np name = "Connections to Microsoft Routing and Remote Access server" profileid = "0x100a" profiledata = "1A000000000000000000000000000000" profileid = "0x1009" profiledata = "0x5"

    restart-service remoteaccess -force

    Modify the client side connection script

    The easiest way to do this is to make changes directly to the C:\AzureStack-Tools-master\connect\azurestack.connect.psm1 script module.

    1. Modify the Add-AzsVpnConnection function to change the AuthenticationMethod parameter from MsChapv2 to EAP.

    $connection = Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress -TunnelType L2tp -EncryptionLevel Required -AuthenticationMethod Eap -L2tpPsk $PlainPassword -Force -RememberCredential -PassThru -SplitTunneling

    2. Change the Connect-AzsVpn function from using rasdial @ConnectionName $User $PlainPassword to using rasphone, as EAP requires interactive logon.

    rasphone $ConnectionName

    3. Save your changes and then re-import the azurestack.connect.psm1 module. 
    4. Follow the instructions in the https://docs.microsoft.com/en-us/azure/azure-stack/asdk/asdk-connect#set-up-vpn-connectivity article.
    5. When you go to connect to the ASDK via VPN, you should connect by navigating to Network & Internet Settings | VPN rather than connecting from the taskbar to ensure that you are prompted for credentials (see image below).

    I sincerely apologize for the frustration this has caused!  I'm working on getting this included in the release notes, fixed in later builds and the tools updated.

    Thanks,

    Scott

    Tuesday, April 23, 2019 9:31 PM
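
Added example, not part of the thread and not code from AzureStack-Tools: a PowerShell check for the protocol mismatch discussed above, comparing the client VPN profile against the values in the workaround's Add-VpnConnection line and showing the host-side service and network policy state. The function names are hypothetical, and -ConnectionName is assumed to be whatever name was passed to Add-AzsVpnConnection.

```powershell
# Client side: report whether the saved VPN profile matches the workaround's settings.
function Test-AzsVpnClientProfile {
    [CmdletBinding()]
    param(
        # Name given to Add-AzsVpnConnection (assumption: supplied by the caller).
        [Parameter(Mandatory)] [string] $ConnectionName
    )

    $vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

    # Expected values taken from the Add-VpnConnection line in the workaround.
    $expected = [ordered]@{
        TunnelType           = 'L2tp'
        EncryptionLevel      = 'Required'
        AuthenticationMethod = 'Eap'
        SplitTunneling       = $true
    }

    foreach ($name in $expected.Keys) {
        # AuthenticationMethod is a list; a profile still on MsChapv2 shows up here.
        $actual = @($vpn.$name)
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $actual -join ','
            Match    = ($actual.Count -eq 1 -and "$($actual[0])" -eq "$($expected[$name])")
        }
    }
}

# Host side: run in an elevated session on the ASDK host.
function Show-AzsVpnHostState {
    # Confirm the service restarted by the workaround is running.
    Get-Service -Name RemoteAccess | Select-Object Name, Status, StartType

    # Dump the NPS network policies; look for the policy named
    # "Connections to Microsoft Routing and Remote Access server" and its
    # profile attributes 0x1009 and 0x100a set by the netsh command above.
    netsh nps show np
}

# Example calls (connection name is a placeholder):
# Test-AzsVpnClientProfile -ConnectionName '<your-connection-name>' | Format-Table -AutoSize
# Show-AzsVpnHostState
```

Any row with Match = False on the client, or a policy on the host that does not show the values from the netsh command, points to the protocol mismatch rather than to the credentials.
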
  • Hey Scott,

    I notice that this problem is also in the latest release 1904.

    Am I correct or am I doing something wrong?

    Eelco

    Wednesday, May 8, 2019 6:22 AM
  • Eelco,

    according to the release notes (https://docs.microsoft.com/en-gb/azure-stack/asdk/asdk-release-notes#known-issues) 1904 has "Fixed the VPN connection issue identified here, in release 1902."

    Though I've not had the opportunity to roll it out myself to confirm.

    • Proposed as answer by Matt--B Friday, May 17, 2019 8:47 AM
    • Unproposed as answer by Matt--B Friday, May 17, 2019 8:48 AM
    Wednesday, May 15, 2019 1:09 PM