IPsec L2TP VPN with smartcard authentication to corporate ISA Server 2006 VPN server from Windows 7 problem
Our company implemented IPsec L2TP VPN with smartcard authentication to our corporate ISA Server 2006 VPN server. Our solution works fine with Windows XP and Windows Vista, but with Windows 7 we have a problem. When we try to connect from a Windows 7 workstation to our ISA 2006 VPN server, a strange error message pops up, which states "The local Security Authority cannot be contacted". In the ISA server system log, we found the following error messages: "The user ****** has connected and failed to authenticate on port *****. The line has been disconnected" and "The user ***** connected from ***.****.***.*** but failed an authentication attempt due to the following reason: The supplied message is incomplete. The signature is not verified"
November 17th, 2009 12:42pm

Hi,
Based on my research, I would like to share the following with you:
"The Local Security Authority Cannot Be Contacted" (Error 0x80090304) When You Try to Connect to a Remote Access Server
I think this issue seems to be related to Case 4: Internet Security and Acceleration (ISA) Server is Configured to Drop Fragmented Packets. When ISA Server is configured to block IP fragments, all IP fragments, including AH and ESP fragments, are blocked. So you may check the IP fragments settings and make sure that Block IP fragments is unchecked.
In addition, please try to establish the connection on the client and check the logging tab in ISA Server Management to see which rule blocked the connection.
Thanks.
Nicholas Li - MSFT
November 23rd, 2009 1:16pm

The IP fragments setting checkbox is unchecked. There is a rule which allows the connection. There is no problem with XP and Vista clients. IP settings are derived from the dial-in tab in the user's Active Directory profile. The same user with the same IP address is connecting from a Vista or XP station, but not from Windows 7.
November 23rd, 2009 7:12pm

Hi,
At this time, could you please let us know the following?
1. Where is your RADIUS server installed? Is it a Windows Server 2003 IAS server or Windows Server 2008 NPS server?
2. For further investigation, please help to collect the ISA log on the RADIUS server. You may refer to the following article about how to decode entries recorded in IAS format log files: Interpret IAS Format Log Files. Upload the file to Windows Live SkyDrive and share its URL with us.
In addition, please also try the methods in the following Knowledge Base article: 802.1x client authentication fails when you connect to a Windows Server 2003-based computer that is running IAS
Thanks.
Nicholas Li - MSFT
November 24th, 2009 2:13pm

Our company uses domain authentication. Our ISA server is a domain member and forwards authentication to the DCs.
November 24th, 2009 5:20pm

I checked the IAS log on the ISA server. In the log, I located my unsuccessful attempt to establish the VPN connection. Afterward, I compared it with a successful VPN connection log. The unsuccessful one cannot obtain an IP address, while the successful connection obtains an IP address. IP settings are derived from the dial-in tab in the user's Active Directory profile.
November 28th, 2009 3:00pm

Hi,
Thank you for your update. Just for a test, please use another authentication method (such as username and password) besides smartcard when establishing the connection and see if this will be successful.
Nicholas Li - MSFT
November 30th, 2009 8:01am

When I use authentication with user name and password (MS-CHAPv2) and the rest of the settings the same, the VPN works fine. But our company security policy includes and permits only smart card authentication. I have a doubt that the problem is in the smart card (we work with a Siemens smart card and an Omnikey smart card reader). Maybe some incompatibility with Windows 7.
December 2nd, 2009 10:52am

I solved my problem with the new generation ISA server. I built a test environment with the same servers and settings as our network. The result was the same problem. Afterward I switched the ISA server with TMG 2010 and the problems disappeared.
December 3rd, 2009 3:16pm

Is there any other option for me to continue to use ISA Server 2006 as a VPN server? Is there anybody who has reported the same problem?
December 7th, 2009 5:17pm

Considering this question is more related to ISA server, it is recommended that you go to our Forefront Edge Security Forums for help: http://social.technet.microsoft.com/Forums/en-US/category/forefrontedgesecurity Thanks. Nicholas Li - MSFT
December 8th, 2009 12:59pm

This topic is archived. No further replies will be accepted.
