Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
7829
Views
0
Helpful
0
Comments

The VPN Client user fails to authenticate with the Windows Active Directory with the CVPN 3000 Concentrator

TCC_2
Level 10
Level 10

on ‎06-22-2009 04:38 PM

Core issue

There are possibly many reasons for extended authentication with Active Directory (AD) to fail for VPN client, but one of the common reasons is the Do not require Kerberos pre-authentication setting under the user profile on the AD.

The Do not require Kerberos pre-authentication setting overrides the default setting that the Kerberos Key Distribution Center requires all accounts to use pre-authentication. The default setting makes offline password-guessing attacks very difficult. You can choose to override the default setting for individual accounts when necessary for compatibility with other implementations of the protocol.

Resolution

Complete these steps in order to resolve this issue:

  1. Open Active Directory Users and Computers.

  2. In the console tree, click Users, or choose the folder that contains the user account.

  3. Right-click the user account, and then choose Properties.

  4. On the Account tab, scroll through the Account options and choose the Do not require Kerberos pre-authentication checkbox, and then click OK.

  5. Try the connection again, and it should now work.
Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents