"Error 691" error message when you log on to a Windows Server 2003-based computer or a Windows 2000-based computer that is running Routing and Remote Access or Internet Authentication Service

When you try to log on to a Microsoft Windows Server 2003-based computer or a Microsoft Windows 2000 Server-based computer that is running the Routing and Remote Access service or Internet Authentication Service (IAS), you may receive an error message that is similar to the following:

This behavior occurs when you log on to the Windows Server 2003-based computer or the Windows 2000-based computer from a Microsoft Windows 95, Windows 98, Windows Millennium Edition, or Windows NT 4.0-based client computer.

By default, Routing and Remote Access and Internet Authentication Service on Windows Server 2003 and on Windows 2000 do not support clients that use LAN Manager authentication with Microsoft Challenge Handshake Authentication Protocol version 1(MS-CHAP v1). Windows 2000-based clients and Windows XP-based clients do not use LAN Manager authentication with MS-CHAP v1 and do not experience this problem.

To resolve this behavior, use one of the following methods:

Method 1

Change the remote access policy on your server to permit only MS-CHAP v2 authentication. Use this method only if all your dial-up clients or virtual private network (VPN) clients support MS-CHAP v2 authentication. To do this, follow these steps:

1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
2. Right-click the server name that you want to enable authentication protocols for, and then click Properties.
3. On the Security tab, click Authentication Methods.
4. In the Authentication Methods dialog box, click to select the Microsoft Encrypted Authentication Method version 2 (MS-CHAP v2) check box. Click to clear all the other check boxes, and then click OK two times.

Method 2

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To permit LAN Manager authentication with MS-CHAP v1 for operating systems that are earlier than Windows 2000, change the following registry value to 1 on the authenticating server:To do this, follow these steps:

1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate and then double-click the following registry key:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy\Allow LM Authentication
4. In the Value data box, type 1, and then click OK.
   
   Note In Windows Server 2003, the default value is 0 (off). By default, Windows 2000 Server supports LAN Manager authentication. When you upgrade a computer that is running Windows 2000 Server to a member of the Windows Server 2003 family, the existing value for the
   Allow LM Authentication
   registry key is preserved.

The following clients support MS-CHAP v2:

• Microsoft Windows 95 with the Dial-up Networking 1.3 or 1.4 update installed
• Microsoft Windows 98 with the Dial-up Networking 1.4 update installed
• Microsoft Windows 98 Second Edition
• Microsoft Windows Millennium Edition
• Microsoft Windows NT 4.0 Service Pack 4 or later
• Microsoft Windows 2000
• Microsoft Windows XP
• Microsoft Windows Server 2003