Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

"Error 691" error message when you log on to a Windows Server 2003-based computer or a Windows 2000-based computer that is running Routing and Remote Access or Internet Authentication Service


View products that this article applies to.

Symptoms

When you try to log on to a Microsoft Windows Server 2003-based computer or a Microsoft Windows 2000 Server-based computer that is running the Routing and Remote Access service or Internet Authentication Service (IAS), you may receive an error message that is similar to the following:
Error 691 Access denied because username or password, or both, are not valid on the domain.

↑ Back to the top


Cause

This behavior occurs when you log on to the Windows Server 2003-based computer or the Windows 2000-based computer from a Microsoft Windows 95, Windows 98, Windows Millennium Edition, or Windows NT 4.0-based client computer.

By default, Routing and Remote Access and Internet Authentication Service on Windows Server 2003 and on Windows 2000 do not support clients that use LAN Manager authentication with Microsoft Challenge Handshake Authentication Protocol version 1(MS-CHAP v1). Windows 2000-based clients and Windows XP-based clients do not use LAN Manager authentication with MS-CHAP v1 and do not experience this problem.

↑ Back to the top


Resolution

To resolve this behavior, use one of the following methods:

Method 1

Change the remote access policy on your server to permit only MS-CHAP v2 authentication. Use this method only if all your dial-up clients or virtual private network (VPN) clients support MS-CHAP v2 authentication. To do this, follow these steps:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.
  2. Right-click the server name that you want to enable authentication protocols for, and then click Properties.
  3. On the Security tab, click Authentication Methods.
  4. In the Authentication Methods dialog box, click to select the Microsoft Encrypted Authentication Method version 2 (MS-CHAP v2) check box. Click to clear all the other check boxes, and then click OK two times.

Method 2


Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To permit LAN Manager authentication with MS-CHAP v1 for operating systems that are earlier than Windows 2000, change the following registry value to 1 on the authenticating server:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy\Allow LM Authentication
To do this, follow these steps:
  1. Click Start, and then click Run.
  2. In the Open box, type regedit, and then click OK.
  3. Locate and then double-click the following registry key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy\Allow LM Authentication
  4. In the Value data box, type 1, and then click OK.

    Note In Windows Server 2003, the default value is 0 (off). By default, Windows 2000 Server supports LAN Manager authentication. When you upgrade a computer that is running Windows 2000 Server to a member of the Windows Server 2003 family, the existing value for the
    Allow LM Authentication
    registry key is preserved.

↑ Back to the top


More information

The following clients support MS-CHAP v2:
  • Microsoft Windows 95 with the Dial-up Networking 1.3 or 1.4 update installed
  • Microsoft Windows 98 with the Dial-up Networking 1.4 update installed
  • Microsoft Windows 98 Second Edition
  • Microsoft Windows Millennium Edition
  • Microsoft Windows NT 4.0 Service Pack 4 or later
  • Microsoft Windows 2000
  • Microsoft Windows XP
  • Microsoft Windows Server 2003

↑ Back to the top


Keywords: KB826157, kbprb

↑ Back to the top

Article Info
Article ID : 826157
Revision : 4
Created on : 10/30/2006
Published on : 10/30/2006
Exists online : False
Views : 398