Windows VPN Requires NTLMv1

[Screenshot: LAN Manager authentication level set to "Send NTLMv2 response only\refuse LM"]

I’ve stumbled upon a seemingly undocumented authentication error in the Windows VPN system.

Error 691: Access was denied because the username and/or password was invalid on the domain.

This can be triggered simply by raising the VPN server's LAN Manager authentication level to 5, "Send NTLMv2 response only\refuse LM & NTLM", which refuses LM and NTLMv1 authentication. According to KB823659, requiring NTLMv2 should not break Windows XP connections unless older systems are involved. In practice, however, this setting causes authentication failures on both the client and the server, because MS-CHAPv2 (the password authentication used by PPTP and L2TP connections) computes its challenge response from the NT hash in the same DES-based way as NTLMv1, so the MSV1_0 authentication package validates it as an NTLM logon rather than an NTLMv2 one.

On the server side, the VPN error looks like this:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
User: NT AUTHORITY\SYSTEM
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Error Code: 0xC000006A

To resolve this problem, simply reduce the LM authentication level to 4, "Send NTLMv2 response only\refuse LM". Two things are worth knowing: error code 0xC000006A is STATUS_WRONG_PASSWORD, so the rejection is logged as a bad password even though the policy refused the response type; and level 4 restores the VPN by letting the server accept NTLMv1-equivalent responses again, so the hardening gained at level 5 is given up for every client that authenticates to that server, not just the VPN.
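The check and the fix above, as an added PowerShell example that is not part of the original post. It reads the LmCompatibilityLevel value from the registry, lists recent MSV1_0 credential-validation failures with the 0xC000006A code (Event ID 680 on Server 2003, Event ID 4776 on Server 2008 and later), and lowers the level from 5 to 4 if that is what it finds. The level-name table and the choice of 200 events to scan are assumptions for illustration; run it in an elevated PowerShell on the VPN (RRAS) server.

```powershell
# Added example (not from the original post): inspect the server-side
# LmCompatibilityLevel, show the MSV1_0 failures that match the symptom,
# and lower level 5 to level 4 if needed. Run elevated on the VPN server.
# Assumption: the value lives in the registry directly; if Group Policy
# manages it, a local change is overwritten at the next policy refresh.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$levelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only\refuse LM'
    5 = 'Send NTLMv2 response only\refuse LM & NTLM'
}

$current = (Get-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $current) {
    # Absent value: the OS default applies (3 on Windows Vista / Server 2008 and later).
    Write-Host 'LmCompatibilityLevel is not set; the OS default applies.'
} else {
    Write-Host ("LmCompatibilityLevel = {0} ({1})" -f $current, $levelNames[$current])
}

# Event ID 680 is the Server 2003-era record shown in the post; on Server 2008
# and later the same MSV1_0 failure is logged as Event ID 4776.
# -match is case-insensitive, so the hex code matches however it is cased.
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 680, 4776 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'MICROSOFT_AUTHENTICATION_PACKAGE_V1_0' -and $_.Message -match '0xC000006A' }

if ($failures) {
    Write-Host ("{0} credential-validation failure(s) with STATUS_WRONG_PASSWORD (0xC000006A):" -f @($failures).Count)
    $failures | Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } | Format-Table -AutoSize
} else {
    Write-Host 'No matching MSV1_0 failures found in the last 200 events.'
}

if ($current -eq 5) {
    Write-Warning 'Level 5 refuses NTLMv1, which MS-CHAPv2 VPN logons depend on. Lowering to 4 (refuse LM only).'
    Set-ItemProperty -Path $lsaKey -Name LmCompatibilityLevel -Value 4 -Type DWord
    Write-Host 'LmCompatibilityLevel set to 4. If the value is managed by Group Policy, change it there instead.'
}
```

If the VPN users are domain accounts, the credential is validated on a domain controller rather than on the VPN server, so the same value on the domain controllers is worth checking too.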

3 thoughts on “Windows VPN Requires NTLMv1”

  1. Really great tip. I ran into exactly this problem when using RASDIAL tonight. Took me about an hour to find this post, which solved my problem. Thanks!!

    1. Hi Sean, thank you for writing. I guess this is an oldie but goodie. I’ve updated the tags to include Server 2012. Enjoy your good as new VPN.
