I’ve stumbled upon a seemingly undocumented authentication error in the Windows VPN system.
Error 691: Access was denied because the username and/or password was invalid on the domain.
This can be triggered simply by raising the VPN server’s LM authentication level to 5, which refuses the NTLM protocol. According to KB823659, requiring NTLMv2 should not break Windows XP connections unless older systems are involved. However, this configuration does cause authentication errors on both the client and the server.
On the server side, the VPN error looks like this:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
User: NT AUTHORITY\SYSTEM
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Error Code: 0xC000006A
To resolve this problem, simply reduce the LM authentication level to 4, “Send NTLMv2 response only\refuse LM.”
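The check and the fix described above, as an added PowerShell example that is not part of the original post. It assumes the "LAN Manager authentication level" policy is stored in the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel (a REG_DWORD from 0 to 5); the function names are my own.

```powershell
# Added example (not from the original post): audit the LM authentication level on a
# VPN (RRAS) server and, on request, lower level 5 to level 4 as the post recommends.
# Assumption: the policy "Network security: LAN Manager authentication level" lives in
# the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel (REG_DWORD).
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LmCompatibilityLevel'

# Names of the six levels as they appear in the Local Security Policy editor.
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only\refuse LM'
    5 = 'Send NTLMv2 response only\refuse LM & NTLM'
}

function Get-LmAuthLevel {
    # A missing value means the OS default applies; report $null rather than guessing it.
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-VpnAuthLevel {
    # Returns a report object so the check can be run unchanged across many servers.
    $level = Get-LmAuthLevel
    [pscustomobject]@{
        Level       = $level
        Name        = if ($null -ne $level) { $LevelNames[$level] } else { '(not set, OS default)' }
        BreaksVpn   = ($level -eq 5)   # level 5 refuses NTLM; the post shows this breaks VPN logons
        Remediation = if ($level -eq 5) { 'Lower to 4: Send NTLMv2 response only\refuse LM' } else { 'None' }
    }
}

function Set-LmAuthLevelTo4 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Only touch the value when it is actually at 5; anything lower already accepts NTLM.
    if ((Get-LmAuthLevel) -ne 5) { Write-Verbose 'Level is not 5; nothing to change.'; return }
    if ($PSCmdlet.ShouldProcess("$LsaKey\$ValueName", 'Set to 4')) {
        Set-ItemProperty -Path $LsaKey -Name $ValueName -Value 4 -Type DWord
    }
}

Test-VpnAuthLevel | Format-List
# Preview with "Set-LmAuthLevelTo4 -WhatIf", then run it without -WhatIf from an elevated prompt.
```

If the level is enforced by Group Policy, a local registry change is reverted at the next policy refresh, so make the change in the GPO instead.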