5127 Views 7 Replies Latest reply: Jun 24, 2007 11:38 PM by DeeJay RSS

Jun 19, 2007 3:52 PM

"Invalid username or password" over Win2k3 VPN

Hi folks,

 

This question may be better suited for the Openfire forum, but I thought I would post it here as I don't know where the culprit is.  Here's the situation; I'm running Openfire 3.3.1 on a Windows 2003 SP2 server.  I have a mix of Spark 2.5.2 and 2.5.3 clients.  Most of my clients reside on the corporate LAN and connect via the Openfire server's private IP, with no problems whatsoever.  I also have some telecommuters that run Spark clients on their home machines.  These folks connect to our corporate PPTP VPN server, and once they are connected, they connect their Spark clients to the Openfire server's private IP just as the corporate LAN users do.

 

Here's where it gets tricky.  I have an old Windows 2000 Server, running RRAS, which has been acting as my VPN server for a few years now.  When my telecommuters VPN in to this server, their Spark clients authenticate just fine and they can use Spark all day without problems.  However, I'm in the process of replacing my old Windows 2000 servers with new Windows 2003 servers, which I've already done for Openfire.  I've set up RRAS on a new Windows 2003 SP2 server and have configured PPTP VPN as identical to the Windows 2000 config as possible.  When I point my telecommuters to the new VPN server, they can authenticate with the VPN server just fine.  They also can access any host on the network, including the server running Openfire, via ICMP, RDP, FTP, HTTP, SMB, etc.  However, their Spark clients will no longer authenticate with the Openfire server.  The Spark client will sit on the "authenticating" status for about 2 minutes, and then state, "Invalid username or password".

 

Now I know that the Spark clients are finding the Openfire server, because if I point them to an invalid server IP, the client immediately states that it cannot find the server.  I should note that in Openfire I have "Client Connection Security" set to custom with Old SSL method set to "not available" and TLS method set to "Optional".  I've checked everything that I can think of on my VPN server, and I do not have any input or output filters set up, as well as no firewall between it and the Openfire server.  I've also enabled debugging on the Spark client, to capture the authentication process, but it did not provide any useful info.  My next step will be to use a network sniffer to capture a network trace of the authentication process, but I wanted to post this first in case someone had some suggestions.

 

Thanks much.

 

-Ryan

  • Silver 366 posts since
    Dec 9, 2006
    Jun 19, 2007 4:15 PM (in response to Ryan)
    Re: "Invalid username or password" over Win2k3 VPN

    I have a theory, though it could be complete rubbish.

     

    Does the IP pool your new gateway gives out differ from the old one? The only time I've seen this before is when Openfire (or the Windows server it's running on) attempts to use an odd domain controller to authenticate clients, cannot talk to it and times out after a period of time.

     

    Whilst it shouldn't matter - does the address you have on your client belong to a subnet that is associated with the same site as the 2000 server's pool?

          • Silver 366 posts since
            Dec 9, 2006
            Jun 22, 2007 2:00 AM (in response to Ryan)
            Re: "Invalid username or password" over Win2k3 VPN

            How about on your client? The Spark logs should give more information.

             

            If you telnet to your server on port 5222, does the connection stay open (until you press a key and Openfire drops it)?

              • Silver 366 posts since
                Dec 9, 2006
                Jun 24, 2007 11:38 PM (in response to Ryan)
                Re: "Invalid username or password" over Win2k3 VPN

                'Connecting to' means that it hasn't/cannot connect. You should (with a Windows client) see a blank black window with a flashing cursor.

                 

                To me - your issue looks network related. Can you traceroute to the server from the VPN client?

                 

                Your logs just seem to show an inability to connect; the OUTPUT file you posted is just informational (referring to Kerberos auth, which I assume you are not using).
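The port 5222 check suggested in the replies above, taken one step further, as an added example that is not part of the original thread: instead of only opening the TCP connection, it sends the standard XMPP stream header and reports whether the server answers with its stream features (STARTTLS and SASL mechanisms) before any credentials are involved. The function names and stage names are this example's own, and the host and domain are supplied by whoever runs it.

```python
import re
import socket
import sys
import time

# Standard XMPP client stream header (RFC 6120); {domain} is the XMPP domain.
STREAM_OPEN = ("<?xml version='1.0'?><stream:stream to='{domain}' "
               "xmlns='jabber:client' "
               "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>")

def parse_features(reply):
    """Extract STARTTLS support and SASL mechanisms from the server's reply."""
    return {
        "starttls": "urn:ietf:params:xml:ns:xmpp-tls" in reply,
        "mechanisms": re.findall(r"<mechanism>([^<]+)</mechanism>", reply),
    }

def probe_xmpp(host, port=5222, domain=None, timeout=10.0):
    """Report how far a session gets before any credentials are sent.

    Stage names are this example's own: tcp_failed, tcp_only (connected, no
    reply to the stream header), partial_reply, features.
    """
    result = {"stage": "tcp_failed", "seconds": None,
              "starttls": False, "mechanisms": []}
    start = time.monotonic()
    reply = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["stage"] = "tcp_only"
            sock.sendall(STREAM_OPEN.format(domain=domain or host).encode())
            while b"</stream:features>" not in reply:
                chunk = sock.recv(4096)
                if not chunk:      # server closed the connection
                    break
                reply += chunk
    except OSError as exc:         # refused, unreachable, reset or timed out
        result["error"] = str(exc)
    result["seconds"] = round(time.monotonic() - start, 3)
    if reply:
        text = reply.decode("utf-8", "replace")
        done = "</stream:features>" in text
        result["stage"] = "features" if done else "partial_reply"
        result.update(parse_features(text))
    return result

if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python probe.py <openfire-ip> [xmpp-domain]
    print(probe_xmpp(sys.argv[1], domain=(sys.argv[2:] or [None])[0]))
```

Running it once from a LAN host and once from a VPN client and comparing the `stage` and `seconds` values shows whether the two paths diverge before authentication starts.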
