Friday, September 14, 2007

VPN passwords failing after applying ISA 2004 SP3 to SBS

So we apply ISA 2004 SP3 to a dual NIC SBS 2003 R2 Premium server, reboot, test RWW and OWA and everything seems fine internally and externally.
 
Later on after we have left the site we try VPN'ing into the server and the login fails. Huh? So we try VPN'ing as another user with higher rights, still no go. This is a problem.
 
So back to the site we go. Firstly we think that maybe the ADSL modem/router needs firmware updating. We plug a laptop into the ADSL modem/router and try VPN'ing to the second NIC and we get the same problem. So now we know that it is definitely an ISA 2004 issue.
 
Next step is we try to run the Configure Remote Access wizard and it fails, telling us to check the log. When we look at the log located at <DRIVE>:\program files\microsoft windows small business server\support\rraslog.txt we see at the bottom:
 
*** Saving changes and restarting services returned ERROR c0040393
*** CRRASCommit::ConfigureISA2k4() returned ERROR c0040393
*** Configure ISA2k4 returned ERROR c0040393
*** CRRASCommit::CommitEx returned ERROR c0040393

So we did some Googling and came across the following article:
 
 
Which says:

Go to Start | Administrative Tools | Domain Controller Security Policy.
Select Local Policies | User Rights Assignment and the policies are displayed on the right-hand side.
Check each of the following policies by double-clicking:
 
- Adjust memory quotas for a process
- Generate security audits
- Log on as a service
- Replace a process level token
and ensure they have NETWORK SERVICE displayed in the list of users and groups that are assigned to that policy setting. If not, then you need to add it.

Close the policy editor when complete. Run gpupdate /force from the command prompt and reboot the server.
 
After the reboot we went back in and re-ran the remote access wizard which now completed. VPN access was restored.
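
The same four user rights can be checked from a secedit export instead of clicking through each policy. The script below is an added example, not part of the original post or the article it quotes; the sample export is constructed, and the function names and the C:\rights.inf path are hypothetical.

```powershell
# Constructed sample of a secedit user-rights export. On the server, produce the
# real file with:  secedit /export /cfg C:\rights.inf /areas USER_RIGHTS
# (hypothetical path) and pass (Get-Content C:\rights.inf) to Get-UserRights.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544
SeAuditPrivilege = *S-1-5-19
SeServiceLogonRight = *S-1-5-20
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
'@ -split "`r?`n"

$networkServiceSid = '*S-1-5-20'   # NT AUTHORITY\NETWORK SERVICE as secedit writes it

# Policy display name -> privilege constant used in the export
$required = [ordered]@{
    'Adjust memory quotas for a process' = 'SeIncreaseQuotaPrivilege'
    'Generate security audits'           = 'SeAuditPrivilege'
    'Log on as a service'                = 'SeServiceLogonRight'
    'Replace a process level token'      = 'SeAssignPrimaryTokenPrivilege'
}

function Get-UserRights {
    # Parse the [Privilege Rights] section into privilege -> list of holders.
    param([string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
        } elseif ($inSection -and $text -match '^(\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split '\s*,\s*' | Where-Object { $_ })
        }
    }
    $rights
}

function Test-NetworkServiceRights {
    param([hashtable]$Rights)
    foreach ($policy in $required.Keys) {
        $privilege = $required[$policy]
        # A right missing from the export has no holders at all.
        $holders = @($Rights[$privilege])
        [pscustomobject]@{ Policy = $policy; Privilege = $privilege
            HasNetworkService = ($holders -contains $networkServiceSid) }
    }
}
Test-NetworkServiceRights -Rights (Get-UserRights -Lines $sample) | Format-Table -AutoSize
```

Any row where HasNetworkService is False is a policy that still needs NETWORK SERVICE added before re-running the wizard.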
 
From the article the issue is due to :
 
"Group Policy settings that were applied at the domain level have modified the policy settings for the Network Service account on the domain controller. This issue mostly occurs after you promote a member server to a domain controller, or on a migration from a Windows 2000 network where SBS 2003 was joined to the 2000 domain."
 
Which is exactly what happened because we used a swing migration on this server from an existing SBS 2000 machine.
 
Very interesting that it only raised its head when we applied ISA SP3, but at least it is now solved after much puzzlement.