Thursday, July 9, 2015

VPN Error 691

Recently I've been having some issues with our VPN - every time I try to connect from home, I get an error 691 - 'Access denied because username and/or password is invalid on the domain'.

When I check the VPN logs, this error pops up as the connection is refused:
...vpn 0x01E=691 R=1...

We use a mobile One Time Password (mOTP) app to provide two-factor authentication, so I checked that the secret, the PIN and the time all match up on the VPN device and my laptop / phone - all looked good.

After much messing around I've managed to work out that the mobile phone is running about 40 seconds ahead of the VPN device - even though they're both pointing to Internet NTP servers... 40 seconds shouldn't make a difference, should it? Well it does. If I wait until the last 10 seconds of the current valid mOTP password and then connect, no problem. If I use a newly generated mOTP password, then it's a no-go.

So... 40 seconds makes a big difference in the world of VPNs!
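The symptom above is what a time-step OTP verifier produces when it accepts only current and past steps and the token clock runs ahead. The sketch below is an added example, not code from the VPN device or the original post; it assumes the published Mobile-OTP construction (first 6 hex characters of MD5 over the 10-second step, secret and PIN), and the secret, PIN, timestamp and window sizes are constructed values.

```python
import hashlib
import hmac

STEP = 10  # seconds per time step (Mobile-OTP granularity, assumed here)

def motp(secret: str, pin: str, epoch: int) -> str:
    """Mobile-OTP style code: first 6 hex chars of MD5(step + secret + pin)."""
    data = f"{epoch // STEP}{secret}{pin}".encode()
    return hashlib.md5(data).hexdigest()[:6]

def verify(code, secret, pin, server_epoch, past=180, future=0):
    """Check a code against the server clock.

    Returns how far the matching step is from the server's current step,
    in seconds (positive = token clock ahead), or None if nothing in the
    window matches. Logging this offset exposes drifting tokens.
    """
    now_step = server_epoch // STEP
    for delta in range(-(past // STEP), future // STEP + 1):
        expected = motp(secret, pin, (now_step + delta) * STEP)
        if hmac.compare_digest(expected, code):
            return delta * STEP
    return None

# Constructed sample values, not taken from any real deployment.
SECRET, PIN = "0123456789abcdef", "1234"
SERVER_T = 1436400000          # server clock at login time
SKEW = 40                      # phone runs 40 s ahead, as in the post

def demo():
    fresh = motp(SECRET, PIN, SERVER_T + SKEW)   # code just generated on the phone
    return (
        verify(fresh, SECRET, PIN, SERVER_T),             # backward-only: rejected
        verify(fresh, SECRET, PIN, SERVER_T + SKEW),      # same code, 40 s later: accepted
        verify(fresh, SECRET, PIN, SERVER_T, future=60),  # symmetric window: accepted
    )

if __name__ == "__main__":
    print(demo())
```

A wider forward window trades replay exposure for drift tolerance, so fixing the clock source on the device that is off is usually the better remedy.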

