VPNs are a must for secure online communication—they let you connect to private networks from anywhere, keeping your data safe. But sometimes, getting that connection to work isn’t as smooth as we’d like.
One common headache is when VPN connections fail because of MS-CHAPv2 authentication errors. It’s one of those frustrating issues that can leave you stuck, especially when you’re trying to connect to a Windows RRAS server. Add to that Error 691, and you’ve got a real roadblock.
In this post, we’ll dive into these two problems—MS-CHAPv2 authentication issues and Error 691—and show you how to fix them so you can get your VPN back on track.
What You’ll Learn
By the end of this post, you will be able to:
- Understand what MS-CHAPv2 is and how it affects VPN authentication.
- Learn what Error 691 means and why it occurs during VPN connections.
- Follow a step-by-step guide on how to fix these errors on a Windows RRAS server.
What is MS-CHAPv2?
MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2) is an authentication protocol commonly used in VPN connections. It ensures that the user’s identity is verified securely when attempting to access a network.
MS-CHAPv2 works by sending a challenge and response between the client and the server to verify the credentials (such as a username and password).
This protocol is widely used because it provides a good balance between security and compatibility. It’s part of the PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol) VPN solutions, which are common in Windows environments.
However, like any security protocol, MS-CHAPv2 can run into issues, especially when it is misconfigured or when there are incompatible settings between the client and server.
What is Error 691?

Error 691 is one of the most common errors encountered during VPN connections. It typically appears with the following message:
“The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.”
This error usually happens when the VPN server fails to authenticate the user’s credentials, which can be due to:
- Incorrect username or password.
- An unsupported or misconfigured authentication protocol.
- Authentication methods that are not permitted on the server.
While this error may seem like a simple login issue, the underlying problem could be related to the server’s settings or the authentication protocols in use, especially when MS-CHAPv2 is involved.
How Are MS-CHAPv2 Authentication Issues and Error 691 Connected?
MS-CHAPv2 authentication failures often trigger Error 691. When a VPN client attempts to authenticate using MS-CHAPv2, the server may not be able to process the request properly if the settings do not align between the VPN client, RRAS server, and domain controller. This misalignment can result in the error message described above.
A common cause is the NTLM authentication method used by MS-CHAPv2. When the server expects NTLMv2, but the client is trying to use NTLM (which MS-CHAPv2 typically defaults to), authentication fails, leading to Error 691.
Common Causes of MS-CHAPv2 VPN Connection Failures
Cause #1: LmCompatibilityLevel Misconfiguration
The LmCompatibilityLevel registry setting plays a crucial role in controlling the way Windows handles NTLM authentication. If this setting is misconfigured, it can prevent the VPN server from correctly processing MS-CHAPv2 authentication requests.
For example, if the LmCompatibilityLevel is set to 5 (Send NTLMv2 response only. Refuse LM & NTLM), the server will reject any authentication request that uses NTLM. Since MS-CHAPv2 uses NTLM by default, the authentication request fails, triggering Error 691.
Cause #2: NTLMv2 and NTLM Authentication Incompatibility
Another issue that causes MS-CHAPv2 failures is the incompatibility between NTLM and NTLMv2. NTLM is an older version of the NT LAN Manager authentication protocol. In contrast, NTLMv2 is a more secure version that is often used for authentication in modern systems.
If a domain controller is configured to accept only NTLMv2 (for better security), it may reject authentication requests that use NTLM. Since MS-CHAPv2 relies on NTLM for password hashing by default, it can cause the authentication to fail when NTLMv2 is enforced, resulting in Error 691.
Cause #3: Domain Controller Settings
The domain controller (DC) settings also play a major role in the success of VPN authentication. If the domain controller is configured to enforce stricter authentication methods, such as NTLMv2 only, and the RRAS server is using older or less secure methods like NTLM, the authentication will fail. In such cases, users may see Error 691 as the failure message.
Verifying the VPN Connection Issue
Test #1: Using Clear Text Authentication (PAP)
To identify whether the issue is related to MS-CHAPv2, you can first test the connection using a more basic authentication protocol like PAP (Password Authentication Protocol). Since PAP does not use encryption or hashing, it bypasses the need for MS-CHAPv2 or NTLM-based authentication.
If the VPN connection succeeds using PAP, the issue likely lies with MS-CHAPv2 settings or the server’s NTLM configuration.
However, since PAP is not secure, it should only be used for testing purposes, not in production environments.
Test #2: Testing MS-CHAPv2 Locally
Another way to verify the problem is to configure MS-CHAPv2 authentication locally on the RRAS server without involving the domain controller.
This way, the authentication process will not rely on the domain controller’s settings, and if the connection succeeds, it indicates the issue is with the domain controller’s configuration or its compatibility with NTLM.
Step-by-Step Solution to Fix MS-CHAPv2 VPN Connection Errors and Error 691
Step 1: Locate the LmCompatibilityLevel Registry Key
To start fixing the issue, you need to adjust the LmCompatibilityLevel registry setting on the Windows server. Here’s how you can do it:
- Press Win + R, type regedit, and press Enter to open the Registry Editor.
- Navigate to the following path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
The LmCompatibilityLevel registry key controls how Windows handles authentication protocols like NTLM. By changing this setting, you ensure compatibility between the RRAS server and domain controllers that require NTLMv2.
Step 2: Modify the LmCompatibilityLevel Setting
- Right-click on LmCompatibilityLevel and select Modify.
- Set the Value Data to 1 (Send LM & NTLM responses) or 3 (Send NTLMv2 response only). Setting it to 1 ensures that the server can accept both NTLM and NTLMv2, making it more flexible.
- Click OK and close the Registry Editor.
Step 3: Enable NTLMv2 Compatibility for the VPN Server
The next step is to enable NTLMv2 compatibility on the RRAS server. This involves creating a registry entry under the RemoteAccess service.
- Open the Registry Editor again and navigate to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy
- Right-click the Policy folder and select New > DWORD Value.
- Name the new DWORD “Enable NTLMv2 Compatibility”.
- Set the Value Data to 1 and click OK.
This setting ensures that the RRAS server can communicate with the domain controller using NTLMv2, allowing MS-CHAPv2 authentication to work properly.
Step 4: Restart the RRAS Server
After making the changes to the registry, it’s essential to restart the RRAS server for the new settings to take effect. You can do this by either restarting the server manually or using the Services management console.
Once the server restarts, MS-CHAPv2 authentication should work properly, and Error 691 should no longer appear during VPN connections.
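Steps 1 to 4 as a single PowerShell script, added here as an example (it is not from the original post); run it in an elevated session on the RRAS server. The `-LmLevel` parameter, its default of 3 and the `Get-RegDword` helper are choices of this example, while the registry paths, value names and data are the ones given in the steps above.

```powershell
#Requires -RunAsAdministrator
# Added example: applies the registry steps from this post on the RRAS server.
param(
    # Only the two values the post suggests are accepted; the default of 3
    # (Send NTLMv2 response only) is this example's choice.
    [ValidateSet(1, 3)]
    [int]$LmLevel = 3
)

# LmCompatibilityLevel is a DWORD value stored under the Lsa key.
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy'
$rrasValue = 'Enable NTLMv2 Compatibility'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Record the current state first so the change can be reverted if needed.
$before = [pscustomobject]@{
    LmCompatibilityLevel = Get-RegDword -Path $lsaKey -Name 'LmCompatibilityLevel'
    RrasNtlmv2Compat     = Get-RegDword -Path $policyKey -Name $rrasValue
}
$before | Format-List

# Step 2: set LmCompatibilityLevel only if it differs from the requested level.
if ($before.LmCompatibilityLevel -ne $LmLevel) {
    New-ItemProperty -Path $lsaKey -Name 'LmCompatibilityLevel' `
        -PropertyType DWord -Value $LmLevel -Force | Out-Null
}

# Step 3: create the Policy key if it is missing, then the DWORD set to 1.
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
New-ItemProperty -Path $policyKey -Name $rrasValue `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Step 4: restart Routing and Remote Access so the new values are read.
Restart-Service -Name RemoteAccess -Force

# Show the values now in effect.
[pscustomobject]@{
    LmCompatibilityLevel = Get-RegDword -Path $lsaKey -Name 'LmCompatibilityLevel'
    RrasNtlmv2Compat     = Get-RegDword -Path $policyKey -Name $rrasValue
} | Format-List
```

The first `Format-List` output is the pre-change state; keep it with the change record so the previous values can be restored.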
Additional Troubleshooting Tips
Ensure Domain Controller is Properly Configured
After fixing the immediate MS-CHAPv2 and Error 691 issues, it’s important to make sure that your domain controller settings are properly configured to avoid future authentication failures. The domain controller needs to support the necessary authentication protocols for MS-CHAPv2 to function properly.
- Ensure that the Domain Controller is configured to accept NTLMv2 as a valid authentication protocol. If the DC is set to require NTLMv2 only, it will refuse older versions of NTLM or MS-CHAPv2 requests that use incompatible hashing methods.
- You can verify this in the Group Policy settings under the Security Settings section. Ensure that NTLMv2 is enabled and that LM and NTLM are disabled for security purposes.
Check Account Lockout Policies
It’s also worth checking the account lockout policies on your domain controller. If an incorrect password is entered multiple times during authentication attempts, the account may get locked out.
- Review the account lockout settings in the Group Policy and ensure they are set appropriately.
- If you notice that Error 691 is being triggered frequently, causing account lockouts, you may need to reset the bad password count on the user account to allow further authentication attempts.
Additionally, configuring shorter lockout durations or allowing users to unlock their accounts automatically can be helpful for preventing disruptions when troubleshooting authentication issues.
Review RRAS and Event Logs for Errors
If the problem persists or you want more details on what’s going wrong, review the RRAS server logs and Event Viewer for any relevant error messages.
- Navigate to Event Viewer > Applications and Services Logs > Microsoft > Windows > RemoteAccess to find logs related to VPN connections.
- Look for any entries related to authentication failures, Error 691, or MS-CHAPv2 issues. These logs often provide detailed information that can help you pinpoint the root cause of the problem.
By regularly checking the logs, you can stay ahead of potential problems and ensure that your VPN service is running smoothly.
Conclusion
We’ve covered how MS-CHAPv2 VPN errors and Error 691 often happen due to misconfigured server settings, especially around NTLM and NTLMv2 compatibility. The fix is simple: adjust the LmCompatibilityLevel registry setting and enable NTLMv2 compatibility. Follow the steps, and you’ll get your VPN connections back on track.
For smooth, secure VPN operations, always ensure your authentication protocols are properly configured. Misaligned settings between your RRAS server and domain controller can lead to errors and lockouts.
Final Tips:
- Use secure protocols like NTLMv2 and MS-CHAPv2.
- Regularly check and align server and domain controller settings.
- Test your VPN connection to catch issues early.
By staying proactive with your configuration, you can prevent these common VPN issues from recurring.