Udostępnij za pośrednictwem


Frequently Asked Questions

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

 

Frequently Asked Questions

The following are some of the most frequently asked questions regarding Connection Manager and the Connection Manager Administration Kit (CMAK). These questions are based on actual calls to Microsoft product support services and might save you time and effort.

Unexpected profile actions

  • My users can connect to the server when using the service profile, but authentication fails.

  • My VPN service profile takes too long to connect.

  • The connection failed to complete after the user was authenticated.

  • My ISDN users connect at 64 kilobits per second.

  • My merged service profile does not work the way I expect.

  • The Connection Manager interface appears unexpectedly.

  • Nothing happens when my Windows 2000 users double-click the connection icon in the Network and Dial-up Connections folder.

  • My service profile does not work properly when users log on to Windows with it.

Profile administration

  • The phone book for the service profile is not being updated.

  • I cannot populate a previously installed service profile with user credentials and phone numbers.

  • I want to dynamically change the VPN address for a service profile.

Profile creation and development

  • I do not understand the difference between networking settings and dial-up entry names.

  • I want to create a profile in which some numbers dial directly to my corporate network and other numbers connect through a virtual private network (VPN) tunnel.

  • I want to create a VPN-only profile.

  • I want to provide user credentials and phone numbers for my service profile for first-time users.

  • I want to create Connection Manager profiles in more than one language.

Unexpected profile actions

My users can connect to the server when using the service profile, but authentication fails.

Cause: The server running Routing and Remote Access cannot connect to the authentication server.

Solution: Verify connectivity between the server running Routing and Remote Access and the authentication server.

Cause: The authentication server has been improperly specified or configured for dial-up access.

Solution: Verify that the authentication server specified in the service profile is correct. Check the user account and make sure that dial-up access has been enabled. Look up any Group Policy rules that might restrict access by time or date.

Cause: Settings for one or more dial-up entries have been improperly specified.

Solution: Check the security settings for each dial-up entry, including component service profiles. The simplest way to do this is to run the CMAK wizard and choose to edit the service profile. When you reach Dial-up Networking Entries, click each entry, and choose Edit. On the Security tab, make sure that all of the security settings are properly specified. One common error is to select Use advanced security settings for a service profile issued to users using Windows 98.

Solution: Make sure that the phone book files (.pbk) have the correct settings for each dial-up entry. For each phone book you include in the service profile, open the .pbk file, and check the Dial-up Networking entry field, which is the eleventh field, in each POP. Make sure that this field is specified appropriately for each POP in each phone book.

See also:Advanced Customization; Add, edit, or delete POPs by command line

Cause: Prefix and suffix information might have been specified differently in one or more of the component profiles merged into the issued service profile.

Solution: Check the UserNamePrefix and UserNameSuffix keys in every .cms file in the service profile. A value for this key specified in the component profile will override the top-level service profile settings.

See also:Merging phone books and other features from existing service profiles; Providing a realm name; Advanced Customization

My VPN service profile takes too long to connect.

Cause: Certificates are invalid or missing.

Solution: Delays in excess of one minute often indicate a failure in the L2TP/IPSec protocol negotiation. Make sure all service profile users have the newest certificates installed on their computers.

See also:Certificate Services

Cause: A round robin server solution is causing delays in authentication.

Solution: If you are using a round robin server solution for L2TP/IPSec VPN servers, a failure to authenticate on one or more servers can result in variable delays. Depending on the profile settings, Connection Manager might redial each VPN server multiple times. Make sure that each VPN server is configured to accept the profile and that each server is responding.

See also:Configuring round robin

The connection failed to complete after the user was authenticated.

Cause: The service profile contains improper post-connect actions.

Solution: Check the [Connect Actions] section in the service profile's .cms files for proper behavior on target platforms.

See also:Incorporating custom actions

Cause: The routing table update file is attempting to delete a route that does not exist.

Solution: Check the routing table update file for outdated or inaccurate route changes.

See also:Including routing table updates

My ISDN users connect at 64 kilobits per second.

Cause: The ISDNDialMode key value is not set to bind dual channels.

Solution: Use advanced customization techniques to change the value of the ISDNDialMode key to the appropriate value and reissue the profile.

See also:Advanced Customization; Connection Manager keys

My merged service profile does not work the way I expect.

Cause: The settings in component service profiles conflict.

Solution: Check phone book filtering. Your region settings might not be the same in all phone book region (.pbr) files. If you are using custom service types in any or all phone books, you need to apply these to each .cms file.

Solution: Check the realm name information in each .cms file included in the merged service profile. Any realm information in a component profile will be overridden by realm information specified in the .cms file of the top-level profile. You should leave the realm name field in the top-level service profile blank if you need to merge profiles with different realm information.

Solution: Check the tunnel addressing information. Tunnel addressing information specified for the top-level service profile is used for all phone books merged into it.

Solution: Check the settings for the DUN and TUNNELDUN keys in all the .cms files included in the merged service profile. The default dial-up settings originate in the .cms file associated with the user-selected phone book, while VPN settings originate from the top-level .cms file.

See also:Advanced Customization; Providing a realm name; Implementing VPN support; Merging phone books and other features from existing service profiles

The Connection Manager interface appears unexpectedly.

Cause: Internet Explorer is improperly configured for your service.

Solution: Assist your users in changing their Internet Explorer options. In Internet Explorer, click the Tools menu. Click Internet Options, click the Connections tab, and choose the appropriate dial-up option. The default option is to always dial the default connection. However, your profile might work best if a connection is never dialed or if a connection is dialed only when an Internet-based program is started and a network connection is not present.

Cause: Custom actions requiring Internet access continue to run after the connection has been terminated.

Solution: Test the service profile to make sure that all custom actions terminate properly. If necessary, reissue the service profile after you add a disconnect action that ensures that programs terminate properly.

See also:Incorporating custom actions

Nothing happens when my Windows 2000 users double-click the connection icon in the Network and Dial-up Connections folder.

Cause: The installation of the Connection Manager 1.3 software did not complete correctly. Mismatched Connection Manager software binaries are causing the connection software to fail.

Solution: Instruct the user to uninstall the Connection Manager 1.3 software and then to reinstall the profile. To uninstall Connection Manager 1.3, click Start, point to Settings, click Control Panel, double-click Add or Remove Programs, click Microsoft Connection Manager 1.3, and click Remove. This process restores the Windows 2000 Connection Manager binaries on the user’s computer. The user should then reinstall the Connection Manager service profile that included the Connection Manager 1.3 software.

See also:Troubleshooting process; Adding Connection Manager 1.3 to the service profile

My service profile does not work properly when users log on to Windows with it.

Cause: Custom actions have not been enabled to run when users log on to Windows with your service profile.

Solution: Check whether you need to change user registry settings in order to run custom actions when users log on to Windows with your profile. Consider issuing a profile without custom actions for use in logging on to Windows.

See also:Incorporating Connection Manager with logon security

Cause: Connection Manager treats "Log on using dial-up connection" as a separate user with limited permissions. Settings applied to "Log on using dial-up connection," such as proxy configuration, are not applied to individual user accounts after logging on.

Solution: Consider advising your users to log on to their local computers before using a Connection Manager profile to log on to your domain.

See also:Incorporating Connection Manager with logon security

Profile administration

The phone book for the service profile is not being updated.

Cause: Improperly set Internet proxy settings is preventing phone book downloads.

Solution: Check the proxy settings for the service profile. If you are using automatic proxy configuration in your service profile, check those settings and the proxy server.

See also:Common problems and their solutions; Using automatic proxy configuration

Cause: One or more Phone Book Service (PBS) servers is out of service.

Solution: Check the log files on your PBS servers for error messages.

See also:Phone Book Service error messages

Cause: A URL in the service profile points to a server that cannot be found.

Solution: Check the URLs specified in the service profile. You can do this by editing the profile in the CMAK wizard or by checking the settings directly in the [ISP] section of the .cms file. If the profile in question was created by merging other service profiles, check the URLs in all the .cms files used by the profile.

See also:Advanced Customization; Providing phone book support; Merging phone books and other features from existing service profiles

I cannot populate a previously installed service profile with user credentials and phone numbers.

Cause: Updated profiles cannot overwrite user settings.

Solution: Populate the credentials in the .cmp file of the service profile when you create it. Run the CMAK wizard again. Issue the new service profile to your users. Include a custom uninstallation and reinstallation package or instructions on how to uninstall the old service profile and install the new version.

I want to dynamically change the VPN address for a service profile.

Solution: Write a custom pre-tunnel action that adjusts the VPN address in the .cms file as needed. This feature might not be available in future releases. Consider the security implications of dynamically changing a VPN address before you implement this solution.

See also:Incorporating custom actions

Profile creation and development

I do not understand the difference between networking settings and dial-up entry names.

Solution: Dial-up entry names identify combinations of networking settings. You can specify different networking settings for each dial-up entry. You usually name dial-up entries on the Settings tab of the Add POP pane of Phone Book Administrator. Those names appear in the Dial-up Networking Entries pane of the CMAK wizard. Connection Manager uses a dial-up entry to determine which combination of networking settings are required for a service profile.

See also:Incorporating custom dial-up entries

I want to create a profile in which some numbers dial directly to my corporate network and other numbers connect through a virtual private network (VPN) tunnel.

Solution: Create two phone books, one for a direct dial connection and the other for a VPN tunnel to your network. Create a profile with your direct dial phone book. Create a top-level profile that merges the direct dial profile and incorporates the VPN phone book. On the VPN Support pane, select the Phone book from this profile check box.

See also:Merging phone books and other features from existing service profiles; Implementing VPN support

I want to create a VPN-only profile.

Solution: To create a VPN-only profile, start the CMAK wizard. Select the Phone book from this profile check box on the VPN Support pane, and specify a VPN server or a VPN file. Configure the VPN entry or entries with the correct security and addressing information for your network. Do not specify a phone book file on the Phone Book pane, and clear the Automatically download phone book updatescheck box. You do not need to configure the default dial-up entry for the profile. On the last pane of the wizard, select the Advanced Customization check box. On the Advanced Customization pane, click the profile .cms file, click the [Connection Manager] section, and set the value of the Dialup key to zero. Click Apply, and finish the wizard. This will create a VPN-only profile, without a General tab in the Properties dialog box for the profile. Users of your profile will not see any phone or dialing information.

See also:Implementing VPN support; Incorporating VPN entries

I want to provide user credentials and phone numbers for my service profile for first-time users.

Solution: Use advanced customization techniques to assign values to the keys for which you want to provide first-time use data, such as Username. These keys must be assigned in the .cmp file, and they will only be available the first time the profile is used. For passwords, you must edit three keys: PCS, RememberPassword, and Password. The PCS key should always be set to 0; the values of the other keys will vary according to your profile needs. If you want this password to be available to all users who connect from the same computer, you must edit an additional key, KeepDefaultCredentials. If this key is not set to the appropriate value, only the person who installs this profile will have access to the credentials you provide for first-time use. Consider the security implications of providing a password for the first user who installs and uses the profile.

See also:Advanced Customization

I want to create Connection Manager profiles in more than one language.

Solution: You can use the Multi-User Language Interface (MUI) with the CMAK wizard to build a Connection Manager profile in a language other than the one installed with your operating system. You can include the Connection Manager software with that profile, but Connection Manager will appear in the language installed with your operating system, not in the MUI language. You can choose not to include the Connection Manager software with the profile, but your users might not have access to all the current features of Connection Manager.

To include a version of Connection Manager in the same language as the profile, you must build the profile using the CMAK wizard on an operating system that was installed with the appropriate language. The CMAK wizard comes with Windows Server 2003 operating systems. You can also install the CMAK wizard on Windows XP Professional with the Windows Server 2003 Administration Tools Pack.

See also:Creating profiles in multiple languages