VPN Log in fails - Unknown User

George_Ellis — Wed, 10 Dec 2025 16:03:15 GMT

We encountered a mystery this week. Suddenly, clients that were working before could not log in. There no faults on the VPN servers. The client was getting a "negotiation failed" message. Retries and reboots failed.

When you look at the VPN logs using this search string:

action:"Failed Log In"

You will find fails and the Mobile Access Details will have:

Reason - Unknown user.

Cause:
Dependencies:
1) The client is set to use Default Browser for authentication. That appears to be the workaround by default for 89.00 to fix the issue with Win 11 2H25. Or the browser has been set per sk180395.
2) The VPN is using SAML authentication

Either by design or user response, when asked if they wish to allow Network Access when they open the VPN site, they clicked Block.

Resolution:
1) Extreme case, delete cookies and select Allow the next time you are challenged.
2) For Edge, use this link to get to the setting and add the vpn urls to the allowed sites (something similar is used for Chrome.)
edge://settings/privacy/sitePermissions/allPermissions/localNetworkAccess
3) (Untested at this point YMMV) - For corporate sites with GPO management, add it as part of the policy. The key is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\LocalNetworkAccessAllowedForUrls]
"1"="[*.]myvpn.mycompany.dotwhatever

Caution is required. The index number, in this case, "1" will overwrite whatever is already "1". Therefore, they need to correctly index that string with what they may already be doing. The above is .reg file format. You can make a .reg file to apply that with the reg header

Windows Registry Editor Version 5.00

If you are unsure of the index numbers, you can ask Grok to write a script to test for the values used and select the next. Grok offered this yesterday for Powershell and I have NOT tested or tried it. Buyer beware.

# Define the registry path and new URL(s) to add : From Grok on request
$regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Edge\LocalNetworkAccessAllowedForUrls"
$newUrls = @(
    "https://your-vpn-site.example.com"  # Add more here if needed, one per line
    # "[*.]subdomain.example.com"
)

# Create the key if it doesn't exist
if (!(Test-Path $regPath)) {
    New-Item -Path $regPath -Force | Out-Null
}

# Get current values (sorted by name/index)
$existing = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue | 
            Get-Member -MemberType NoteProperty | 
            Where-Object { $_.Name -match '^\d+$' } | 
            Sort-Object { [int]$_.Name }

# Determine the next starting index
$nextIndex = if ($existing) { [int]($existing[-1].Name) + 1 } else { 1 }

# Add new URLs starting from nextIndex
for ($i = 0; $i -lt $newUrls.Count; $i++) {
    $index = $nextIndex + $i
    Set-ItemProperty -Path $regPath -Name $index -Value $newUrls[$i] -Type String
}

Write-Output "Added $($newUrls.Count) URL(s) starting at index $nextIndex."

H/T to my co-worker Sunil Shivnani for finding the root cause.

Re: VPN Log in fails - Unknown User

the_rock — Wed, 10 Dec 2025 16:38:09 GMT

Very helpful @George_Ellis

topic VPN Log in fails - Unknown User in SASE and Remote Access

VPN Log in fails - Unknown User

Re: VPN Log in fails - Unknown User