Great post from Jason Jones on the ISAserver.org Web boards:
Thought this info may be of use...
Had an issue today with ISA VPN authenticating to domain controllers that are configured to only accept NTLMv2. This was a problem as MSCHAP and MSCHAP2 only use NTLMv1 by default and hence you cannot autenticate to an ISA VPN conection as the DC’s refuse the credentials.
This can be fixed with Win2k3 SP1 by adding a reg key on the ISA server and restarting the RRAS service. RRAS can then use NTLMv2 allowing successful VPN auth...hurrah!!
Jason Jones - Silversands - http://www.silversands.co.uk
Thanks Jason! Great tip.
Thomas W Shinder, M.D.
MVP -- ISA Firewalls