ISA 2004: User Mappings and Failed VPN Connections

I was working with a customer troubleshooting a VPN connection problem last night.

The short version is: if you're seeing VPN connections fail for no obvious reason, check whether User Mapping is enabled in the ISA VPN properties. It's described as a feature that lets non-Windows users be mapped to Windows user groups, but I'm not (yet) clear on how it works - only that if you don't know you need it, you probably don't, so un-tick it! My initial assumption was that it let RADIUS do the authentication, but RADIUS authentication for VPN connections doesn't depend on this setting and works without it, so I'm a tad clueless for the time being.

The symptom that turning this feature off fixed was this: a client was able to connect to the ISA Server via PPTP and successfully authenticate (IAS logs show the user was authenticated successfully), but then near-instantly failed to make it from authentication to connection - from memory, an error 691 on the client.

[Update] If you copy the "Failed VPN Connection Attempt" line of the ISA logs to the clipboard and see the error FWX_E_VPN_USER_MAPPING_FAILED, you're having a User Mapping problem, so the above might apply.