Microsoft KB Archive/822406

= Clients Cannot Authenticate with a Server After You Obtain a New Certificate to Replace an Expired Certificate on the Server =

Article ID: 822406

Article Last Modified on 11/2/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Datacenter Server

-





SYMPTOMS
After you replace an expired certificate with a new certificate on a server that is running Microsoft Internet Authentication Service (IAS) or Routing and Remote Access, clients that have Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) configured to verify the server's certificate can no longer authenticate with the server. When you view the System log in Event Viewer on the client computer, the following event is displayed:

Event Type: Error
Event Source: Schannel
Event Category: None
Event ID: 36876
Date:
Time:
User: N/A
Computer:
Description: The certificate received from the remote server has not validated correctly. The error code is 0x80090328.

If you enable verbose logging on the server that is running IAS or Routing and Remote Access (for example, by running the netsh ras set tracing * enable command), information similar to the following is displayed in the Rastls.log file that is generated when a client tries to authenticate.

Note If you are using IAS as your Radius server for authentication, you see this behavior on the IAS server. If you are using Routing and Remote Access, and Routing and Remote Access is configured for Windows Authentication (not Radius authentication), you see this behavior on the Routing and Remote Access server.

[1072] 15:47:57:280: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[1072] 15:47:57:280: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[1072] 15:47:57:280: The root cert will not be checked for revocation
[1072] 15:47:57:280: The cert will be checked for revocation
[1072] 15:47:57:280:
[1072] 15:47:57:280: EapTlsMakeMessage(Example\client)
[1072] 15:47:57:280: >> Received Response (Code: 2) packet: Id: 11, Length: 25, Type: 0, TLS blob length: 0. Flags:
[1072] 15:47:57:280: EapTlsSMakeMessage
[1072] 15:47:57:280: EapTlsReset
[1072] 15:47:57:280: State change to Initial
[1072] 15:47:57:280: GetCredentials
[1072] 15:47:57:280: The name in the certificate is: server.example.com
[1072] 15:47:57:312: BuildPacket
[1072] 15:47:57:312: << Sending Request (Code: 1) packet: Id: 12, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[1072] 15:47:57:312: State change to SentStart
[1072] 15:47:57:312:
[1072] 15:47:57:312: EapTlsEnd(Example\client)
[1072] 15:47:57:312:
[1072] 15:47:57:312: EapTlsEnd(Example\client)
[1072] 15:47:57:452:
[1072] 15:47:57:452: EapTlsMakeMessage(Example\client)
[1072] 15:47:57:452: >> Received Response (Code: 2) packet: Id: 12, Length: 80, Type: 13, TLS blob length: 70. Flags: L
[1072] 15:47:57:452: EapTlsSMakeMessage
[1072] 15:47:57:452: MakeReplyMessage
[1072] 15:47:57:452: Reallocating input TLS blob buffer
[1072] 15:47:57:452: SecurityContextFunction
[1072] 15:47:57:671: State change to SentHello
[1072] 15:47:57:671: BuildPacket
[1072] 15:47:57:671: << Sending Request (Code: 1) packet: Id: 13, Length: 1498, Type: 13, TLS blob length: 3874. Flags: LM
[1072] 15:47:57:702:
[1072] 15:47:57:702: EapTlsMakeMessage(Example\client)
[1072] 15:47:57:702: >> Received Response (Code: 2) packet: Id: 13, Length: 6, Type: 13, TLS blob length: 0. Flags:
[1072] 15:47:57:702: EapTlsSMakeMessage
[1072] 15:47:57:702: BuildPacket
[1072] 15:47:57:702: << Sending Request (Code: 1) packet: Id: 14, Length: 1498, Type: 13, TLS blob length: 0. Flags: M
[1072] 15:47:57:718:
[1072] 15:47:57:718: EapTlsMakeMessage(Example\client)
[1072] 15:47:57:718: >> Received Response (Code: 2) packet: Id: 14, Length: 6, Type: 13, TLS blob length: 0. Flags:
[1072] 15:47:57:718: EapTlsSMakeMessage
[1072] 15:47:57:718: BuildPacket
[1072] 15:47:57:718: << Sending Request (Code: 1) packet: Id: 15, Length: 900, Type: 13, TLS blob length: 0. Flags:
[1072] 15:48:12:905:
[1072] 15:48:12:905: EapTlsMakeMessage(Example\client)
[1072] 15:48:12:905: >> Received Response (Code: 2) packet: Id: 15, Length: 6, Type: 13, TLS blob length: 0. Flags:
[1072] 15:48:12:905: EapTlsSMakeMessage
[1072] 15:48:12:905: MakeReplyMessage
[1072] 15:48:12:905: SecurityContextFunction
[1072] 15:48:12:905: State change to SentFinished. Error: 0x80090318
[1072] 15:48:12:905: Negotiation unsuccessful
[1072] 15:48:12:905: BuildPacket
[1072] 15:48:12:905: << Sending Failure (Code: 4) packet: Id: 15, Length: 4, Type: 0, TLS blob le



CAUSE
This issue may occur if all the following conditions are true:
 * The IAS or Routing and Remote Access server is a domain member, but automatic certificate requests functionality (autoenrollment) is not configured in the domain. Or, the IAS or Routing and Remote Access server is not a domain member.
 * You manually request and receive a new certificate for the IAS or Routing and Remote Access server.
 * You do not remove the expired certificate from the IAS or Routing and Remote Access server.

If an expired certificate is present on the IAS or Routing and Remote Access server together with a new valid certificate, client authentication does not succeed. The "Error 0x80090328" result that is displayed in the Event Log on the client computer corresponds to "Expired Certificate."



WORKAROUND
To work around this issue, remove the expired (archived) certificate. To do this, follow these steps:

 1. Open the Microsoft Management Console (MMC) snap-in where you manage the certificate store on the IAS server. If you do not already have an MMC snap-in to view the certificate store from, create one. To do so:
    a. Click Start, click Run, type mmc in the Open box, and then click OK.
    b. On the Console menu (the File menu in Windows Server 2003), click Add/Remove Snap-in, and then click Add.
    c. In the Available Standalone Snap-ins list, click Certificates, click Add, click Computer account, click Next, and then click Finish.
       Note You can also add the Certificates snap-in for the user account and for the service account to this MMC snap-in.
    d. Click Close, and then click OK.
 2. Under Console Root, click Certificates (Local Computer).
 3. On the View menu, click Options.
 4. Click to select the Archived certificates check box, and then click OK.
 5. Expand Personal, and then click Certificates.
 6. Right-click the expired (archived) digital certificate, click Delete, and then click Yes to confirm the removal of the expired certificate.
 7. Quit the MMC snap-in. You do not have to restart the computer or any services to complete this procedure.
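The same check and clean-up can be scripted. The following PowerShell script is an added example, not part of the KB article or of any Microsoft tool: it opens the computer's Personal store with the .NET X509Store IncludeArchived flag (archived certificates are hidden by default, which is why the MMC steps above turn on the Archived certificates view), reports every expired certificate that sits next to a valid certificate for the same subject, and removes those expired copies only when run with -Remove. Run it in an elevated session on the IAS or Routing and Remote Access server; the -Remove switch name is this example's own.

```powershell
# Added example (not from the KB article). Finds expired certificates in the
# computer's Personal (My) store, including archived ones, that coexist with a
# valid certificate for the same subject. Run elevated on the IAS/RRAS server.
# -Remove deletes the expired copies, which is what the MMC workaround does by hand.
param([switch]$Remove)

$flags = [System.Security.Cryptography.X509Certificates.OpenFlags]
$mode  = if ($Remove) { $flags::ReadWrite } else { $flags::ReadOnly }

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
# IncludeArchived makes the archived (replaced, expired) certificates visible;
# without it the store looks clean even though the expired copy is still there.
$store.Open($mode -bor $flags::IncludeArchived)

$now = Get-Date
$groups = @($store.Certificates) | Group-Object -Property Subject

foreach ($group in $groups) {
    # A certificate counts as valid only if it is inside its validity window now.
    $valid   = @($group.Group | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now })
    $expired = @($group.Group | Where-Object { $_.NotAfter -le $now })
    if ($expired.Count -eq 0) { continue }

    foreach ($cert in $expired) {
        $state = if ($cert.Archived) { 'archived' } else { 'visible' }
        $info  = '{0} (thumbprint {1}, expired {2:u})' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

        if ($valid.Count -gt 0) {
            # This is the condition described in the CAUSE section.
            Write-Output ("EXPIRED $state certificate coexists with a valid one: $info")
            if ($Remove) {
                $store.Remove($cert)
                Write-Output ("  removed " + $cert.Thumbprint)
            }
        } else {
            # Expired with no replacement: renew rather than just delete.
            Write-Output ("EXPIRED $state certificate with no valid replacement: $info")
        }
    }
}

$store.Close()
```

Without -Remove the script only reports, so it can be scheduled as a check before a renewal is rolled out.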


MORE INFORMATION
Microsoft recommends that you configure automatic certificate requests to renew digital certificates in your organization. For additional information about certificate autoenrollment in Windows XP, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/bb456981.aspx

Keywords: kbprb kbpending kbbug KB822406

-


© Microsoft Corporation. All rights reserved.