Microsoft KB Archive/930455

= After you disable an RCA that was automatically added by a client computer that uses IEEE 802.1X authentication, the Windows XP-based client computer or the Windows Server 2003-based client computer unexpectedly still trusts the RCA =

Article ID: 930455

Article Last Modified on 2/22/2007


APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Professional




SYMPTOMS
Consider the following scenario:
 * On a Microsoft Windows XP-based client computer or a Microsoft Windows Server 2003-based client computer, you configure the client computer to use IEEE 802.1X authentication.
 * You modify the properties of the IEEE 802.1X authentication method to enable or to disable a Trusted Root Certification Authority (TRCA) by using a TRCA list. For example, you use a TRCA to issue a certificate for a RADIUS Server.

In this scenario, none of the check boxes for the RCAs in the TRCA list are selected by default. However, the client unexpectedly trusts these RCAs. Additionally, if you use the TRCA list to disable a Root Certification Authority (RCA) that was automatically added during the installation of the operating system, the client unexpectedly still trusts the RCA.

Note: If you use the TRCA list to disable an RCA that was manually added, the client will not trust the RCA. This is expected. This problem occurs when you use wired 802.1X or wireless 802.1X together with any kind of authentication method.



CAUSE
This problem occurs because all the TRCAs are always trusted. This is the default behavior. Additionally, the list of TRCAs only refers to the Root Certification Authority that was recently added. Therefore, if you use the TRCA list to disable a Root Certification Authority (RCA) that was automatically added by the client, the client unexpectedly still trusts the RCA.
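The following added example (not Microsoft code, and not part of the original article) models the trust decision described above so that the gap between the TRCA list and the effective trust set can be computed. The root names, the "auto"/"manual" origin labels and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Root:
    name: str
    origin: str  # "auto" = added automatically with the OS, "manual" = added by an administrator

def trusted_as_described(root, selected):
    """Behaviour the article reports: automatically added roots stay trusted,
    so the TRCA list only takes effect for manually added roots."""
    return root.origin == "auto" or root.name in selected

def trusted_as_expected(root, selected):
    """Behaviour an administrator expects: only roots checked in the TRCA list."""
    return root.name in selected

def excess_trust(store, selected):
    """Roots that are not selected in the TRCA list but are trusted anyway."""
    return sorted(r.name for r in store
                  if trusted_as_described(r, selected)
                  and not trusted_as_expected(r, selected))

def server_cert_accepted(issuing_root, store, selected, decide):
    """Would a RADIUS server certificate chaining to issuing_root be accepted?"""
    root = next((r for r in store if r.name == issuing_root), None)
    return root is not None and decide(root, selected)

# Constructed sample data: two roots shipped with the OS, two added by hand.
STORE = [
    Root("Example Public Root A", "auto"),
    Root("Example Public Root B", "auto"),
    Root("Corp RADIUS Root", "manual"),
    Root("Lab Test Root", "manual"),
]
SELECTED = {"Corp RADIUS Root"}  # the only box checked in the TRCA list

if __name__ == "__main__":
    print("Trusted although not selected:", excess_trust(STORE, SELECTED))
    for issuer in (r.name for r in STORE):
        print(issuer,
              "| described:", server_cert_accepted(issuer, STORE, SELECTED, trusted_as_described),
              "| expected:", server_cert_accepted(issuer, STORE, SELECTED, trusted_as_expected))
```

On an affected client, the effective trust set for validating the RADIUS server certificate is the selected roots plus every automatically added root, so an inventory of the automatically added roots is needed to know what the client will actually accept.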



Steps to reproduce

 1. Configure the client network connection to use 802.1X authentication.
 2. Make sure that you have added a TRCA on the client.
 3. Configure a valid certificate for the RADIUS server by using the TRCA that is mentioned in step 2.
 4. Configure the properties of the 802.1X authentication method on the client. Make sure that you enable the TRCA that is mentioned in step 2 and that you disable one default TRCA.
 5. Start 802.1X authentication. For example, enable or disable the Ethernet network adapter.
 6. The connection will succeed unexpectedly.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Keywords: kbtshoot kbprb KB930455


© Microsoft Corporation. All rights reserved.