Microsoft KB Archive/326474

= HOW TO: Troubleshoot VPN with Extensible Authentication Protocol (EAP) Authentication =

Article ID: 326474

Article Last Modified on 3/29/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition




This article was previously published under Q326474



IN THIS TASK
SUMMARY
 * Troubleshoot RRAS That Does Not Recognize the Installed Certificate
 * Troubleshoot VPN Client That Does Not Connect

REFERENCES



SUMMARY
This step-by-step article describes how to troubleshoot Extensible Authentication Protocol (EAP) authentication when you are using it with virtual private network (VPN) connections.

Use an Enterprise Certification Authority (CA) to obtain certificates for EAP authentication. According to the Windows 2000 Server Resource Kit Distributed Systems Guide, stand-alone CAs cannot issue certificates for the smart card logon process.

Troubleshoot RRAS That Does Not Recognize the Installed Certificate
RRAS may not recognize the installed certificate on the profile's Authentication tab (EAP Configuration) in the Smart Card or other Certificate Properties dialog box. There is nothing listed on the Certificate issued to menu.

This problem occurs because of an incorrect configuration when you request the certificate.

To resolve this problem, make sure that the RRAS computer requests the certificate by using the Advanced Form. To do this, follow these steps:

 * Make sure that the name in the Name box in the Identifying Information dialog box is in the following format:

.com

 * Make sure that the server type is Server Authentication Certificate.
 * Make sure that the CSP is Microsoft RSA Schannel Cryptographic Provider.
 * Click to select the Use local machine store check box.


Troubleshoot VPN Client That Does Not Connect
An RRAS Profile is configured with the correct, recognized certificate, but the VPN client may not connect. Additionally, you may receive the following error message on the client:

Error 0x80090325: The certificate chain was issued by an untrusted authority.

The following error is listed in the server's System log:

Event 20170

The user DomainUser has connected and failed to authenticate because of the following error: The certificate chain was issued by an untrusted authority.

This problem occurs because the CA certification path is not installed.

To resolve this problem, install the CA certification path on both the client and the server. To do this, browse to http://CAServerName/certsrv and select the Retrieve the CA certificate or certificate revocation list option.
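The following script is an added example, not part of the original article. It checks the conditions that both troubleshooting sections depend on: a certificate in the local machine store that has the Server Authentication purpose and a private key, and a certification path that ends in a trusted root. It assumes Windows PowerShell 3.0 or later running elevated on the RRAS server (newer tooling than the article was written for), and the function name Test-EapServerCertificate is hypothetical.

```powershell
# Added example: audit certificates in the local machine store for use with EAP.
# Assumption: Windows PowerShell 3.0 or later, run elevated on the RRAS server.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication purpose

function Test-EapServerCertificate {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Collect the enhanced key usage OIDs carried by the certificate, if any.
    $ekus = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
        }
    }

    # Build the chain in the machine context, because RRAS runs as a service.
    # Revocation is not checked; this only tests whether the path is trusted.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Certificate)
    $status  = @($chain.ChainStatus | ForEach-Object { $_.Status })

    [pscustomobject]@{
        Subject       = $Certificate.GetNameInfo('SimpleName', $false)
        Thumbprint    = $Certificate.Thumbprint
        ServerAuthEku = $ekus -contains $serverAuthOid
        HasPrivateKey = $Certificate.HasPrivateKey
        ChainTrusted  = $trusted
        ChainStatus   = ($status -join ', ')   # for example UntrustedRoot or PartialChain
    }
}

# Report on every certificate in the local machine Personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-EapServerCertificate -Certificate $_ } |
    Format-Table -AutoSize
```

A row with ChainTrusted set to False and a ChainStatus of UntrustedRoot or PartialChain matches the missing CA certification path described above. A store with no row showing ServerAuthEku and HasPrivateKey as True matches the first problem.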


