Microsoft KB Archive/936626

= A computer password is not automatically changed during 802.1X authentication when you select the "Allow client to change password after it has expired" check box in Internet Authentication Service on a Microsoft Windows Server 2003-based computer =

Article ID: 936626

Article Last Modified on 11/30/2007


APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
 * Microsoft Windows Server 2003, Datacenter x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Standard x64 Edition




SYMPTOMS
Consider the following scenario in Internet Authentication Service (IAS) on a Microsoft Windows Server 2003-based computer:
 * You configure the following authentication method for a remote access policy:
 ** You enable Protected Extensible Authentication Protocol (PEAP) authentication together with the "Secured password (EAP-MSCHAPv2) EAP" authentication method.
 ** In the EAP MSCHAPv2 Properties dialog box, you select the "Allow client to change password after it has expired" check box. Note: By default, this check box is selected.
 * Then, a computer password expires, and it becomes invalid on the domain.

In this scenario, the computer password is not automatically changed when the computer authenticates in IAS by using 802.1X authentication. However, you expect PEAP-MSCHAPv2 authentication to be successful because the Allow client to change password after it has expired check box is selected. You usually experience this problem if the user reauthentication option is disabled in the remote access policy.



CAUSE
This problem occurs because the "Allow client to change password after it has expired" option applies only to user authentication. The option does not apply to computer authentication, because only user authentication can prompt the user for new credentials. Therefore, 802.1X computer authentication is unsuccessful.



WORKAROUND
To work around this problem, enable the user authentication option in IAS. When you do this, computer authentication is still unsuccessful, but user authentication is successful. Therefore, a secure channel is established, and the computer password is reset.



MORE INFORMATION
For more information about how to deploy or configure IAS, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/network/bb643123.aspx

Additional query words: RADIUS wireless

Keywords: kbtshoot kbprb KB936626


© Microsoft Corporation. All rights reserved.