Authentication with PEAP-MSCHAPv2 against IAS Radius in W2003 Server not working after Windows update

We are using MSCHAPv2 under PEAP against an IAS Radius Server on Windows 2003 Server as the authentication method for Wifi and VPN clients. After last Tuesday's (11/11/2014) update on the Windows 2003 server, the server does not allow Windows clients to connect. Clients show error 87 ("wrong parameter") and the server log shows the EAP type as "unknown", as it seems it does not recognize PEAP. Linux, MacOS, iOS and Android clients are not affected by the problem.

After removing the KB2992611 patch, everything seems to work OK again. But of course, we are not comfortable with this bypass (in fact, patch removal was not recommended as it was associated with some others).

It is really strange, since Microsoft Security Bulletin MS14-066 does not indicate any functional change, only a vulnerability fix and new cipher suites.

Has anybody experienced the same situation? Any news about a problem with this patch? Does Microsoft know anything about this situation?

Many thanks in advance, Jose.

November 13th, 2014 1:15pm

Has anybody experienced the same situation?

I'm seeing exactly the same behavior here. IAS was rejecting authentication requests from our wireless controller with the error "The message received was unexpected or badly formatted." in the System log on the IAS server. I removed KB2992611 from the IAS server (Windows Server 2003 R2 32-bit) and now it works properly again.

Now I have to decide whether to risk allowing this patch to install on other servers, or accept the risk of running them without this patch.

Philip

  • Edited by Philip Bock Thursday, November 13, 2014 4:49 PM
November 13th, 2014 4:43pm

Hello,

Here is a hotfix available for this issue, and also workarounds: http://support.microsoft.com/kb/933430

The problem is caused by a long list of certificates in Trusted Root Certification Authorities.

This error below clearly indicates that.

Event Type: Warning
Event Source: Schannel
Event Category: None
Event ID: 36885
Date: date
Time: time
User: N/A
Computer: Servername
Description:
When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

November 14th, 2014 10:46am

Hi,

just to clarify, we are not using client certificates, so I guess that our problem is not the certificate list. We just use a server certificate.

Thank you anyway.

November 17th, 2014 8:38am

We are seeing the same issue this morning and the installation of KB933430 did not resolve the issue. For now we have had to remove the update MS14-066.
  • Edited by MikePalmer Monday, November 17, 2014 9:21 AM
November 17th, 2014 9:21am

Installation of hotfix KB933430 replaces schannel.dll with version 5.2.3790.4115 (SP2), which is already a rather old version. Our IAS servers are on version 5.2.3790.5014 (SP2), which apparently has this hotfix already incorporated. MS14-066 replaces schannel.dll with version 5.2.3790.5462.

In other words: the mentioned hotfix is not going to work here as it is already incorporated in the MS14-066 (and some versions released before).

November 17th, 2014 2:56pm

Microsoft has updated the KB article with instructions to disable the cipher suites which this patch adds (https://support.microsoft.com/kb/2992611). I'll probably test this tomorrow and see if it helps. Has anyone checked whether this resolves the issue for them?
November 17th, 2014 7:01pm

Same scenario in my company. After uninstalling 2992611 my RADIUS supplicants authenticated OK again.
December 4th, 2014 4:48pm

Hi,

It seems that update 3018238 will fix the issue caused by KB 2992611.

Here are some references below for you guys:

Slow SQL Server Performance after Windows Update

https://social.technet.microsoft.com/Forums/en-US/c287fac7-32a3-4eec-91b6-249dc897f75a/slow-sql-server-performance-after-windows-update?forum=winserve

MS14-066: Vulnerability in SChannel could allow remote code execution: November 11, 2014

https://support.microsoft.com/kb/2992611

Best Regards,

Amy

December 10th, 2014 2:41am

Hi all,

fix 3018238 is only available for W2K8 R2 and W2K12, and we are using W2K3. Therefore, the fix does not apply to our version... I am afraid we still have the problem.

Thank you anyway.

December 19th, 2014 8:27am

KB2992611 states that the extension of cipher suites is only applicable to W2k8-R2 and W2012. This is the reason that Microsoft has revised MS14-066 for W2k8-R2 and W2012 only (the added cipher suites are disabled by default in the revised version). That keeps us W2k3 admins stuck with the 3 workarounds that are offered in KB933430 (http://support2.microsoft.com/kb/933430). Forget the hotfix. As explained earlier, the schannel.dll update only extends the list of root certificates that is sent to clients from 12 K to 16 K. Your schannel.dll version is probably already 16 K (check the version for that).

I would propose to implement the 3rd option: block the server from sending its certificate list to clients. This would force clients to present all certificates, instead of only those that are installed at the server side.

We are planning to implement this workaround in the first week of January. I'll let you know if that solves the problem here.

December 23rd, 2014 3:55pm

Small update from my end. The network team did not agree with the implementation of my plan in the short term, as the impact will be too high if it fails. Offline testing is a bit complicated, so any failure will result in many service calls from end users.

January 7th, 2015 8:55am

Hi,

thanks for the comment, but I am afraid we are using PEAP and therefore the client does not have to choose any certificate and, of course, the server does not send any root certificate list. That's why the issue you explain does not apply to our case.

Unfortunately, no solution or bypass other than removing the patch (what we did immediately) has been proposed for our problem since it was reported almost two months ago.

Anyway thanks for the interest.

Regards, Jose.

January 9th, 2015 8:00am


Hello,

we have received the new patches, which include update KB3023562, which modifies SCHANNEL.DLL, and when we install it, our Radius Server crashes again. We have removed it (we also see dependencies on KB3004361 and KB3029944), and after a system restart it seems our Radius Server is working OK again. So we again face a situation in which we must remove an update to have our Radius Server working.

Does anybody have any comments about this "new" issue? Has anybody experienced the same problem?

Thanks and regards, Jose.

  • Proposed as answer by Pierre-Luc R Tuesday, February 17, 2015 1:50 PM
February 17th, 2015 8:06am

I confirm the same behavior. We had the issue in November with KB2992611. After uninstalling it, it worked fine.

Then, this morning, the February updates installed and we have the same issue with KB3023562. After uninstalling it, it worked again!


Thanks for the heads up!

February 17th, 2015 1:51pm

I experienced the same problem. In November, after uninstalling KB2992611, our Win 2003 IAS RADIUS server was working OK. In February, after installing KB3023562, our RADIUS stopped working again. We'll test uninstalling KB3023562 in the evening. Why has Microsoft not solved this?
February 20th, 2015 5:57pm

Hello,

we have had an open case with Microsoft since November regarding KB2992611, and now with KB3023562. We had to uninstall both patches, but yesterday we tried to install KB3023562 (which supersedes KB2992611) again in combination with the registry change mentioned in http://support2.microsoft.com/kb/933430 (Method 3), and it is back to a normal operating state. I hope that it'll help some of you lot here.

PS: we use PEAP for user authentication; IAS servers are 32-bit SP2.


March 9th, 2015 3:18am
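As an added diagnostic (not posted by anyone in this thread), the following PowerShell script gathers on the IAS host the facts the thread keeps comparing: the installed schannel.dll build, which of the updates named above are present, the state of the KB933430 Method 3 registry value that the last poster combined with KB3023562, the size of the trusted root store behind event 36885, and the latest Schannel entries in the System log. It assumes PowerShell 2.0 on the server, an elevated session, and the SCHANNEL registry path and SendTrustedIssuerList value documented in KB933430; the -ApplyMethod3 switch is this script's own.

```powershell
param([switch]$ApplyMethod3)   # script's own switch: set SendTrustedIssuerList = 0 when given

# 1. Which schannel.dll build is on the box (the thread compares 4115 / 5014 / 5462).
$dll = Join-Path $env:SystemRoot 'system32\schannel.dll'
$ver = (Get-Item $dll).VersionInfo.FileVersion
Write-Host "schannel.dll file version: $ver"

# 2. Which of the updates named in the thread are installed (IDs come from the thread).
$installed = Get-WmiObject Win32_QuickFixEngineering | ForEach-Object { $_.HotFixID }
foreach ($kb in 'KB2992611', 'KB3023562', 'KB933430', 'KB3018238') {
    if ($installed -contains $kb) { Write-Host "$kb : installed" } else { Write-Host "$kb : absent" }
}

# 3. KB933430 Method 3: SendTrustedIssuerList = 0 stops Schannel from sending the
#    trusted-issuer list during the handshake. A missing value means the default (list is sent).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$cur = (Get-ItemProperty -Path $key -Name SendTrustedIssuerList -ErrorAction SilentlyContinue).SendTrustedIssuerList
if ($cur -eq $null) { Write-Host 'SendTrustedIssuerList: not set (default, list is sent)' }
else { Write-Host "SendTrustedIssuerList: $cur" }
if ($ApplyMethod3 -and $cur -ne 0) {
    Set-ItemProperty -Path $key -Name SendTrustedIssuerList -Value 0 -Type DWord
    Write-Host 'SendTrustedIssuerList set to 0; restart the IAS service (or the server) so Schannel re-reads it.'
}

# 4. Size of the trusted root store, the figure the Schannel 36885 warning quoted above is about.
$roots = @(Get-ChildItem Cert:\LocalMachine\Root)
Write-Host "Trusted root CAs in LocalMachine\Root: $($roots.Count)"

# 5. Latest Schannel warnings/errors in the System log (36885, or the
#    "message received was unexpected or badly formatted" entries Philip reported).
Get-EventLog -LogName System -Source Schannel -EntryType Warning, Error -Newest 10 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EventID, Message | Format-List
```

Run it before and after applying a Schannel update so the version, hotfix and event-log output can be compared side by side.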
