Authentication with PEAP-MSCHAPv2 against IAS Radius in W2003 Server not working after Windows update
We are using MSCHAPv2 under PEAP against an IAS RADIUS server on Windows 2003 Server as the authentication method for Wi-Fi and VPN clients. After last Tuesday's (11/11/2014) update on the Windows 2003 server, the server no longer allows Windows clients to connect. Clients show error 87 ("wrong parameter") and the server log shows the EAP type as "unknown", so it seems it does not recognize PEAP. Linux, MacOS, iOS and Android clients are not affected by the problem.
After removing the KB2992611 patch, everything seems to work OK again. But of course, we are not comfortable with this bypass (in fact, patch removal was not recommended as it was associated with some others).
It is really strange, since Microsoft Security Bulletin MS14-066 does not indicate any functional change, only a vulnerability fix and new cipher suites.
Has anybody experienced the same situation? Any news about a problem with this patch? Does Microsoft know anything about this situation?
Many thanks in advance, Jose.
November 13th, 2014 1:15pm
Has anybody experienced the same situation?
I'm seeing exactly the same behavior here. IAS was rejecting authentication requests from our wireless controller with the error "The message received was unexpected or badly formatted." in the System log on the IAS server. I removed KB2992611 from the IAS server (Windows Server 2003 R2 32-bit) and now it works properly again.
Now I have to decide whether to risk allowing this patch to install on other servers, or accept the risk of running them without this patch.
Philip
Edited by Philip Bock, Thursday, November 13, 2014 4:49 PM
November 13th, 2014 4:43pm
Hello,
Here is a hotfix available for this issue, and also workarounds: http://support.microsoft.com/kb/933430
The problem is caused by a long list of certificates in Trusted Root Certification Authorities.
The error below clearly indicates that.
Event Type: Warning
Event Source: Schannel
Event Category: None
Event ID: 36885
Date: date
Time: time
User: N/A
Computer: Servername
Description: When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
November 14th, 2014 10:46am
Hi,
Just to clarify, we are not using client certificates, so I guess that our problem is not the certificate list. We just use a server certificate.
Thank you anyway.
November 17th, 2014 8:38am
We are seeing the same issue this morning and the installation of KB933430 did not resolve the issue. For now we have had to remove the update MS14-066.
Edited by MikePalmer, Monday, November 17, 2014 9:21 AM
November 17th, 2014 9:21am
Installation of hotfix KB933430 replaces schannel.dll with version 5.2.3790.4115 (SP2), which is already a rather old version. Our IAS servers are on version 5.2.3790.5014 (SP2), which apparently has this hotfix already incorporated. MS14-066 replaces the schannel.dll with version 5.2.3790.5462.
In other words: the mentioned hotfix is not going to work here, as it is already incorporated in MS14-066 (and some versions released before).
November 17th, 2014 2:56pm
Microsoft has updated the KB article with instructions to disable the cipher suites which this patch adds (https://support.microsoft.com/kb/2992611). I'll probably test this tomorrow and see if it helps. Has anyone checked whether this resolves the issue for them?
November 17th, 2014 7:01pm
Same scenario in my company. After uninstalling 2992611 my RADIUS supplicants authenticated OK again.
December 4th, 2014 4:48pm
Hi all,
Fix 3018238 is only available for W2K8 R2 and W2K12, and we are using W2K3. Therefore, the fix does not apply to our version... I am afraid we still have the problem.
Thank you anyway.
December 19th, 2014 8:27am
KB2992611 states that the extension of cipher suites is only applicable to W2k8-R2 and W2012. This is the reason that Microsoft has revised MS14-066 for W2k8-R2 and W2012 only (the added cipher suites are disabled by default in the revised version). That keeps us W2k3 admins stuck with the 3 workarounds that are offered in KB933430 (http://support2.microsoft.com/kb/933430). Forget the hotfix. As explained earlier, the schannel.dll update only extends the list of root certificates that is sent to clients from 12 K to 16 K. Your schannel.dll version is probably already 16 K (check the version for that).
I would propose to implement the 3rd option: block the server from sending its certificate list to clients. This would force clients to present all certificates, instead of only those that are installed at the server side.
We are planning to implement this workaround in the first week of January. I'll let you know if that solves the problem here.
December 23rd, 2014 3:55pm
Small update from my end. The network team did not agree with the implementation of my plan in the short term, as the impact will be too high when it fails. Offline testing is a bit complicated, so any failure will result in many service calls from end users.
January 7th, 2015 8:55am
Hi,
Thanks for the comment, but I am afraid we are using PEAP and therefore the client does not need to choose any certificate and, of course, the server does not send any root certificate list. That's why the issue you explain does not apply to our case.
Unfortunately, no solution or bypass other than removing the patch (what we did immediately) has been proposed for our problem since it was reported almost two months ago.
Anyway thanks for the interest.
Regards, Jose.
January 9th, 2015 8:00am
Hello,
We have received the new patches, which include update KB3023562. It modifies SCHANNEL.DLL, and when we install it our RADIUS server crashes again. We have removed it, and we see dependencies on KB3004361 and KB3029944 also, but after a system restart it seems our RADIUS server is working OK again. So we face again a situation in which we must remove an update to have our RADIUS server working.
Does anybody have any comments about this "new" issue? Has anybody experienced the same problem?
Thanks and regards, Jose.
Proposed as answer by Pierre-Luc R, Tuesday, February 17, 2015 1:50 PM
February 17th, 2015 8:06am
I confirm the same behavior. We had the issue in November with
KB2992611. After uninstalling it, it worked fine.
Then, this morning, the February updates installed and we have the same issue with
KB3023562. After uninstalling it, it worked again!
Thanks for the heads up!
February 17th, 2015 1:51pm
I experienced the same problem. In November, after uninstalling KB2992611, our Win 2003 IAS RADIUS server was working OK. In February, after installing KB3023562, our RADIUS stopped working again. We'll test uninstalling KB3023562 in the evening. Why has Microsoft not solved this?
February 20th, 2015 5:57pm
Hello,
We have had an open case with Microsoft since November regarding KB2992611 and now KB3023562. We had to uninstall both patches, but yesterday we tried to install KB3023562 (which supersedes KB2992611) again, in combination with the registry change mentioned in http://support2.microsoft.com/kb/933430 (Method 3), and it is back to its normal operating state. I hope that it'll help some of you lot here.
PS we use PEAP for user authentication, IAS servers are 32bit SP2
Edited by Jozef Chudy, 17 minutes ago
March 9th, 2015 3:18am
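A triage script for the procedure this thread converges on, added here as an example that is not part of any post and not Microsoft's code: it reports the schannel.dll version against the versions quoted in the thread, lists which of the two blamed updates are installed, counts Schannel 36885 warnings, and with -Apply sets the KB933430 Method 3 registry value so the server stops sending its trusted-issuer list. The value name SendTrustedIssuerList is the one KB933430 Method 3 describes; the -Apply switch, the version mapping and the reboot advice are my own assumptions for a PowerShell 2.0 session run as an administrator on the IAS server.

```powershell
# Added example (not from the thread or from Microsoft): triage for a Windows
# Server 2003 IAS box hit by the PEAP failures discussed above. Without -Apply
# it only reports. Version numbers and KB ids come from the thread; the rest
# is an assumption for illustration.
param([switch]$Apply)

$schannel = Join-Path $env:SystemRoot 'System32\schannel.dll'
$ver = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($schannel).FileVersion
Write-Host "schannel.dll version: $ver"
# Thread mapping: 4115 = KB933430 hotfix, 5014 = already contains that fix,
# 5462 = MS14-066 (KB2992611).
switch -regex ($ver) {
  '\.5462$'        { Write-Host ' -> MS14-066 schannel.dll (KB2992611) is in place' }
  '\.(4115|5014)$' { Write-Host ' -> KB933430 fix already incorporated; the hotfix will not help' }
  default          { Write-Host ' -> version not mentioned in the thread' }
}

# Which of the two updates blamed in the thread are installed?
$suspects = 'KB2992611', 'KB3023562'
Get-HotFix | Where-Object { $suspects -contains $_.HotFixID } |
  ForEach-Object { Write-Host ("installed: {0} ({1})" -f $_.HotFixID, $_.InstalledOn) }

# Schannel warning 36885 (trusted-issuer list truncated) in the last week.
# The PEAP-only posters above report none, which is consistent with their case.
$events = Get-EventLog -LogName System -Source Schannel -After (Get-Date).AddDays(-7) |
  Where-Object { $_.EventID -eq 36885 }
Write-Host ("Schannel 36885 warnings in last 7 days: {0}" -f @($events).Count)

# KB933430 Method 3: stop Schannel from sending the trusted-issuer list.
# Reboot afterwards (assumption: the safest way to make Schannel re-read it).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$cur = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SendTrustedIssuerList
Write-Host "SendTrustedIssuerList currently: $(if ($cur -eq $null) { '<not set>' } else { $cur })"
if ($Apply -and $cur -ne 0) {
  Set-ItemProperty -Path $key -Name SendTrustedIssuerList -Value 0 -Type DWord
  Write-Host 'SendTrustedIssuerList set to 0; reboot the IAS server to apply'
}
```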