IAS 802.1x Certificate verification failing
Hi, I am having a problem with 802.1x authentication. The old CA structure is just 1 Enterprise CA on Windows 2003 (SHA1, 1024). I have a new CA structure: offline standalone root, subordinate Enterprise CA. Root cert is SHA256RSA and 2048. SubCA is the same (patched to enable them to handle SHA2). The server has 2 certificates on it: 1 from the old CA server, which the IAS policies are currently using, and I have implemented one from the new SubCA (duplicated the "RAS and IAS Certificate" template, Windows 2003 Enterprise, key length 2048, SHA256RSA). I published the new Root Certificate and the CRL (valid for 12 months) into AD. Group Policy has deployed the new Root and Subordinate certs to the workstations. The workstations are Windows XP SP3.

I have validated from the IAS server and the workstations, using both certutil -verify {cert file} and PKIView.msc, that the CRLs and AIAs for the server cert, Subordinate cert and the Root cert are all valid and passing. However, when I change the Wireless IAS policy to use the new certificate (restart IAS service) and set the workstation Wireless to "Verify Server Certificate", authentication fails.

1. The workstations have authmode=2. I have enabled logging (netsh ras set tracing * enable) on both server and workstation, and in the svchost_RASTLS.log file the below error occurs: "CertVerifyCertificationChangePolicy succeeded but returned 0x800b0112.Continuing with root has matching". From my research this is -2146762478 and means CERT_E_UNTRUSTEDCA: a certificate chain processed correctly, but one of the CA certificates is not trusted by the policy provider. I only have 2 CAs, the root and the subordinate, and in testing they are both valid and verified. The Root CA is installed in the computer's "Trusted Root CA" container and the subordinate is in the "Intermediate CA" container. The physical stores are "Enterprise Stores". Which certificate is failing? How do I find out?

I have tried manually installing both certificates into the computer's appropriate containers, but this hasn't made a difference. I think I am on the right track, but need a little extra light. Thanks for any and all assistance.
March 22nd, 2012 12:00am

For root CA queries, post here. http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads Thanks
March 22nd, 2012 1:19am

The problem is probably that the new CA uses SHA-256. Windows XP and 2003 can be patched to have "limited" support for SHA-256 or higher, but it is expected to have compatibility issues with different certificate usage scenarios. Please refer to KB 968730 to read more on this issue: http://support.microsoft.com/kb/96873 /Hasain
March 23rd, 2012 3:31am

No, this wasn't the problem. The root cause was that the Subordinate CA certificates weren't in the NTAuth store in AD. I added them in and AD has pushed them out to the workstations. Wireless authentication is working correctly now. Additionally, my scenario is the one that is meant to be supported, i.e. I am only doing OS-level 802.1x cert connecting, not application cert validation as the article refers to. But thanks for the reply.
April 7th, 2012 3:18pm
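The resolution above boils down to one check: every CA that signed the IAS server certificate, in particular the issuing SubCA, must be published in the AD NTAuthCertificates object, otherwise clients that verify the server certificate report CERT_E_UNTRUSTEDCA even though the chain itself builds. The following PowerShell script is an added example, not code from this thread; it reads the NTAuth store from the Configuration partition and compares it against the chain of a server certificate identified by a thumbprint you supply (the LDAP path and the `certutil -dspublish ... NTAuthCA` command are the standard Windows PKI ones; the thumbprint is a placeholder you must replace).

```powershell
# Added example: check whether the CAs in an IAS/NPS server certificate's chain are
# published in the AD NTAuthCertificates store, the store the thread found was missing
# the subordinate CA. Run on a domain-joined machine that holds the server certificate.
param(
    [Parameter(Mandatory = $true)]
    [string]$ServerCertThumbprint   # placeholder: thumbprint of the new RAS and IAS cert
)

function Get-NTAuthThumbprints {
    # Read the enterprise NTAuth store directly from the Configuration naming context.
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $ntAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNC"
    foreach ($blob in $ntAuth.Properties['cACertificate']) {
        # Each value is a DER-encoded CA certificate; the leading comma keeps the byte[] intact.
        $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
        $ca.Thumbprint
    }
}

function Test-ChainAgainstNTAuth {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ntAuth = @(Get-NTAuthThumbprints)
    $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'   # same CRL/AIA checks certutil -verify performs
    if (-not $chain.Build($Cert)) {
        # A chain that does not build is a different problem (CRL, AIA, missing root).
        $chain.ChainStatus | ForEach-Object { Write-Warning "Chain status: $($_.Status) - $($_.StatusInformation)" }
    }
    # Element 0 is the server certificate itself; every later element is a CA.
    for ($i = 1; $i -lt $chain.ChainElements.Count; $i++) {
        $ca = $chain.ChainElements[$i].Certificate
        [pscustomobject]@{
            Subject    = $ca.Subject
            Thumbprint = $ca.Thumbprint
            IssuingCA  = ($i -eq 1)                       # the CA that signed the server cert
            InNTAuth   = ($ntAuth -contains $ca.Thumbprint)
        }
    }
}

$serverCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $ServerCertThumbprint }
if (-not $serverCert) { throw "No certificate with thumbprint $ServerCertThumbprint in LocalMachine\My" }

$result = Test-ChainAgainstNTAuth -Cert $serverCert
$result | Format-Table -AutoSize
if ($result | Where-Object { $_.IssuingCA -and -not $_.InNTAuth }) {
    Write-Warning 'Issuing CA is not in NTAuth. Publish it with: certutil -dspublish -f <SubCA.cer> NTAuthCA'
}
```

Workstations pick up the updated NTAuth store through Group Policy rather than immediately, so re-test 802.1x only after the clients have refreshed policy.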
