User certificate is shown as expired...but isn't?
Hey there, some days ago I ran into a problem with my clients' RADIUS authentication. I asked the same question in the German forums, but nobody could help me over there, so I'm asking here again. The client's certificate is rejected because of the expiration date, which is 18 Oct 2012. I searched through many logs and network traces, but nothing was to be found. Here are some examples of my logfiles:

ISASAM.LOG:

[6112] 10-04 09:52:19:344: NT-SAM Names handler received request with user identity DK_ERS.
[6112] 10-04 09:52:19:344: Prepending default domain.
[6112] 10-04 09:52:19:344: NameMapper::prependDefaultDomain
[6112] 10-04 09:52:19:344: SAM-Account-Name is "xxx\DK_ERS".
[6112] 10-04 09:52:19:344: Successfully created new RAP Based EAP session for user xxx\DK_ERS.
[6112] 10-04 09:52:19:344: No AUTHENTICATION extensions, continuing
[6112] 10-04 09:52:19:344: NT-SAM Authentication handler received request for xxx\DK_ERS.
[6112] 10-04 09:52:19:344: Validating windows user account xxx\DK_ERS
[6112] 10-04 09:52:19:344: Sending LDAP search to xxxxxxx.xxx.wan.
[6112] 10-04 09:52:19:344: Successfully validated windows account xxx\DK_ERS.
[6112] 10-04 09:52:19:360: Allowed EAP type: 13
[6112] 10-04 09:52:19:360: Succesfully created EAP Host session with session id 7201
[6112] 10-04 09:52:19:360: Processing output from EAP: action:1
[6112] 10-04 09:52:19:360: Inserting outbound EAP-Message of length 6.
[6112] 10-04 09:52:19:360: Issuing Access-Challenge.
[6112] 10-04 09:52:19:360: No AUTHORIZATION extensions, continuing
[8728] 10-04 09:52:19:469: Successfully retrieved session (7201) for user xxx\DK_ERS.
[8728] 10-04 09:52:19:469: No AUTHENTICATION extensions, continuing
[8728] 10-04 09:52:19:469: Processing output from EAP: action:1
[8728] 10-04 09:52:19:469: Inserting outbound EAP-Message of length 1396.
[8728] 10-04 09:52:19:469: Issuing Access-Challenge.
[8728] 10-04 09:52:19:469: No AUTHORIZATION extensions, continuing
[6112] 10-04 09:52:19:532: Successfully retrieved session (7201) for user xxx\DK_ERS.
[6112] 10-04 09:52:19:532: No AUTHENTICATION extensions, continuing
[6112] 10-04 09:52:19:532: Processing output from EAP: action:1
[6112] 10-04 09:52:19:532: Inserting outbound EAP-Message of length 1371.
[6112] 10-04 09:52:19:532: Issuing Access-Challenge.
[6112] 10-04 09:52:19:532: No AUTHORIZATION extensions, continuing
[8728] 10-04 09:52:22:547: Successfully retrieved session (7201) for user xxx\DK_ERS.
[8728] 10-04 09:52:22:547: EAP-Message appears to be a retransmission. Replaying last action.
[6112] 10-04 09:52:22:625: Successfully retrieved session (7201) for user xxx\DK_ERS.
[6112] 10-04 09:52:22:625: No AUTHENTICATION extensions, continuing
[6112] 10-04 09:52:22:625: Processing output from EAP: action:2
[6112] 10-04 09:52:22:625: Translating attributes returned by EAPHost.
[6112] 10-04 09:52:22:625: EAP authentication failed.

svchost_RASTLS.LOG:

[8728] 10-04 09:52:24:766: EapTlsBegin(xxx\DK_ERS)
[8728] 10-04 09:52:24:766: SetupMachineChangeNotification
[8728] 10-04 09:52:24:766: State change to Initial
[8728] 10-04 09:52:24:766: MaxTLSMessageLength is now 16384
[8728] 10-04 09:52:24:766: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[8728] 10-04 09:52:24:766: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[8728] 10-04 09:52:24:766: The root cert will not be checked for revocation
[8728] 10-04 09:52:24:766: The cert will be checked for revocation
[8728] 10-04 09:52:24:766:
[8728] 10-04 09:52:24:766: EapTlsMakeMessage(xxx\dk_ers)
[8728] 10-04 09:52:24:766: EapTlsSMakeMessage, state(0)
[8728] 10-04 09:52:24:766: EapTlsReset
[8728] 10-04 09:52:24:766: State change to Initial
[8728] 10-04 09:52:24:766: EapGetCredentials
[8728] 10-04 09:52:24:766: Flag is Server and Store is local Machine
[8728] 10-04 09:52:24:766: GetCachedCredentials Flags = 0xe1
[8728] 10-04 09:52:24:766: FindNodeInCachedCredList, flags(0xe1), default cached creds(0), check thread token(1)
[8728] 10-04 09:52:24:766: pNode->dwCredFlags = 0x11
[8728] 10-04 09:52:24:766: GetCachedCredentials: Using Cached Credentials
[8728] 10-04 09:52:24:766: GetCachedCredentials: Hash of the cert in the cache is
    EE 54 19 40 1D F0 64 0B AA 36 CD 7E 22 56 49 5E |.T.@..d..6.~"VI^|
    43 43 16 8C 00 00 00 00 00 00 00 00 00 00 00 00 |CC..............|
[8728] 10-04 09:52:24:766: BuildPacket
[8728] 10-04 09:52:24:766: << Sending Request (Code: 1) packet: Id: 1, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[8728] 10-04 09:52:24:766: State change to SentStart
[6112] 10-04 09:52:24:860:
[6112] 10-04 09:52:24:860: EapTlsMakeMessage(xxx\dk_ers)
[6112] 10-04 09:52:24:860: >> Received Response (Code: 2) packet: Id: 1, Length: 108, Type: 13, TLS blob length: 0. Flags:
[6112] 10-04 09:52:24:860: EapTlsSMakeMessage, state(1)
[6112] 10-04 09:52:24:860: MakeReplyMessage
[6112] 10-04 09:52:24:860: Reallocating input TLS blob buffer
[6112] 10-04 09:52:24:860: SecurityContextFunction
[6112] 10-04 09:52:24:860: AcceptSecurityContext returned 0x90312
[6112] 10-04 09:52:24:860: State change to SentHello
[6112] 10-04 09:52:24:860: BuildPacket
[6112] 10-04 09:52:24:860: << Sending Request (Code: 1) packet: Id: 2, Length: 1396, Type: 13, TLS blob length: 2751. Flags: LM
[8728] 10-04 09:52:24:922:
[8728] 10-04 09:52:24:922: EapTlsMakeMessage(xxx\dk_ers)
[8728] 10-04 09:52:24:922: >> Received Response (Code: 2) packet: Id: 2, Length: 6, Type: 13, TLS blob length: 0. Flags:
[8728] 10-04 09:52:24:922: EapTlsSMakeMessage, state(2)
[8728] 10-04 09:52:24:922: BuildPacket
[8728] 10-04 09:52:24:922: << Sending Request (Code: 1) packet: Id: 3, Length: 1371, Type: 13, TLS blob length: 0. Flags:
[6112] 10-04 09:52:25:000:
[6112] 10-04 09:52:25:000: EapTlsMakeMessage(xxx\dk_ers)
[6112] 10-04 09:52:25:000: >> Received Response (Code: 2) packet: Id: 3, Length: 13, Type: 13, TLS blob length: 0. Flags:
[6112] 10-04 09:52:25:000: EapTlsSMakeMessage, state(2)
[6112] 10-04 09:52:25:000: MakeReplyMessage
[6112] 10-04 09:52:25:000: SecurityContextFunction
[6112] 10-04 09:52:25:000: AcceptSecurityContext returned 0x80090328
[6112] 10-04 09:52:25:000: State change to SentFinished. Error: 0x80090328
[6112] 10-04 09:52:25:000: Negotiation unsuccessful
[6112] 10-04 09:52:25:000: BuildPacket
[6112] 10-04 09:52:25:000: << Sending Failure (Code: 4) packet: Id: 4, Length: 4, Type: 0, TLS blob length: 0. Flags:
[6112] 10-04 09:52:25:000: AuthResultCode = (-2146893016), bCode = (4)

IASRAD.LOG:

[8728] 10-04 09:52:52:141: Receive RADIUS packet with size 472 from ::ffff:192.168.54.3
[8728] 10-04 09:52:52:157: message authenticator Attribute added to out-bound RADIUS packet
[8728] 10-04 09:52:52:157: Message Authenticator Attribute set in out UDP buffer
[6112] 10-04 09:53:52:172: Receive RADIUS packet with size 172 from ::ffff:192.168.54.3
[6112] 10-04 09:53:52:188: message authenticator Attribute added to out-bound RADIUS packet
[6112] 10-04 09:53:52:188: Message Authenticator Attribute set in out UDP buffer

IASNAP.LOG, I don't understand the error here:

[6112] 10-04 09:52:22:625: The request comes from NAS type 0
[6112] 10-04 09:52:22:625: Applying CRP policy:xxxxxxxxxxxxxxxx
[6112] 10-04 09:52:22:625: Response type is 2, so disable Quarantine State
[6112] 10-04 09:52:22:625: WARNING: No SHV Session Handle
[6112] 10-04 09:52:22:625: The request is given quarantine state 3

German message resulting from certutil -v -verify using the client certificate:

Aussteller:
    CN=xxxxxxxCA
    DC=xxx
    DC=wan
  [0,0]: CERT_RDN_IA5_STRING, Länge = 3 (3/128 Zeichen)
    0.9.2342.19200300.100.1.25 Domänenkomponente (DC)="wan"
    77 61 6e                                           wan
    77 00 61 00 6e 00                                  w.a.n.
  [1,0]: CERT_RDN_IA5_STRING, Länge = 3 (3/128 Zeichen)
    0.9.2342.19200300.100.1.25 Domänenkomponente (DC)="xxx"
    65 72 73                                           xxx
    65 00 72 00 73 00                                  x.x.x.
  [2,0]: CERT_RDN_PRINTABLE_STRING, Länge = 9 (9/64 Zeichen)
    2.5.4.3 Allgemeiner Name (CN)="xxxxxxxCA"
    45 72 73 74 65 73 74 43 41                         xxxxxxxCA
    45 00 72 00 73 00 74 00 65 00 73 00 74 00 43 00    x.x.x.x.x.x.x.C.
    41 00                                              A.
Antragsteller:
    CN=DK_ERS
    OU=xxxxxxxxxxxxxxxxxxxxxxx
    OU=x xxxxx
    DC=xxx
    DC=wan
  [0,0]: CERT_RDN_IA5_STRING, Länge = 3 (3/128 Zeichen)
    0.9.2342.19200300.100.1.25 Domänenkomponente (DC)="wan"
    77 61 6e                                           wan
    77 00 61 00 6e 00                                  w.a.n.
  [1,0]: CERT_RDN_IA5_STRING, Länge = 3 (3/128 Zeichen)
    0.9.2342.19200300.100.1.25 Domänenkomponente (DC)="xxx"
    65 72 73                                           xxx
    65 00 72 00 73 00                                  x.x.x.
  [2,0]: CERT_RDN_PRINTABLE_STRING, Länge = 7 (7/64 Zeichen)
    2.5.4.11 Organisationseinheit (OU)="x xxxxx"
    31 20 44 42 45 52 53                               x xxxxx
    31 00 20 00 44 00 42 00 45 00 52 00 53 00          x. .x.x.x.x.x.
  [3,0]: CERT_RDN_PRINTABLE_STRING, Länge = 27 (27/64 Zeichen)
    2.5.4.11 Organisationseinheit (OU)="xx xxxxxxxxxxxxxxx xxxxxxxx"
    31 37 20 48 61 75 70 74 76 65 72 77 61 6c 74 75    xx xxxxxxxxxxxxx
    6e 67 20 44 6f 72 74 6d 75 6e 64                   xx xxxxxxxx
    31 00 37 00 20 00 48 00 61 00 75 00 70 00 74 00    x.x. .x.x.x.x.x.
    76 00 65 00 72 00 77 00 61 00 6c 00 74 00 75 00    x.x.x.x.x.x.x.x.
    6e 00 67 00 20 00 44 00 6f 00 72 00 74 00 6d 00    x.x. .x.x.x.x.x.
    75 00 6e 00 64 00                                  x.x.x.
  [4,0]: CERT_RDN_UTF8_STRING, Länge = 6 (6/64 Zeichen)
    2.5.4.3 Allgemeiner Name (CN)="DK_ERS"
    44 4b 5f 45 52 53                                  DK_ERS
    44 00 4b 00 5f 00 45 00 52 00 53 00                D.K._.E.R.S.
Zertifikatseriennummer: 15277eb500000000000e
    0e 00 00 00 00 00 b5 7e 27 15
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 1 Hours, 41 Minutes, 39 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 1 Hours, 41 Minutes, 39 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=xxxxxxxCA, DC=xxx, DC=wan
  NotBefore: 19.10.2011 09:58
  NotAfter: 18.10.2012 09:58
  Subject: CN=DK_ERS, OU=xx xxxxxxxxxxxxxxx xxxxxxxx, OU=x xxxxx, DC=xxx, DC=wan
  Serial: 15277eb500000000000e
  SubjectAltName: Anderer Name:Prinzipalname=DK_ERS@xxx.wan
  Template: User
  c0 33 9f 3e c1 90 fc c8 54 c9 b0 9d 49 1e 2a d7 be 21 27 f3
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Zertifikat abrufen ----------------
  Überprüft "Zertifikat (0)" Zeit: 0
    [0.0] ldap:///CN=xxxxxxCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xxx,DC=wan?cACertificate?base?objectClass=certificationAuthority
  Überprüft "Zertifikat (1)" Zeit: 0
    [0.1] ldap:///CN=xxxxxxxCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xxx,DC=wan?cACertificate?base?objectClass=certificationAuthority
  ---------------- Zertifikat abrufen ----------------
  Überprüft "Basissperrliste (015f)" Zeit: 0
    [0.0] ldap:///CN=xxxxxxxCA,CN=xxxxxxx,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xxx,DC=wan?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Überprüft "Deltasperrliste (015f)" Zeit: 0
    [0.0.0] ldap:///CN=xxxxxxxCA,CN=xxxxxxx,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xxx,DC=wan?deltaRevocationList?base?objectClass=cRLDistributionPoint
  ---------------- Basissperrliste veraltet ----------------
  OK "Deltasperrliste (015f)" Zeit: 0
    [0.0] ldap:///CN=xxxxxxxCA,CN=xxxxxxx,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=xxx,DC=wan?deltaRevocationList?base?objectClass=cRLDistributionPoint
  ---------------- Zertifikat-OCSP ----------------
  Keine URLs "Keine" Zeit: 0
  --------------------------------
  CRL 015f:
  Issuer: CN=xxxxxxxCA, DC=xxx, DC=wan
  a0 42 54 3c cc 37 5a 4e cb b6 6a 8e 4d d6 d0 b3 42 a9 eb 09
  Delta CRL 015f:
  Issuer: CN=xxxxxxxCA, DC=xxx, DC=wan
  89 fc e9 af 57 49 5d 3d 76 34 4b 87 6b 83 83 a3 d1 d8 0b 08
  Application[0] = 1.3.6.1.4.1.311.10.3.4 Verschlüsselndes Dateisystem
  Application[1] = 1.3.6.1.5.5.7.3.4 Sichere E-Mail
  Application[2] = 1.3.6.1.5.5.7.3.2 Clientauthentifizierung

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=xxxxxxxCA, DC=xxx, DC=wan
  NotBefore: 18.10.2011 10:12
  NotAfter: 02.10.2017 11:05
  Subject: CN=xxxxxxxCA, DC=xxx, DC=wan
  Serial: 6472b2658a6633bc4d10b7d2802034ae
  Template: CA
  c0 04 db b0 32 1b b0 05 f2 3f 2b e0 e4 1c c2 69 0a d8 4c 01
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- Zertifikat abrufen ----------------
  Keine URLs "Keine" Zeit: 0
  ---------------- Zertifikat abrufen ----------------
  Keine URLs "Keine" Zeit: 0
  ---------------- Zertifikat-OCSP ----------------
  Keine URLs "Keine" Zeit: 0
  --------------------------------

Exclude leaf cert:
  89 66 76 b8 d0 38 56 6f 1f 9f d2 85 fb 36 d4 2b bb 18 f2 f0
Full chain:
  e2 06 7c 33 3e a9 53 89 74 86 32 03 fd 42 4f a5 13 46 05 71
------------------------------------
Verfizierte Ausstellungsrichtlinien: Kein
Verfizierte Anwendungsrichtlinien:
    1.3.6.1.4.1.311.10.3.4 Verschlüsselndes Dateisystem
    1.3.6.1.5.5.7.3.4 Sichere E-Mail
    1.3.6.1.5.5.7.3.2 Clientauthentifizierung
Sperrstatusüberprüfung des untergeordneten Zertifikats erfolgreich abgeschlossen.
CertUtil: -verify-Befehl wurde erfolgreich ausgeführt.

Also, this is logged on the server every time a client tries to connect to the NPS:

- System
  - Provider
    [ Name]  Schannel
    [ Guid]  {1F678132-5938-4686-9FDC-C8FF68F15C85}
  EventID 36887
  Version 0
  Level 2
  Task 0
  Opcode 0
  Keywords 0x8000000000000000
  - TimeCreated
    [ SystemTime]  2012-10-08T08:08:51.313476500Z
  EventRecordID 41811
  Correlation
  - Execution
    [ ProcessID]  552
    [ ThreadID]  11888
  Channel System
  Computer xxxx (NPS Server)
  - Security
    [ UserID]  S-1-5-18
- EventData
  AlertDesc 45

Does somebody have a clue about this issue? I would greatly appreciate it.

Regards,
Lenniey
October 15th, 2012 7:58am

Hi,

Thank you for your question. I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. Thank you for your understanding and support.

Best Regards,
Aiden

TechNet Subscriber Support: If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

Aiden Cao
TechNet Community Support
October 16th, 2012 4:16am

OK, thank you! The certificate will (really) expire tomorrow. So I guess I can't solve this issue until then, but I'm interested in a solution nonetheless, should this particular problem come up again. By the way: Is there any way to force the NPS server to ignore the client certificate's expiration date? It would make the whole transition to new certificates a whole lot easier.

Regards,
Lenniey
October 17th, 2012 3:07am

Hi,

Why don't we renew the certificate?

Renew a certificate with the same key: http://technet.microsoft.com/en-us/library/cc758448(v=WS.10).aspx
Renew a certificate with a new key: http://technet.microsoft.com/en-us/library/cc727980(v=ws.10).aspx

Regards,
Denny

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
October 18th, 2012 9:20am

Hey, thank you for the suggestion, but I'm afraid it's not as easy as it sounds... There are multiple (meaning about 70) devices with certificates, and they are distributed all over Germany. Replacing all certificates on every device (note: no PCs, but cash registers running on Windows CE) would take many, many days. At the moment we are using a workaround by plugging them into docking stations and connecting via LAN / IPSec, but that can't last, I'm afraid. Eventually we will have to replace all certificates, that's true, but it doesn't explain the error: the certificate is still valid (on server and client) but is shown as expired.
October 19th, 2012 12:38am

Hi,

Have you checked the system clock on both client and server side? Please ensure that the RADIUS server authenticating devices has the correct system time.

Regards,
Denny

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
October 22nd, 2012 5:25am

Hey there, the time settings on both client and server were the first things I checked when the problem occurred; both were identical, thanks to our NTP server. The "deadline" for the certificate expiration has passed now. Any info on my previous post? By the way: Is there any way to force the NPS server to ignore the client certificate's expiration date? It would make the whole transition to new certificates a whole lot easier. At the moment we are using a workaround by plugging them into docking stations and connecting via LAN / IPSec, but that can't last, I'm afraid. Eventually we will have to replace all certificates, that's true, but it doesn't explain the error: the certificate is still valid (on server and client) but is shown as expired.

Regards,
Lenniey
October 22nd, 2012 5:38am

Sorry for the double post, but it's getting hotter. If anybody could tell me whether it is possible to ignore the client certificate expiration date or not, that would be awesome. I tried the different ignoreRevocation (and so on) registry settings for NPS, but it didn't change a thing. We have to enroll all new certificates because of this mess the NPS (or whatever) created, but with this option we'd have more time. My client is getting angrier every passing minute.

Regards,
Lenniey
October 23rd, 2012 4:36am

I hate to be the person who is going to be blunt, but this is what you need to hear.

1) The certificate has expired; it is end of life. There is no using it after it expires.
2) You need to include the *entire* certificate lifecycle in your design plans. The design at your customer/client did not include renewals as part of the design.
3) You cannot even do renewals (RFC definition) because you cannot sign the renewal request with the previous certificate, because it is expired.
4) Revocation checking is irrelevant when a certificate is expired. Expiration is a separate validity test, and your cert fails because it is expired.

NPS did not create this mess. Poor certificate management processes caused this mess.

Bottom line, start the certificate replacement process ASAP. For now, you are going to have to drop down to a non-certificate-based solution (or at least one with just server-side). You really do not mention the application that you are using RADIUS with. If this is for wireless/wired 802.1X, you need to drop down to PEAP. If this is VPN, drop down to PPTP. Once they can connect, get them new certs and then you can move back up to using certificate-based auth.

Brian
October 23rd, 2012 6:26am
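Added example, not code from the thread or from Microsoft: a small triage script for the two points raised above. It decodes the status values that appear in the question's RASTLS log and Schannel event (0x80090328 is the standard SSPI code SEC_E_CERT_EXPIRED, and the AuthResultCode -2146893016 is that same value printed as a signed 32-bit integer; the Schannel 36887 event's AlertDesc 45 is the TLS certificate_expired alert from RFC 5246), so a reader can confirm from the logs which validity test the server says failed. It then reads NotBefore/NotAfter from certutil-style output and classifies the validity window at a given time, which is the separate expiry test Brian's point 4 refers to and the check a renewal process should alarm on early. The log and certutil lines at the bottom are constructed to mirror the shapes in the question; the dates are the ones the thread's certutil dump shows, the names are placeholders.

```python
"""Added example (not from the thread): decode Schannel/SSPI status codes and
TLS alert numbers from NPS logs, and check a certificate's validity window
from certutil output. Sample inputs below are constructed."""
import re
from datetime import datetime

# SSPI status codes as Schannel reports them (standard Windows values) and
# TLS alert descriptions as numbered in RFC 5246 section 7.2.2.
SSPI_STATUS = {
    0x00090312: "SEC_I_CONTINUE_NEEDED (handshake still in progress, not an error)",
    0x80090325: "SEC_E_UNTRUSTED_ROOT (chain ends in an untrusted authority)",
    0x80090326: "SEC_E_ILLEGAL_MESSAGE (malformed or unexpected TLS message)",
    0x80090327: "SEC_E_CERT_UNKNOWN (peer certificate rejected, unspecified reason)",
    0x80090328: "SEC_E_CERT_EXPIRED (the received certificate has expired)",
}
TLS_ALERT = {42: "bad_certificate", 43: "unsupported_certificate",
             44: "certificate_revoked", 45: "certificate_expired",
             46: "certificate_unknown", 48: "unknown_ca"}


def decode_status(value):
    """Name an SSPI status given as hex ("0x80090328") or as the signed
    decimal the log prints in AuthResultCode ("-2146893016")."""
    n = int(value, 16) if value.lower().startswith("0x") else int(value)
    n &= 0xFFFFFFFF  # signed 32-bit decimal -> unsigned HRESULT
    return SSPI_STATUS.get(n, "unknown status 0x%08X" % n)


def scan_log(lines):
    """Return (log line, decoded meaning) for every status or alert found."""
    status_re = re.compile(r"(?:returned|Error:) (0x[0-9A-Fa-f]+)|AuthResultCode = \((-?\d+)\)")
    alert_re = re.compile(r"AlertDesc\s+(\d+)")
    hits = []
    for line in lines:
        m = status_re.search(line)
        if m:
            hits.append((line.strip(), decode_status(m.group(1) or m.group(2))))
        m = alert_re.search(line)
        if m:
            code = int(m.group(1))
            hits.append((line.strip(), "TLS alert %d %s" % (code, TLS_ALERT.get(code, "(unlisted)"))))
    return hits


def parse_validity(certutil_lines):
    """Read NotBefore/NotAfter from certutil output. certutil prints them in
    the system locale; this accepts the German dd.mm.yyyy HH:MM form shown
    in the thread and the en-US m/d/yyyy h:mm AM/PM form."""
    found = {}
    for line in certutil_lines:
        m = re.match(r"\s*(NotBefore|NotAfter):\s+(.*\S)", line)
        if not m:
            continue
        for fmt in ("%d.%m.%Y %H:%M", "%m/%d/%Y %I:%M %p"):
            try:
                found[m.group(1)] = datetime.strptime(m.group(2), fmt)
                break
            except ValueError:
                continue
    return found["NotBefore"], found["NotAfter"]


def validity_status(not_before, not_after, at, warn_days=30):
    """Classify the validity window at time `at`. Expiry is a plain date
    comparison that no revocation setting influences; the warn threshold is
    what a renewal process should alarm on well before the NotAfter date."""
    if at < not_before:
        return "not_yet_valid", (not_before - at).days
    if at > not_after:
        return "expired", (at - not_after).days
    days_left = (not_after - at).days
    return ("expiring_soon" if days_left <= warn_days else "valid"), days_left


# Constructed samples mirroring the thread's RASTLS log, Schannel event and
# certutil dump (names are placeholders, not the original machine's output).
SAMPLE_LOG = [
    "[6112] 10-04 09:52:24:860: AcceptSecurityContext returned 0x90312",
    "[6112] 10-04 09:52:25:000: AcceptSecurityContext returned 0x80090328",
    "[6112] 10-04 09:52:25:000: State change to SentFinished. Error: 0x80090328",
    "[6112] 10-04 09:52:25:000: AuthResultCode = (-2146893016), bCode = (4)",
    "EventData AlertDesc 45",
]
SAMPLE_CERTUTIL = [
    "CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0",
    "  Issuer: CN=exampleCA, DC=example, DC=wan",
    "  NotBefore: 19.10.2011 09:58",
    "  NotAfter: 18.10.2012 09:58",
    "  Subject: CN=DK_ERS, DC=example, DC=wan",
]

if __name__ == "__main__":
    for line, meaning in scan_log(SAMPLE_LOG):
        print("%-75s -> %s" % (line, meaning))
    nb, na = parse_validity(SAMPLE_CERTUTIL)
    for when in (datetime(2012, 10, 4, 9, 52), datetime(2012, 10, 18, 10, 0)):
        print(when, validity_status(nb, na, when))
```

Run stand-alone it prints the decoded meaning of each sample line and then the window status at the two timestamps from the thread: 14 days left (flagged as expiring soon) on 10-04, and expired on 10-18 a few minutes after the NotAfter time. The decoder only tells you what the server concluded, not why; it is the starting point for comparing the certificate the client actually presented (the one NPS evaluated) against the one certutil was run on.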

Well, thanks for being blunt, but that's what I needed to hear. As for the created mess: The initial problem was that the NPS rejected a 100% valid certificate as expired, as you can see in my first post. I know that we have to replace all certificates, as I also stated above, but I would have wanted to see if anyone else has had the problem of valid certificates being rejected because of "expiration". I don't like the idea of enrolling all new certificates on the clients just to maybe have to deal with this problem again. The revocation checks were my last clutch at any straw I could get, but well, it was obvious they wouldn't suffice. As for the infrastructure we're using: EAP-TLS, WLAN via Cisco APs, connected to our LAN (DCs, NPS, etc.) through Linux firewalls / gateways via IPSec tunnels from different locations in Germany. We are now going to enroll new certificates by hand, because the machines connecting to our LAN are running Windows CE and are therefore not able to join our domain. So that's what we're going to do; thank you all for the input.

Regards,
Lenniey
October 24th, 2012 3:08am
