Article ID: 326474 - View products that this article applies to.
This article was previously published under Q326474
This step-by-step article describes how to troubleshoot Extensible Authentication Protocol (EAP) authentication when you are using it with virtual private network (VPN) connections.
Use an Enterprise Certification Authority (CA) to obtain certificates for EAP authentication. According to the Windows 2000 Server Resource Kit Distributed Systems Guide, stand-alone CAs cannot issue certificates for the smart card logon process.
This problem occurs because of an incorrect configuration when you request the certificate.
To resolve this problem, make sure that the RRAS computer requests the certificate by using the Advanced Form. To do this, follow these steps:
The following error is listed in the server's System log:
Error 0x80090325: The certificate chain was issued by an untrusted authority.
This problem occurs because the CA certification path is not installed.
The user DomainUser has connected and failed to authenticate because of the following error: The certificate chain was issued by an untrusted authority.
To resolve this problem, install the CA Certification Path on both client and server. To do this, select the Retrieve the CA certificate or certificate revocation list from http://CAServerName/certsrv.
The following information is also located in the Vpndeploy.doc file. To view the whole document, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/bb742554.aspxEAP-TLS is designed to be used in conjunction with a certificate infrastructure and either user certificates or smart cards. With EAP-TLS, the VPN client sends its user certificate for authentication and the VPN server sends a computer certificate for authentication. This is the strongest authentication method because it does not rely on passwords.
NOTE: You can use third-party CAs as long as the certificate in the computer store of the IAS server contains the Server Authentication certificate purpose (also known as a certificate usage or certificate issuance policy). A certificate purpose is identified by using an object identifier (OID). The object identifier for Server Authentication is "22.214.171.124.126.96.36.199.1". Additionally, the user certificate installed on the Windows 2000 remote access client must contain the Client Authentication certificate purpose (object identifier "188.8.131.52.184.108.40.206.2"). Certificates from third-party CAs must be issued by using SCHANNEL CSP.
If the VPN server is configured with the Windows authentication provider and is supporting L2TP connections or is authenticating connections by using the EAP-TLS authentication protocol, you must install a computer certificate on the VPN server that can be validated by the VPN client and a root certificate that is used to validate the VPN client.
For additional information about how to configure VPN to use EAP authentication, click the article number below to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/259880/EN-US/ )Configuring VPN to Use Extensible Authentication Protocol (EAP)