"The Local Security Authority Cannot Be Contacted" (Error 0x80090304) When You Try to Connect to a Remote Access Server

When a client tries to connect to a remote access server, the client may receive one or both of the following error messages:

Case 1: A Server Certificate Uses a Key Size of 464 or Less

When you configure Extensible Authentication Protocol-Transport Level Security (EAP-TLS) on a remote access server, and the server's certificate has a key size of 464-bit or less, the client computer receives the first error message described in the "Symptoms" section of this article when it tries to authenticate with the server.

NoteThe client receives this error message occurs whether the client is configured to validate the server certificate or not.

This issue occurs on both Windows 2000 Service Pack 3 (SP3)-based servers and Window Server 2003-based servers and affects both Windows 2000 SP3 and Windows XP-based clients.

Case 2: EAP Client Tries to Reconnect After it Returns from Standby

When a computer that is configured as an EAP client returns from the standby or the hibernation power management mode, it tries to connect to the server by using the EAP session resume feature. However, Internet Authentication Service (IAS) does not currently support the EAP session resume feature. Therefore, the client receives one or both of the error messages described in the "Symptoms" section of this article when it tries to restore the connection.

Case 3: EAP Client Tries To Reconnect an Active VPN Session

When a client removes a smart card during an active Virtual Private Networking (VPN) session, disconnects, and then tries to reconnect to the server, the client may receive the following error message: This issue occurs intermittently. This issue may occur if the PIN number is not successfully transferred to the Cryptographic Service Provider (CSP) when the user types it during the reconnection attempt. The remote access server may receive the following event message in the Event log:

Date: date
Source: Smart Card
Logon Time: time
Category: None
Type: Error
Event ID: 7
User: N/A
Computer: computername
Description:
An error occurred while signing a message using the inserted smart card: Provider could not perform the action since the context was acquired as silent. For more information, see Help and Support Center at http://support.microsoft.com. Data: 0000: 80090022

Case 4: Internet Security and Acceleration (ISA) Server is Configured to Drop Fragmented Packets

If you configure an ISA Server to permit Point to Point Tunneling Protocol (PPTP)/1723 and Generic Routing Encapsulation (GRE) but to block fragmented packets, the client's smart card-connected VPN session is terminated and the client receives the following error message:

To work around this issue, use one of the following methods:

Case 1: A Server Certificate Uses a Key Size of 464 or Less

To work around this issue, configure the server with a certificate whose key length is greater than 464 bits. Microsoft recommends that you use a minimum value of 1024, or for a long-lived key, a length of 2048.

Case 2: EAP Client Tries to Reconnect after Returning from Standby

To work around this issue, try to connect to the server again.

After the first unsuccessful call when the client returns from standby, the next connection attempt works.

Case 3: EAP Client Tries To Reconnect an Active VPN Session

To work around this issue, try to connect to the remote access server again.

Case 4: Internet Security and Acceleration (ISA) Server is Configured to Drop Fragmented Packets

To work around this issue, configure ISA Server to permit incoming fragmented packets. To do so:

1. Start the ISA Management utility.
2. Under your server or array, locate, and then right-click IP Packet Filters.
3. Click Properties, and then click the Packet Filters tab.
4. Click to clear the Enable filtering of IP fragments check box, and then click OK.