Case 1: A Server Certificate Uses a Key Size of 464 or LessWhen you configure Extensible Authentication Protocol-Transport Level Security (EAP-TLS) on a remote access server, and the server's certificate has a key size of 464-bit or less, the client computer receives the first error message described in the "Symptoms" section of this article when it tries to authenticate with the server.
NoteThe client receives this error message occurs whether the client is configured to validate the server certificate or not.
This issue occurs on both Windows 2000 Service Pack 3 (SP3)-based servers and Window Server 2003-based servers and affects both Windows 2000 SP3 and Windows XP-based clients.
Case 2: EAP Client Tries to Reconnect After it Returns from StandbyWhen a computer that is configured as an EAP client returns from the standby or the hibernation power management mode, it tries to connect to the server by using the EAP session resume feature. However, Internet Authentication Service (IAS) does not currently support the EAP session resume feature. Therefore, the client receives one or both of the error messages described in the "Symptoms" section of this article when it tries to restore the connection.
Case 3: EAP Client Tries To Reconnect an Active VPN SessionWhen a client removes a smart card during an active Virtual Private Networking (VPN) session, disconnects, and then tries to reconnect to the server, the client may receive the following error message:
Case 4: Internet Security and Acceleration (ISA) Server is Configured to Drop Fragmented PacketsIf you configure an ISA Server to permit Point to Point Tunneling Protocol (PPTP)/1723 and Generic Routing Encapsulation (GRE) but to block fragmented packets, the client's smart card-connected VPN session is terminated and the client receives the following error message:
Case 1: A Server Certificate Uses a Key Size of 464 or LessTo work around this issue, configure the server with a certificate whose key length is greater than 464 bits. Microsoft recommends that you use a minimum value of 1024, or for a long-lived key, a length of 2048.
Case 2: EAP Client Tries to Reconnect after Returning from StandbyTo work around this issue, try to connect to the server again.
After the first unsuccessful call when the client returns from standby, the next connection attempt works.
Case 3: EAP Client Tries To Reconnect an Active VPN SessionTo work around this issue, try to connect to the remote access server again.
Case 4: Internet Security and Acceleration (ISA) Server is Configured to Drop Fragmented PacketsTo work around this issue, configure ISA Server to permit incoming fragmented packets. To do so:
- Start the ISA Management utility.
- Under your server or array, locate, and then right-click
IP Packet Filters.
- Click Properties, and then click the
Packet Filters tab.
- Click to clear the Enable filtering of IP fragments check box, and then click OK.
Article ID: 813550 - Last Review: Jan 7, 2008 - Revision: 1