Authentication Is Not Successful When You Try to Connect to a RAS Server That Uses EAP-TLS

Support for Windows XP has ended

Microsoft ended support for Windows XP on April 8, 2014. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

This article has been archived. It is offered "as is" and will no longer be updated.
When you try to connect to a Remote Access Service (RAS) server that is configured to use Extensible Authentication Protocol with Transport Level Security (EAP-TLS), you may experience one of the following behaviors:
  • You are repeatedly prompted to select a server with which to authenticate.

  • Authentication is not successful.
This behavior can occur if both of the following conditions are true:
  • You try to connect with a remote access or a wireless (802.1x) client computer.

  • Multiple Remote Authentication Dial-In User Service (RADIUS) servers exist with which to authenticate.
RAS client computers, or client computers that connect by using wireless (802.1x) connections, verify the server certificate by default when EAP-TLS authentication is used. This prevents a connection to rogue servers. However, only a single server name and a single root certificate can be used. The client computer tries to connect to the first available server. In a multiple-network environment, where more than one RADIUS server is present, 802.1x machine authentication may be unsuccessful. Also, as other servers are detected, you may be repeatedly prompted to authenticate.
To resolve this problem, obtain the latest service pack for Windows XP. For additional information, click the following article number to view the article in theMicrosoft Knowledge Base:
322389 How to Obtain the Latest Windows XP Service Pack

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft Web site: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

File information

The English-language version of this fix should have the following file attributes or later:
   Date         Time   Version      Size    File name   ---------------------------------------------------   05-Dec-2001  16:33  5.1.2600.22  57,344  Rastls.dll				

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article. This problem was first corrected in Windows XP Service Pack 1.
More information
This update permits a list of server names and trusted root certificates instead of a single server name and a single root certificate. The user interface is changed to display these selections. This permits you to configure certificate authentication in a large, multiple-RADIUS server network configuration.

For additional information about EAP-TLS, browse to the following Web site:

Article ID: 313695 - Last Review: 01/12/2015 19:24:09 - Revision: 2.0

Microsoft Windows XP Professional

  • kbnosurvey kbarchive kbautohotfix kbhotfixserver kbqfe kbbug kbfix kbnetwork kbwinxpsp1fix KB313695