"Validate server certificate" option is unexpectedly checked in Wired Network (IEEE 802.3) policies


According to forum reports, a large number of enterprise users seem to be encountering this issue.

You have a Windows 2008 DC. You create a Wired network policy using the Windows 7 GPMC, with the “validate server certificate” option unchecked. After the GPO is applied, Windows XP, Vista and Server 2008 clients start having authentication failures. If you open the policy from a Windows Vista GPMC, you will find that the “validate server certificate” option is checked.




To work around this problem temporarily, use one of the following workarounds:

  • Once this happens, delete the GPO and recreate it from Server 2008 (not R2); it then works as expected.

  • Create different OUs for the clients, i.e. Win7 clients in one OU, and Vista and XP clients in another OU. Then create two Wired network policies, one for each OU, to set the “validate server certificate” option.

 

Steps to repro:

  1. Have a Windows Server 2008 DC whose domain functional level is 2008.

  2. Create a wired network GPO and uncheck the “validate server certificate” option (under “Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Wired Network (IEEE 802.3) Policies”) using a Windows 7 GPMC.

  3. Open this GPO from a Windows Vista GPMC. You will find that the “validate server certificate” option is checked.

 Edit: We have released a hotfix to resolve this issue. Please apply the following hotfix if you encounter the same issue:

http://support.microsoft.com/kb/2493933/en-us

Comments (6)

  1. danma_ says:

    Please apply the following hotfix if you encounter the same issue:

    support.microsoft.com/…/en-us

  2. danma_ says:

    Samuel, thanks for sharing.

  3. Jesse Evenson says:

    I have this exact issue, but when I try and create the policy on a Server 2008 machine it gives me an access denied error when trying to create a new 802.1x policy. Not sure what to do now.

  4. Samuel says:

    The hotfix states that it is for Vista and 2008 only.  What about XP because I am still running into problems with this OS.

  5. Samuel says:

    What I did to get this working was to create the policy on a Windows 7 machine and then modify it on the 2008 (non R2) machine.  Creating the policy on the 2008 box first gave me a result that the Windows 7 machines (as well as XP) could not get that policy.  Even though I created it on the Windows 7 group manager and unchecked validate, I still had to log into the 2008 box where it was not checked.

  6. jagat khatri says:

    My server certificate has gone invalid and I am unable to access my mail. An error of security error is served when I try to log on to my email. What to do?