931125 Windows Root Certificate Program Members update and NPS authentication problems

If you installed the December update that refreshes the root certificates (an optional update for Server operating systems) and you use NPS, you may run into problems with 802.1x authentication.

The update in question has now been withdrawn from Windows Update and WSUS for Server operating systems: if you sync your WSUS server, the update should no longer be offered, and the KB article has been revised with the necessary information.

Windows Root Certificate Program Members

https://support.microsoft.com/kb/931125

If you installed the update and are experiencing NPS (802.1x) authentication problems, you are likely to see the following error message on the NPS/IAS server:

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: date
Time: time
User:
Computer: COMPUTERNAME
Description: User jsmith@contoso.com was denied access.
Fully-Qualified-User-Name = CONTOSOS\jsmith
NAS-IP-Address = 10.20.30.40
NAS-Identifier = WL1234-1
Called-Station-Identifier = 0016.462c.1650
Calling-Station-Identifier = 0012.f05b.a795
Client-Friendly-Name = WL1234-1
Client-IP-Address = 10.20.30.40
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 10037
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless Network Access Policy
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 266
Reason = The message received was unexpected or badly formatted.

The cause is that the default maximum TLS message length in the EAP-TLS exchange is 16,384 bytes; the newly installed root certificates push the size of the TLS blob that is sent above this limit, so the authentication fails.

In the netsh traces collected for this problem on the NPS/IAS servers you will also find the following entries:

[4104] 08-18 08:21:03:409: EapTlsBegin(domain\username) --> USER NAME
[4104] 08-18 08:21:03:409: SetupMachineChangeNotification
[4104] 08-18 08:21:03:409: State change to Initial
[4104] 08-18 08:21:03:409: EapTlsBegin: Detected 8021X authentication
[4104] 08-18 08:21:03:409: EapTlsBegin: Detected PEAP authentication
[4104] 08-18 08:21:03:409: MaxTLSMessageLength is now 16384 ---> MAXIMUM PAYLOAD LENGTH
[4104] 08-18 08:21:03:409: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[4104] 08-18 08:21:03:409: Force IgnoreRevocationOffline on client
[4104] 08-18 08:21:03:409: CRYPT_E_REVOCATION_OFFLINE will be ignored
[4104] 08-18 08:21:03:409: The root cert will not be checked for revocation
[4104] 08-18 08:21:03:409: The cert will be checked for revocation
[4104] 08-18 08:21:03:409: EapPeapBegin done
[4104] 08-18 08:21:03:409: EapPeapMakeMessage
[4104] 08-18 08:21:03:409: EapPeapCMakeMessage, flags(0x80500)
[4104] 08-18 08:21:03:409: Cloned PPP_EAP_PACKET packet
[4104] 08-18 08:21:03:409: PEAP:PEAP_STATE_INITIAL
[4104] 08-18 08:21:03:409: EapTlsCMakeMessage, state(0) flags (0x5060)
[4104] 08-18 08:21:03:409: EapTlsReset
[4104] 08-18 08:21:03:409: State change to Initial
[4104] 08-18 08:21:03:409: EapGetCredentials
[4104] 08-18 08:21:03:409: Flag is Client and Store is Current User
[4104] 08-18 08:21:03:409: GetCachedCredentials Flags = 0x5060
[4104] 08-18 08:21:03:409: FindNodeInCachedCredList, flags(0x5060), default cached creds(0), check thread token(1)
[4104] 08-18 08:21:03:409: No Cert Store. Guest Access requested
[4104] 08-18 08:21:03:409: No Cert Name. Guest access requested
[4104] 08-18 08:21:03:409: Will validate server cert
[4104] 08-18 08:21:03:409: MakeReplyMessage
[4104] 08-18 08:21:03:419: SecurityContextFunction
[4104] 08-18 08:21:03:419: InitializeSecurityContext returned 0x90312
[4104] 08-18 08:21:03:419: State change to SentHello
[4104] 08-18 08:21:03:419: BuildPacket
[4104] 08-18 08:21:03:419: << Sending Response (Code: 2) packet: Id: 4, Length: 118, Type: 13, TLS blob length: 108. Flags: L
[4104] 08-18 08:21:03:419: EapPeapCMakeMessage done
[4104] 08-18 08:21:03:419: EapPeapMakeMessage done
[4104] 08-18 08:21:03:489: EapPeapMakeMessage
[4104] 08-18 08:21:03:489: EapPeapCMakeMessage, flags(0x80500)
[4104] 08-18 08:21:03:489: Cloned PPP_EAP_PACKET packet ---> Response received from the server
[4104] 08-18 08:21:03:489: PEAP:PEAP_STATE_TLS_INPROGRESS
[4104] 08-18 08:21:03:489: EapTlsCMakeMessage, state(2) flags (0x5000)
[4104] 08-18 08:21:03:489: MakeReplyMessage
[4104] 08-18 08:21:03:489: Blob size 17668 is unacceptable ---> This message is larger than 16384 bytes, which is what causes the problem
[4104] 08-18 08:21:03:489: MakeAlert(47, Schannel)
[4104] 08-18 08:21:03:489: SecurityContextFunction
[4104] 08-18 08:21:03:489: InitializeSecurityContext returned 0x0
[4104] 08-18 08:21:03:489: State change to RecdFinished. Error: 0x57 -->

The error returned (0x57) is INVALID PARAMETER.
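Two quick checks for this condition, added here as an example and not part of the original post: the first function scans a saved EAP trace for the "MaxTLSMessageLength is now" and "Blob size ... is unacceptable" lines shown above and reports whether the received blob exceeded the limit; the second estimates, from the Cert:\LocalMachine\Root store of the machine it runs on, how many bytes the trusted issuer list adds to the TLS CertificateRequest that the server sends when SendTrustedIssuerList is enabled. The sample trace lines are constructed from the trace above, the size estimate is an approximation (a 2-byte length prefix around each DER-encoded root subject name, plus a 2-byte list length), and the trace file path in the usage comment is an assumption.

```powershell
# Added example, not code from the original post.
# Assumptions: a netsh/ras EAP trace saved as text, and the Root store of the
# machine that acts as the TLS server (the NPS/IAS server) for the size estimate.

function Get-EapTlsTraceSummary {
    param([Parameter(Mandatory)] [string[]]$Lines)

    $result = [ordered]@{ MaxTLSMessageLength = $null; BlobSize = $null; Exceeded = $false }

    foreach ($line in $Lines) {
        if ($line -match 'MaxTLSMessageLength is now (\d+)') {
            # The limit the EAP-TLS client will accept for one TLS message
            $result.MaxTLSMessageLength = [int]$Matches[1]
        }
        elseif ($line -match 'Blob size (\d+) is unacceptable') {
            # The size of the TLS blob that was rejected
            $result.BlobSize = [int]$Matches[1]
        }
    }

    if ($result.MaxTLSMessageLength -and $result.BlobSize) {
        $result.Exceeded = $result.BlobSize -gt $result.MaxTLSMessageLength
    }
    [pscustomobject]$result
}

function Get-TrustedIssuerListEstimate {
    # Approximation (assumption): every root CA in the store contributes its
    # DER-encoded subject name plus a 2-byte length, and the whole list carries
    # a 2-byte length of its own. More roots means a bigger CertificateRequest.
    param([string]$StorePath = 'Cert:\LocalMachine\Root')

    $roots = @(Get-ChildItem -Path $StorePath)
    $bytes = 2
    foreach ($cert in $roots) {
        $bytes += 2 + $cert.SubjectName.RawData.Length
    }
    [pscustomobject]@{ RootCount = $roots.Count; IssuerListBytes = $bytes }
}

# Constructed sample lines modelled on the trace in the post
$sampleTrace = @(
    '[4104] 08-18 08:21:03:409: MaxTLSMessageLength is now 16384',
    '[4104] 08-18 08:21:03:489: Cloned PPP_EAP_PACKET packet',
    '[4104] 08-18 08:21:03:489: Blob size 17668 is unacceptable',
    '[4104] 08-18 08:21:03:489: MakeAlert(47, Schannel)'
)
Get-EapTlsTraceSummary -Lines $sampleTrace
# Expected: MaxTLSMessageLength 16384, BlobSize 17668, Exceeded True

# On a real trace (path assumed): Get-EapTlsTraceSummary -Lines (Get-Content "$env:windir\tracing\rastls.log")
# On the NPS/IAS server, to see how much the Root store contributes: Get-TrustedIssuerListEstimate
```

The Exceeded flag being True together with a large IssuerListBytes value on the server is the combination described in this post: the trusted issuer list, swollen by the newly installed roots, makes the TLS blob bigger than the client's 16,384-byte limit. Running Get-TrustedIssuerListEstimate before and after step 1 below (removing the extra roots) shows whether that step brought the list back down.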

If you are experiencing the problem, there are three steps you can apply:

1) Back up the installed root certificates and then delete them,

2) Set the following registry value on the NPS server:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Value name: SendTrustedIssuerList
Value type: REG_DWORD
Value data: 0 (False)

3) Set the following registry value on the clients in the domain:

HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13

Value name: MaxTLSMessageLength
Value type: REG_DWORD
Value data: 64000 (Decimal)
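Steps 2 and 3 as a PowerShell script, added here as an example (not the original post's code): each value is written only after its previous value has been appended to a backup file, so the change can be reverted, and the value is read back afterwards to confirm it took. The registry paths, value names and data are the ones from the post; the backup file path and the function name are assumptions, step 2 is meant to run (elevated) on the NPS/IAS server and step 3 on the domain clients, so run only the call that applies to the machine you are on.

```powershell
# Added example, not code from the original post. Run in an elevated session.
# Assumptions: the backup file path under $env:TEMP and the helper name below.

function Set-RegistryDwordWithBackup {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [int]$Value,
        [string]$BackupFile = "$env:TEMP\nps-tls-registry-backup.txt"   # assumed location
    )

    # Create the key if it does not exist yet (the EAP\13 key may be absent on clients)
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    # Record the previous value (or its absence) before touching anything
    $current  = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    $previous = if ($null -eq $current) { '<absent>' } else { $current }
    "$(Get-Date -Format o) $Path\$Name previous=$previous new=$Value" | Add-Content -Path $BackupFile

    # Write the DWORD and read it back to verify
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
    $after = (Get-ItemProperty -Path $Path -Name $Name).$Name

    [pscustomobject]@{
        Path     = $Path
        Name     = $Name
        Previous = $previous
        Current  = $after
        Ok       = ($after -eq $Value)
    }
}

# Step 2 (NPS/IAS server): stop Schannel from sending the trusted issuer list,
# which is what the root certificate update made too large.
Set-RegistryDwordWithBackup `
    -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' `
    -Name 'SendTrustedIssuerList' -Value 0

# Step 3 (domain clients): raise the EAP-TLS (EAP type 13) message limit
# from the default 16384 bytes to 64000 bytes.
Set-RegistryDwordWithBackup `
    -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13' `
    -Name 'MaxTLSMessageLength' -Value 64000
```

The backup file holds one line per change with the old and new values, so reverting is a matter of reading the previous value back and calling the same function with it (or deleting the value with Remove-ItemProperty where the line says <absent>). For the clients, the same Set-ItemProperty call is what a Group Policy registry preference would apply at scale; the function here is for a single machine or a test client.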

Thanks,

Kutlay Aslan
Sr. Support Engineer, Microsoft