Change in username format to UTF8 to handle International Characters

As the use of non-English characters in usernames becomes more common, it is important to use the right character encoding so that the full character set of these languages is represented correctly. In Windows Vista and Windows Server 2008 (LH), usernames were handled in ANSI format. ANSI reliably represents only the 0-127 (ASCII) range; extended characters (128-255) depend on the system code page and are not represented consistently. To support complete internationalization, the NPS (Microsoft RADIUS server) in Windows Server 2008 R2 by default expects the characters in the username to be in UTF-8 format for all authentication protocols. As a result of this change, RAS connections from Windows 7 and older RAS clients can fail in certain scenarios when a Windows Server 2008 R2 NPS is used for authentication. The scenarios that fail, and the workaround, are as follows:

1. The client is running a version of Windows older than Windows 7 and is using Extensible Authentication Protocol (EAP). Windows 7 clients are not affected because, by default, the RAS client in Windows 7 uses UTF-8 format for EAP-based authentication protocols.

2. The client is running any version of Windows and is using a non-EAP authentication protocol. This is because the RAS client on Windows 7 and earlier versions of Windows uses only ANSI format for non-EAP authentication protocols.

The above problems can be solved by configuring the NPS to accept ANSI format instead of UTF-8. This is done by creating a registry value:

a) Click Start, click Run, type regedit, and then click OK.

b) Locate the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EapHost\Configuration

c) Click Edit, point to New, and then click DWORD Value.

d) Type IdentityEncodingFormat, and then press ENTER.

e) Click Edit, click Modify, type 1 (hexadecimal 0x1) as the value data, and then click OK.

f) Exit the Registry Editor.
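The same change can be applied from an elevated PowerShell prompt instead of regedit. The script below is an added example and is not part of the original post or of the RRAS/NPS product: it creates the IdentityEncodingFormat DWORD under the EapHost\Configuration key, reads it back to verify the write, and first prints the ANSI and UTF-8 byte sequences of a few constructed sample usernames to show why only names containing characters above 0x7F are affected. It assumes code page 1252 stands in for "ANSI" (the actual ANSI code page depends on the system locale) and that the key may need to be created; the function and parameter names are this example's own.

```powershell
# Added example (not from the original post): PowerShell equivalent of the regedit
# steps above, plus a byte-level view of the ANSI vs UTF-8 difference.
# Run elevated on the NPS server (or on a Windows 7 client for the EAP case).

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\EapHost\Configuration'
$ValueName = 'IdentityEncodingFormat'

function Compare-UsernameEncoding {
    # Shows the bytes a username produces under ANSI (assumed code page 1252)
    # and under UTF-8. Identical = $true means the server will decode the
    # name correctly either way; $false means the two sides disagree.
    param([Parameter(Mandatory)][string]$UserName)
    $ansi = [System.Text.Encoding]::GetEncoding(1252).GetBytes($UserName)
    $utf8 = [System.Text.Encoding]::UTF8.GetBytes($UserName)
    [pscustomobject]@{
        UserName  = $UserName
        AnsiBytes = ($ansi | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
        Utf8Bytes = ($utf8 | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
        Identical = (($ansi -join ',') -eq ($utf8 -join ','))
    }
}

function Set-IdentityEncodingFormat {
    # Creates the key if missing and sets IdentityEncodingFormat = 1 (ANSI),
    # the value given in steps a) to e). -Revert deletes the value so the
    # server goes back to its default (UTF-8) behaviour.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Revert)

    if ($Revert) {
        if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'remove')) {
            Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
        }
    }
    else {
        if (-not (Test-Path $KeyPath)) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
        if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'set DWORD to 1')) {
            New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }

    # Read the value back so the result is verified rather than assumed.
    $current = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $current) { "$ValueName is not set (default: UTF-8)" }
    else { "$ValueName = $($current.$ValueName) (1 = ANSI)" }
}

# Constructed sample usernames. Non-ASCII characters are built from code points
# so the result does not depend on the script file's own encoding.
$samples = @(
    'jsmith',                          # ASCII only: same bytes in both encodings
    "m$([char]0x00FC)ller",            # u-umlaut (0xFC): 1 byte in ANSI, 2 in UTF-8
    "jos$([char]0x00E9)"               # e-acute (0xE9): likewise
)
$samples | ForEach-Object { Compare-UsernameEncoding $_ } | Format-Table -AutoSize

# Preview first; drop -WhatIf to apply the workaround on this machine.
Set-IdentityEncodingFormat -WhatIf
```

The table makes the failure boundary concrete: an ASCII-only username is byte-identical under both encodings, which is why only accounts with extended characters hit the mismatch. Note that Revert restores the default only on the machine where it runs; if the value was also set on Windows 7 clients for EAP, it must be removed there as well.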

This configuration change, however, causes EAP-based authentication from a Windows 7 client to fail, since the Windows 7 client still sends UTF-8 for EAP. To fix this case, create the same registry value (shown above) on the Windows 7 client so that it uses ANSI format for EAP-based authentication protocols too.

If you have a mix of remote access clients, you can use this registry setting to configure all servers and clients to use ANSI until you can upgrade all of the clients to a version of Windows that supports UTF-8 for the authentication methods you need to use. Remember to remove the value from both servers and clients once that upgrade is complete, so that international usernames are again handled in UTF-8.


Aanand Ramachandran

Program Manager, RRAS