Windows XP SP3, 802.1x, Server 2008 & mandatory profiles

I’ve been deploying Aruba wireless solutions for some time now, and as no two clients’ network infrastructures are the same, it offers some challenges and keeps me on my toes.

Pretty much all of the installations that I do use 802.1x authentication for their corporate SSID, and most of the clients use Windows Server 2003 & Windows XP SP3. The deployment of the wireless solution is usually pretty smooth as it’s all tried and tested.

Recently I’ve come across an issue with a deployment where the users struggle to authenticate.  The machines authenticated but once the user logged in they couldn’t authenticate.

The main difference in the deployment was the IAS server, which was Windows Server 2008 (so it’s NPS rather than IAS), but the client OS was Windows XP SP3, which is still pretty normal to see.

 

I double-checked the configuration of NPS and it was all fine. The administrator could connect to the wireless and any new users I created could also connect.

I checked the existing user accounts and noticed that they all used the same mandatory profile, which is stored on the server. A bit of investigation via the power of the mighty Google and a few minutes later I found a Microsoft KB titled “A Windows XP Service Pack 3-based client computer cannot use the IEEE 802.1x authentication when you use PEAP with PEAP-MSCHAPv2 in a domain”.

Looking at the title, this seemed promising, and while reading the KB (see below) this is exactly the configuration and what’s occurring.

  • You configure a Windows Server 2008-based computer as the Network Policy Server (NPS).
  • You enable IEEE 802.1x authentication in the network.
  • You use Protected Extensible Authentication Protocol (PEAP) with Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2) in the network.

In this scenario, when a Windows XP Service Pack 3 (SP3)-based client computer tries to join the network by using the IEEE 802.1x authentication, the IEEE 802.1x authentication fails.

Notes

  • This problem occurs when you use a user account that uses a mandatory user profile.
  • This problem does not occur when you use a user account that uses a roaming user profile.

You’ll need to call Microsoft to get hold of the hotfix, and make sure you don’t believe them if they say “This hotfix is included in XP SP3” because it isn’t. They tried to fob me off with that.

The hotfix also comes with a disclaimer…

WARNING: This fix is not publicly available through the Microsoft website as it has not gone through full Microsoft regression testing.  If you would like confirmation that this fix is designed to address your specific problem, or if you would like to confirm whether there are any special compatibility or installation issues associated with this fix, you are encouraged to speak to a Support Professional in Product Support Services.

It worked just fine on my client’s machines though, which made me and them happy.

Here’s the link to the KB. http://support.microsoft.com/kb/969111