JSI Tip 6904. When you get a new certificate to replace an expired certificate on your IAS server, clients cannot authenticate?

Jerold Schulman

June 29, 2003


When your Windows 2000 SP4 or Windows Server 2003 Internet Authentication Service (IAS) server tries to authenticate clients that use Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) and are configured to verify the server's certificate, authentication fails and the client's event log contains:

Event Type: Error
Event Source: Schannel
Event Category: None
Event ID: 36876
Date: date
Time: time
User: N/A
Computer: computername
Description: The certificate received from the remote server has not validated correctly. The error code is 0x80090328.

You will experience this behavior when both the new and the expired certificate exist in the IAS server's computer certificate store, and either the IAS server is not a domain member, or it is a domain member but autoenrollment is not configured in the domain. Error code 0x80090328 is SEC_E_CERT_EXPIRED: the client rejected the certificate because it had expired, which means IAS presented the old certificate rather than its replacement.

To work around this issue, remove the expired certificate from the IAS server's computer certificate store:

01. On the IAS server, Start / Run / MMC / OK.

02. On the Console menu (the File menu in Windows Server 2003), press Add/Remove Snap-in and press Add.

03. Select Certificates and press Add.

04. Press Computer account.

05. Press Next and Finish.

NOTE: You can also add the Certificates snap-in for user and service accounts to this MMC snap-in.

06. Press Close.

07. Press OK.

08. Under Console Root, press Certificates (Local Computer).

09. On the View menu, press Options.

10. Select the Archived certificates box and press OK.

11. Expand Personal and press Certificates.

12. Right-click the expired (archived) digital certificate and press Delete. Press Yes to confirm.

13. Close the MMC snap-in.
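The same cleanup can be scripted. The following is an added example, not part of the original tip: it opens the computer's Personal store with the IncludeArchived flag (the equivalent of the Archived certificates view option above), reports every expired certificate, and removes one only when a current certificate with the same subject is already installed, so the server is never left without a usable certificate. It assumes Windows PowerShell running elevated on the IAS server (PowerShell was not available on Windows 2000 and must be installed separately on Windows Server 2003); the -Remove switch name is the script's own convention.

```powershell
# Added example (not from the original tip). Dry run by default; pass -Remove to delete.
param([switch]$Remove)

# Open LocalMachine\My. IncludeArchived exposes certificates that the MMC hides
# unless "Archived certificates" is ticked under View / Options. ReadWrite is only
# requested when we intend to delete, so the dry run works without write access.
$flags = if ($Remove) { 'ReadWrite, IncludeArchived' } else { 'ReadOnly, IncludeArchived' }
$store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store `
    -ArgumentList 'My', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]$flags)

$now = Get-Date

# Group by subject: the replacement certificate carries the same subject as the
# expired one, so a subject with a current certificate is safe to clean up.
foreach ($group in ($store.Certificates | Group-Object -Property Subject)) {
    $current = @($group.Group | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now })
    $expired = @($group.Group | Where-Object { $_.NotAfter -le $now })

    foreach ($cert in $expired) {
        $state = if ($cert.Archived) { 'archived' } else { 'visible' }

        if ($current.Count -eq 0) {
            # Removing the only certificate for this subject would leave IAS with
            # nothing to present; obtain the replacement first.
            Write-Warning ("{0}: expired {1} certificate {2} has no current replacement; renew before removing it" -f `
                $group.Name, $state, $cert.Thumbprint)
            continue
        }

        if ($Remove) {
            $store.Remove($cert)
            Write-Output ("Removed expired {0} certificate {1} (expired {2:u}); current certificate {3} (valid to {4:u}) remains" -f `
                $state, $cert.Thumbprint, $cert.NotAfter, $current[0].Thumbprint, $current[0].NotAfter)
        } else {
            Write-Output ("Would remove expired {0} certificate {1} (expired {2:u}); rerun with -Remove" -f `
                $state, $cert.Thumbprint, $cert.NotAfter)
        }
    }
}

$store.Close()
```

Run it once without parameters and confirm that the only certificates listed for removal are the expired ones you expect and that the current certificate reported alongside each is the newly issued one; then run it again with -Remove. The check for a current certificate with the same subject is what keeps an over-eager cleanup from reproducing the original outage in a different form.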

NOTE: See Windows 2000 Certificate Services.

NOTE: See Certificate Autoenrollment in Windows XP.
