Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation.

A computer password is not automatically changed during 802.1X authentication when you select the "Allow client to change password after it has expired" check box in Internet Authentication Service on a Microsoft Windows Server 2003-based computer


Symptoms

Consider the following scenario in Internet Authentication Service (IAS) on a Microsoft Windows Server 2003-based computer:
  • You configure the following authentication method for a remote access policy:
    • You enable Protected Extensible Authentication Protocol (PEAP) authentication together with the "Secured password (EAP-MSCHAPv2) EAP" authentication method.
    • In the EAP MSCHAPv2 Properties dialog box, you select the Allow client to change password after it has expired check box.

      Note By default, this check box is selected.
  • Then, a computer password expires, and it becomes invalid on the domain.
In this scenario, the computer password is not automatically changed when the computer authenticates in IAS by using 802.1X authentication. However, you expect PEAP-MSCHAPv2 authentication to be successful because the Allow client to change password after it has expired check box is selected. You usually experience this problem if the user reauthentication option is disabled in the remote access policy.

Cause

This problem occurs because the Allow client to change password after it has expired option applies only to user authentication. This option does not apply to computer authentication. This is true because only user authentication can prompt the user for new credentials. Therefore, 802.1X computer authentication is unsuccessful.

Workaround

To work around this problem, enable the user authentication option in IAS. When you do this, computer authentication is unsuccessful. However, user authentication is successful. Therefore, a security channel is established, and the computer password is reset.

More information

For more information about how to deploy or configure IAS, visit the following Microsoft Web site:

Keywords: KB936626, kbprb, kbtshoot

Article Info
Article ID : 936626
Revision : 4
Created on : 11/30/2007
Published on : 11/30/2007