2.2.3.1.1 EAPTLS_CONN_PROPERTIES

This data structure specifies the configuration for the Microsoft implementation of EAP-TLS as specified in [RFC2716], on the client. The fields are as follows.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

Version

Size

Flags

TrustedCertHashInfo (24 bytes)

...

...

ServerName (variable)

...

NumberOfCAs

TrustedCertHashInfoList (variable)

...

Version (4 bytes): A 4-byte unsigned integer set to 2.

Size (4 bytes): A 4-byte unsigned integer set to the total size of EAPTLS_CONN_PROPERTIES data structure.

Flags (4 bytes): A 4-byte unsigned integer indicating the properties for EAP-TLS configuration by setting the following bit values.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

0

F

E

D

C

B

A

Where the bits are defined as:

Value

Description

A

                

EapTlsRegistry: If set to 1, clients use a certificate present in the Current User or Local Computer certificate store on the target machine. If set to 0, clients use a certificate present on a smart card.

B

                

EapTlsNoValidateServerCert: If set to 1, the client disables validation of the computer certificate of the authenticating server.

C

                

EapTlsNoValidateName: If set to 1, the client disables matching of the name of the authenticating server as indicated in the ServerName field.

D

                

EapTlsDifferentUsername: If not set to 1, the client uses the subject principal name from the certificate used for authentication.

E

                 

EapTlsSimpleCertSel: If set to 1, the client simplifies the list of certificates with which the user is prompted for selection. The client groups the certificates that are usable for EAP-TLS authentication based on the entity that was issued the certificate as indicated by the Subject Alternative Name and Subject fields of the certificates. If more than one such group is present, the client selects the most recently issued certificate from each group to create the list that is presented to the user so the user can select a certificate to be used for authentication. This setting is ignored if EapTlsRegistry bit is not set.

F

                

EapTlsDisablePromptValidation: If set to 1, the client does not prompt the user during the process of validating the certificate of the authenticating server.<16>

TrustedCertHashInfo (24 bytes): Contains the certificate information of the trusted root certification authority (CA) that the client trusts to accept a certificate of the authenticating server. This field is ignored by the client if EapTlsNoValidateServerCert is set. These 24 bytes are set to 0 if no trusted root certification authorities are indicated.

This field format is defined as CertHashInfo, and consists of the following sub-fields.


0


1


2


3


4


5


6


7


8


9

1
0


1


2


3


4


5


6


7


8


9

2
0


1


2


3


4


5


6


7


8


9

3
0


1

HashSize

CertHash (20 bytes)

...

...

HashSize (4 bytes): A 4-byte unsigned integer that is set to the size of the hash of the certificate stored in the CertHash field.

CertHash (20 bytes): 20 bytes containing the hash of the certificate belonging to the trusted root certification authority that the client trusts to accept a certificate of the authenticating server.

ServerName (variable): A null-terminated, semicolon-separated list of server names. Each server name consists of either an array of Unicode characters indicating the name of an authenticating server with which the client can authenticate without additional user consent, or a regular expression as specified in [ECMA-262] section 7.8.5.<17>

NumberOfCAs (4 bytes): A 4-byte unsigned integer that is set to the number of trusted root certification authorities being indicated including the preceding one.

TrustedCertHashInfoList (variable): An optional field that is present if and only if NumberOfCAs field is greater than 1. TrustedCertHashInfoList contains a list of (NumberOfCAs-1) TrustedCertHashInfo structures for different trusted root certification authorities. The client trusts either the trusted root certification authority indicated in the preceding TrustedCertHashInfo field or one from the list of TrustedCertHashInfo structures in this field to accept a certificate of the authenticating server.