KB44336 - Authentication fails against Windows NPS (Radius) server with Error "invalid credentials" when the password contains Umlaut character(s).

Last Modified Date: 1/6/2020 11:26 AM
Synopsis
This article describes an issue where authentication fails against a Windows NPS (RADIUS) server when the password contains umlaut characters.
Problem or Goal
Authentication fails against a Windows NPS (RADIUS) server when the password contains umlaut characters. This issue applies to both the Pulse client and the browser.
 
Cause
The issue occurs because NPS does not support UTF-8 encoding.

NPS does not encode the RADIUS password in UTF-8 as expected by RFC 2865; it encodes the password in Extended ASCII. Refer to https://tools.ietf.org/html/rfc2865.

The Pulse client supports UTF-8 and meets the RFC standard. The NPS server reads the password in the ASCII format, so the passwords do not match and authentication fails. This is expected behavior because the encoding mechanisms are different.

However, when using a browser, there is an option to choose the Western European encoding format. Authentication works through the browser when the Western encoding format is chosen, because the encoding formats match.

Working TCP dump (Western European (Windows), which is Extended ASCII encoding, chosen in the browser):
Password entered by the user: N0cßÜÖÄü2019.

User-added image


From the above screenshot, the password section is given below:

User-Password: N0c\337\334\326\304\3742019 (non-ASCII bytes shown as octal escapes)
The hex form of the password is: N0c\DF\DC\D6\C4\FC2019
If we replace the values as per the Extended ASCII table, the password string is: N0cßÜÖÄü2019. Please check the ASCII table here: https://www.ascii-code.com/
The password matches and authentication is successful.


Non-working TCP dump (Pulse client, which uses UTF-8 encoding by default):
Password entered by the user: N0cßÜÖÄü2019

User-added image

From the above screenshot, the password section is given below:

User-Password: N0c\303\237\303\234\303\226\303\204\303\2742019 (non-ASCII bytes shown as octal escapes)
The hex form of the password is: N0c\xC3\x9F\xC3\x9C\xC3\x96\xC3\x84\xC3\xBC2019

UTF-8 encoding N0cßÜÖÄü2019 gives N0c%C3%9F%C3%9C%C3%96%C3%84%C3%BC2019 in percent-encoded form, which is the same byte sequence as in the capture. Please check the UTF-8 encoding here: https://www.url-encode-decode.com/.

The password does not match and authentication fails with the error: Invalid credentials.
 
Solution
Microsoft does not support UTF-8, which is the standard format expected by RFC 2865.
Also, on the client side, it is not possible to change from UTF-8 to Extended ASCII, as this would break authentication for other RADIUS servers that comply with RFC 2865.

Workaround:

1. Avoid using any accented characters like ß, Ü, Ö, Ä, ü in the NPS password. Please use the characters present in the table from 0 to 127: https://www.ascii-code.com/
2. Contact Microsoft and raise a design change request to add support for UTF-8 in the NPS server.
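
The two captures and the first workaround, reproduced as an added Python example (not part of the original article and not vendor code). It assumes that "Western European (Windows)" corresponds to Python's cp1252 codec; all function names are illustrative.

```python
import re

# Password from the article, written with escapes so the file encoding is irrelevant.
PASSWORD = "N0c\u00df\u00dc\u00d6\u00c4\u00fc2019"  # N0cßÜÖÄü2019
# Assumption: "Western European (Windows)" / Extended ASCII is Python's cp1252 codec.
EXT_ASCII = "cp1252"

def octal_escape(data: bytes) -> str:
    """Render bytes as in the captures: printable ASCII as-is, the rest as \\ooo."""
    return "".join(
        chr(b) if 0x20 <= b < 0x7F and b != 0x5C else f"\\{b:03o}" for b in data
    )

def octal_unescape(text: str) -> bytes:
    """Turn a User-Password string copied from a capture back into raw bytes."""
    return re.sub(
        rb"\\([0-3][0-7]{2})",
        lambda m: bytes([int(m.group(1), 8)]),
        text.encode("ascii"),
    )

def classify(data: bytes) -> str:
    """Guess the client encoding (heuristic: some Extended ASCII is also valid UTF-8)."""
    if data.isascii():
        return "ascii"
    try:
        data.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        return "extended-ascii"

def as_read_by_server(password: str) -> str:
    """What a server decoding as Extended ASCII sees when the client sent UTF-8."""
    return password.encode("utf-8").decode(EXT_ASCII)

def nps_safe(password: str) -> bool:
    """First workaround: only characters 0 to 127, which are identical in both encodings."""
    return all(ord(c) <= 127 for c in password)

if __name__ == "__main__":
    for codec in (EXT_ASCII, "utf-8"):
        wire = PASSWORD.encode(codec)
        print(f"{codec:8} {classify(wire):15} {octal_escape(wire)}")
    print("server reads:", as_read_by_server(PASSWORD), "| safe:", nps_safe(PASSWORD))
```

`classify(octal_unescape(...))` can be run on a User-Password string copied from a capture to tell which encoding the client used.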

 
Created By: Nandini Seenachari
