Change the Cached TLS Handle Expiry

Updated: February 29, 2012

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

During the initial authentication processes for Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), Protected Extensible Authentication Protocol-Transport Layer Security (PEAP-TLS), and Protected Extensible Authentication Protocol-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), the NPS server caches a portion of the connecting client's TLS connection properties. The client also caches a portion of the NPS server's TLS connection properties.

Each individual collection of these TLS connection properties is called a TLS handle.

Client computers can cache the TLS handles for multiple authenticators, while NPS servers can cache the TLS handles of many client computers.

The cached TLS handles on the client and server allows the reauthentication process to occur more rapidly. For example, when a wireless computer reauthenticates with an NPS server, the NPS server can examine the TLS handle for the wireless client and can quickly determine that the client connection is a reconnect. The NPS server authorizes the connection without performing full authentication.

Correspondingly, the client examines the TLS handle for the NPS server, determines that it is a reconnect, and does not need to perform server authentication.

On computers running Windows Vista and Windows Server 2008, the default TLS handle expiry is 10 hours.

In some circumstances, you might want to increase or decrease the TLS handle expiry time.

For example, you might want to decrease the TLS handle expiry time is in a scenario where a user's certificate is revoked by an administrator and the certificate has expired. In this scenario, the user can still connect to the network if an NPS server has a cached TLS handle that has not expired. Reducing the TLS handle expiry might help prevent such users with revoked certificates from reconnecting.

The best solution to this scenario is to disable the user account in Active Directory, or to remove the user account from the Active Directory group that is granted permission to connect to the network in network policy. The propagation of these changes to all domain controllers might also be delayed, however, due to replication latency.

Use the following tasks to configure the TLS handle expiry:

Community Additions