SYMPTOMS
When a client tries to connect to a remote access server,
the client may receive one or both of the following error messages:
The Local Security Authority cannot be contacted (Error 0x80090304). For customized troubleshooting information for this connection, click Help.
Error 0x80090022: Providers could not perform the action since the context was acquired as silent.
CAUSE
Case 1: A Server Certificate Uses a Key Size of 464 or Less
When you configure Extensible Authentication Protocol-Transport
Level Security (EAP-TLS) on a remote access server, and the server's
certificate has a key size of 464 bits or less, the client computer receives the
first error message described in the "Symptoms" section of this article when it
tries to authenticate with the server.
Note: The client receives this error message whether or not the client
is configured to validate the server certificate.
This issue occurs on both Windows 2000 Service Pack 3 (SP3)-based servers
and Windows Server 2003-based servers and affects both Windows 2000 SP3
and Windows XP-based clients.
Case 2: EAP Client Tries to Reconnect After it Returns from Standby
When a computer that is configured as an EAP client returns from
the standby or the hibernation power management mode, it tries to connect to
the server by using the EAP session resume feature. However, Internet
Authentication Service (IAS) does not currently support the EAP session resume
feature. Therefore, the client receives one or both of the error messages
described in the "Symptoms" section of this article when it tries to restore
the connection.
Case 3: EAP Client Tries To Reconnect an Active VPN Session
When a client removes a smart card during an active Virtual
Private Networking (VPN) session, disconnects, and then tries to reconnect to
the server, the client may receive the following error message:
Error 0x80090022: Providers could not perform the action since the
context was acquired as silent.
This issue occurs intermittently.
This issue may occur if the PIN number is not successfully transferred to the
Cryptographic Service Provider (CSP) when the user types it during the
reconnection attempt. The remote access server may receive the following event
message in the Event log:
Date: date
Source: Smart Card Logon
Time: time
Category: None
Type: Error
Event ID: 7
User: N/A
Computer: computername
Description:
An error occurred while signing a message using the inserted smart card:
Provider could not perform the action since the context was acquired as
silent. For more information, see Help and Support Center at
http://support.microsoft.com.
Data: 0000: 80090022
Case 4: Internet Security and Acceleration (ISA) Server is Configured to Drop Fragmented Packets
If you configure an ISA Server to permit Point to Point Tunneling
Protocol (PPTP)/1723 and Generic Routing Encapsulation (GRE) but to block
fragmented packets, the client's smart card-connected VPN session is terminated
and the client receives the following error message:
The Local Security Authority cannot be contacted (Error 0x80090304). For customized
troubleshooting information for this connection, click Help.
WORKAROUND
To work around this issue, use one of the following methods:
Case 1: A Server Certificate Uses a Key Size of 464 or Less
To work around this issue, configure the server with a certificate
whose key length is greater than 464 bits. Microsoft recommends that you use a
minimum value of 1024, or for a long-lived key, a length of 2048.
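To find server certificates that fall under these thresholds, the following PowerShell check (an added example, not part of the original article) lists certificates in the local computer's Personal store that can be used for server authentication and classifies their RSA key length. The store path Cert:\LocalMachine\My and the function names Get-KeySizeVerdict and Test-ServerAuthUsage are assumptions made for illustration; the thresholds are the ones stated above.

```powershell
# Added example: audit server certificates against the key lengths in this article.
# Thresholds come from the article; store path and function names are assumptions.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'      # Server Authentication EKU
$RsaOid        = '1.2.840.113549.1.1.1'   # rsaEncryption public key algorithm

function Get-KeySizeVerdict {
    param([int]$KeySize)
    if     ($KeySize -le 464)  { 'FAIL: 464 bits or less, EAP-TLS clients get error 0x80090304' }
    elseif ($KeySize -lt 1024) { 'WEAK: below the recommended minimum of 1024 bits' }
    elseif ($KeySize -lt 2048) { 'OK: meets the minimum; use 2048 bits for a long-lived key' }
    else                       { 'OK: 2048 bits or more' }
}

function Test-ServerAuthUsage {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    # No EKU extension means the certificate is not restricted to specific purposes.
    if (-not $eku) { return $true }
    foreach ($oid in $eku.EnhancedKeyUsages) {
        if ($oid.Value -eq $ServerAuthOid) { return $true }
    }
    return $false
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { Test-ServerAuthUsage $_ } |
    ForEach-Object {
        if ($_.PublicKey.Oid.Value -eq $RsaOid) {
            $bits    = $_.PublicKey.Key.KeySize
            $verdict = Get-KeySizeVerdict $bits
        } else {
            # Only RSA keys are classified; other algorithms are reported, not judged.
            $bits    = $null
            $verdict = 'SKIPPED: not an RSA key'
        }
        New-Object PSObject -Property @{
            Subject = $_.Subject; Thumbprint = $_.Thumbprint
            NotAfter = $_.NotAfter; KeyBits = $bits; Verdict = $verdict
        }
    } | Format-Table Subject, KeyBits, NotAfter, Verdict -AutoSize
```

Run it on the remote access or IAS server that presents the EAP-TLS certificate; any row marked FAIL corresponds to Case 1.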
Case 2: EAP Client Tries to Reconnect after Returning from Standby
To work around this issue, try to connect to the server again.
After the first unsuccessful call when the client returns from
standby, the next connection attempt works.
Case 3: EAP Client Tries To Reconnect an Active VPN Session
To work around this issue, try to connect to the remote access
server again.
Case 4: Internet Security and Acceleration (ISA) Server is Configured to Drop Fragmented Packets
To work around this issue, configure ISA Server to permit incoming
fragmented packets. To do so:
- Start the ISA Management utility.
- Under your server or array, locate, and then right-click
IP Packet Filters.
- Click Properties, and then click the
Packet Filters tab.
- Click to clear the Enable filtering of IP
fragments check box, and then click OK.