How to properly use WlanSetProfileEapXmlUserData() with eaptlsuserpropertiesv1 to select a client certificate in Wifi EAP-TLS?

Andrew Schmidt 31 Reputation points
2021-08-31T00:06:43.08+00:00

I am building an app to automatically configure Windows devices to use wireless networks that use EAP-TLS authentication. I am trying to use the Windows Native Wifi call WlanSetProfileEapXmlUserData with the eaptlsuserpropertiesv1 EAPHostUserCredentials schema to select specific certificates for each profile. When I call WlanSetProfileEapXmlUserData with the XML below, the return value indicates success. However, when I try to connect to the wireless network, it fails with the error message "Can't connect because you need a certificate to sign in. Contact your IT support person." But I know the wireless profile itself is correct (see the XML below the EAPHostUserCredentials XML) and the certificates are correct for EAP-TLS, because I can connect without calling WlanSetProfileEapXmlUserData; I just have to manually select which certificate to use for the profile, so it is not automatic.

How do I use WlanSetProfileEapXmlUserData with eaptlsuserpropertiesv1 schema to programmatically set which client certificate to use with a wireless network profile?

EAPHostUserCredentials XML:
<?xml version="1.0" encoding="UTF-16"?>
<EapHostUserCredentials xmlns="http://www.microsoft.com/provisioning/EapHostUserCredentials">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Credentials>
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1">
      <Type>13</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsUserPropertiesV1">
        <UserCert>ec 2d f6 33 96 a7 f8 04 b8 e1 72 ea bd b5 10 4f 33 4f 0e eb </UserCert>
      </EapType>
    </Eap>
  </Credentials>
</EapHostUserCredentials>

Wireless profile XML:
<?xml version="1.0" encoding="UTF-16"?>
<w:WLANProfile xmlns:w="http://www.microsoft.com/networking/WLAN/profile/v1">
  <w:name>Primary</w:name>
  <w:SSIDConfig>
    <w:SSID>
      <w:name>Primary</w:name>
    </w:SSID>
  </w:SSIDConfig>
  <w:connectionType>ESS</w:connectionType>
  <w:connectionMode>auto</w:connectionMode>
  <w:autoSwitch>false</w:autoSwitch>
  <w:MSM>
    <w:security>
      <w:authEncryption>
        <w:authentication>WPA2</w:authentication>
        <w:encryption>AES</w:encryption>
        <w:useOneX>true</w:useOneX>
      </w:authEncryption>
      <w:preAuthMode>disabled</w:preAuthMode>
      <o:OneX xmlns:o="http://www.microsoft.com/networking/OneX/v1">
        <o:cacheUserData>true</o:cacheUserData>
        <o:authMode>machineOrUser</o:authMode>
        <o:EAPConfig>
          <hc:EapHostConfig xmlns:hc="http://www.microsoft.com/provisioning/EapHostConfig">
            <hc:EapMethod>
              <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
              <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
              <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
              <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
            </hc:EapMethod>
            <hc:Config>
              <be:Eap xmlns:be="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <be:Type>13</be:Type>
                <etls:EapType xmlns:etls="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
                  <etls:CredentialsSource>
                    <etls:CertificateStore>
                      <etls:SimpleCertSelection>true</etls:SimpleCertSelection>
                    </etls:CertificateStore>
                  </etls:CredentialsSource>
                  <etls:ServerValidation>
                    <etls:DisableUserPromptForServerValidation>true</etls:DisableUserPromptForServerValidation>
                    <etls:ServerNames>radius.meraki.com;www.radius.meraki.com</etls:ServerNames>
                    <etls:TrustedRootCA>2b 8f 1b 57 33 0d bb a2 d0 7a 6c 51 f7 0e e9 0d da b9 ad 8e </etls:TrustedRootCA>
                  </etls:ServerValidation>
                  <etls:DifferentUsername>false</etls:DifferentUsername>
                  <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</PerformServerValidation>
                  <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">true</AcceptServerName>
                  <etls2:TLSExtensions xmlns:etls2="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">
                    <etls3:FilteringInfo xmlns:etls3="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3">
                      <etls3:CAHashList Enabled="true">
                        <etls3:IssuerHash>6c c8 ed 07 72 4b 4d 05 8c 88 58 9b be 94 e2 1f 43 be 56 58 </etls3:IssuerHash>
                      </etls3:CAHashList>
                    </etls3:FilteringInfo>
                  </etls2:TLSExtensions>
                </etls:EapType>
              </be:Eap>
            </hc:Config>
          </hc:EapHostConfig>
        </o:EAPConfig>
      </o:OneX>
    </w:security>
  </w:MSM>
</w:WLANProfile>


2 answers

  1. Xiaopo Yang - MSFT 11,496 Reputation points Microsoft Vendor
    2021-08-31T02:58:27.073+00:00

    Perhaps the EAPHostUserCredentials XML has some problem. There is an EAP-TLS User Properties sample, as strEapXmlUserData says.


  2. Xiaopo Yang - MSFT 11,496 Reputation points Microsoft Vendor
    2021-09-22T08:52:41.9+00:00

    After researching, we found that WlanSetProfileEapXmlUserData() takes the parameter strEapXmlUserData as XML data based on the EAPHost User Credentials schema. However, it doesn't accept the EAP-TLS connection properties like the CertificateStore and TrustedRootCA elements, which are described in the eaptlsconnectionpropertiesv1 schema. In order to set the WLAN profile with all of these elements, it is necessary to call the WlanSetProfile API, which takes the parameter strProfileXml with a whole XML representation of the profile.
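As an added example, not code from the question, the answers or Microsoft: the helper below normalises a client-certificate SHA-1 thumbprint into the byte-spaced form that the UserCert, TrustedRootCA and IssuerHash elements on this page use, rejects anything that is not exactly 20 bytes, builds the EAPHost user-credentials XML from the question as a UTF-16 string, and, on Windows only, writes a complete profile through WlanSetProfile as the second answer recommends. The function names (parseThumbprint, toSpacedHex, buildEapTlsUserCredentialsXml, setWlanProfile) are this example's own; the Windows part assumes the first enumerated interface is the one to configure.

```cpp
// Added example (not from the question, the answers or Microsoft). Helper
// names are this example's own; Win32 calls are the documented wlanapi ones.
#include <cctype>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

#ifdef _WIN32
#include <windows.h>
#include <wlanapi.h>
#pragma comment(lib, "wlanapi.lib")
#endif

// Accepts "EC2DF6...", "ec:2d:f6:..." or "ec 2d f6 ... " and returns the raw
// 20 bytes. Anything that is not exactly 20 hex bytes is rejected, so a
// truncated or mistyped thumbprint fails here rather than at connect time.
std::vector<uint8_t> parseThumbprint(const std::string& text) {
    std::string hex;
    for (char c : text) {
        unsigned char uc = static_cast<unsigned char>(c);
        if (std::isxdigit(uc)) {
            hex.push_back(static_cast<char>(std::tolower(uc)));
        } else if (c != ' ' && c != ':' && c != '-') {
            throw std::invalid_argument("unexpected character in thumbprint");
        }
    }
    if (hex.size() != 40) {
        throw std::invalid_argument("SHA-1 thumbprint must be 20 bytes (40 hex digits)");
    }
    std::vector<uint8_t> bytes;
    for (size_t i = 0; i < hex.size(); i += 2) {
        bytes.push_back(static_cast<uint8_t>(std::stoul(hex.substr(i, 2), nullptr, 16)));
    }
    return bytes;
}

bool isValidThumbprint(const std::string& text) {
    try { parseThumbprint(text); return true; }
    catch (const std::invalid_argument&) { return false; }
}

// Lowercase hex pairs, each followed by a space ("ec 2d f6 ... eb "): the
// layout the schema-based XML on this page uses for certificate hashes.
std::string toSpacedHex(const std::vector<uint8_t>& bytes) {
    static const char digits[] = "0123456789abcdef";
    std::string out;
    for (uint8_t b : bytes) {
        out.push_back(digits[b >> 4]);
        out.push_back(digits[b & 0x0F]);
        out.push_back(' ');
    }
    return out;
}

// EAPHost user-credentials document for EAP-TLS (method type 13) naming one
// client certificate, as UTF-16 because the API takes an LPCWSTR.
std::wstring buildEapTlsUserCredentialsXml(const std::string& thumbprint) {
    std::string hash = toSpacedHex(parseThumbprint(thumbprint));
    std::wstring wideHash(hash.begin(), hash.end()); // ASCII only, so a plain widen is safe
    return L"<?xml version=\"1.0\" encoding=\"UTF-16\"?>"
           L"<EapHostUserCredentials xmlns=\"http://www.microsoft.com/provisioning/EapHostUserCredentials\">"
           L"<EapMethod>"
           L"<Type xmlns=\"http://www.microsoft.com/provisioning/EapCommon\">13</Type>"
           L"<AuthorId xmlns=\"http://www.microsoft.com/provisioning/EapCommon\">0</AuthorId>"
           L"</EapMethod><Credentials>"
           L"<Eap xmlns=\"http://www.microsoft.com/provisioning/BaseEapUserPropertiesV1\">"
           L"<Type>13</Type>"
           L"<EapType xmlns=\"http://www.microsoft.com/provisioning/EapTlsUserPropertiesV1\">"
           L"<UserCert>" + wideHash + L"</UserCert>"
           L"</EapType></Eap></Credentials></EapHostUserCredentials>";
}

#ifdef _WIN32
// Writes a complete WLAN profile XML (like the one in the question) to the
// first wireless interface. Returns the Win32 result; on failure reasonCode
// holds the WLAN_REASON_CODE, which WlanReasonCodeToString can explain.
DWORD setWlanProfile(const std::wstring& profileXml, DWORD& reasonCode) {
    HANDLE client = nullptr;
    DWORD negotiated = 0;
    DWORD rc = WlanOpenHandle(2, nullptr, &negotiated, &client);
    if (rc != ERROR_SUCCESS) return rc;

    PWLAN_INTERFACE_INFO_LIST ifaces = nullptr;
    rc = WlanEnumInterfaces(client, nullptr, &ifaces);
    if (rc == ERROR_SUCCESS) {
        if (ifaces->dwNumberOfItems == 0) {
            rc = ERROR_NOT_FOUND;
        } else {
            // dwFlags 0 = all-user profile; pass WLAN_PROFILE_USER for a per-user one.
            rc = WlanSetProfile(client, &ifaces->InterfaceInfo[0].InterfaceGuid, 0,
                                profileXml.c_str(), nullptr, TRUE, nullptr, &reasonCode);
        }
        WlanFreeMemory(ifaces);
    }
    WlanCloseHandle(client, nullptr);
    return rc;
}
#endif
```

The portable part compiles anywhere and is where a mistyped thumbprint gets caught; on Windows, check the reason code that WlanSetProfile returns when the result is not ERROR_SUCCESS, since a schema violation in the profile is reported there rather than in the result code alone.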