Configure the TLS Handle Expiry Time on Client Computers

Updated: February 29, 2012

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

Use this procedure to change the amount of time that client computers cache the Transport Layer Security (TLS) handle of an NPS server. After successfully authenticating an NPS server, client computers cache TLS connection properties of the NPS server as a TLS handle. The TLS handle has a default duration of 10 hours (36,000,000 milliseconds). You can increase or decrease the TLS handle expiry time by using the following procedure.


This procedure must be performed on an NPS server, not on a client computer.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group.

To configure the TLS handle expiry time on client computers

  1. On an NPS server, open Registry Editor.

  2. Browse to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL

  3. On the Edit menu, click New, and then click Key.

  4. Type ClientCacheTime, and then press ENTER.

  5. Right-click ClientCacheTime, click New, and then click DWORD (32-bit) Value.

  6. Type the amount of time, in milliseconds, that you want client computers to cache the TLS handle of an NPS server after the first successful authentication attempt by the NPS server.