Define IPSec authentication methods

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To define IPSec authentication methods

  1. Create a console containing IP Security Policies. Or, open a saved console file containing IP Security Policies.

  2. Double-click the policy that you want to modify.

  3. Double-click the rule that you want to modify.

  4. On the Authentication Methods tab, click Add. Or, if you are reconfiguring an existing method, click the authentication method, and then click Edit.

  5. Select the authentication method that you want to add or modify:

    • To use the Kerberos V5 security protocol for authentication services, click Active Directory default (Kerberos V5 protocol) if this rule applies to computers that are validated by a Windows 2000 or Windows Server 2003 Active Directory domain or a trusted Active Directory domain.

    • To use a public key certificate for authentication services, click Use a certificate from this certification authority (CA), and then click Browse to select a root CA.

    • To prevent the name of the CA from being sent with the certificate request, select the Exclude the CA name from the certificate request check box.

    • To enable certificate to account mapping, select the Enable certificate to account mapping check box.

    • To specify your own key that will be used for authentication, click Use this string (preshared key).

  6. To delete an authentication method or change its preference order, do one of the following:

    • To delete the selected method, click Remove.

    • To move the selected method up one level, click Move up. Repeat until the method is at the required preference level.

    • To move the selected method down one level, click Move down. Repeat until the method is at the required preference level.

Important

  • The use of preshared key authentication is not recommended because it is a relatively weak authentication method. Preshared key authentication creates a master key that is less secure (that might produce a weaker form of encryption) than certificates or the Kerberos V5 protocol. In addition, preshared keys are stored in plaintext. Preshared key authentication is provided for interoperability purposes and to adhere to IPSec standards. It is recommended that you use preshared keys only for testing and that you use certificates or Kerberos V5 instead in a production environment.
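The same procedure, driven from the command line rather than the snap-in, as an added example that is not part of the original page: Windows Server 2003 also exposes IPSec policy configuration through the netsh ipsec static context, and the authentication-method keywords (kerberos, rootca with its certmap and excludecaname attributes, psk) correspond to the options in step 5. Policy, filter list, filter action and CA names below are constructed placeholders; create the policy, filter list and filter action first, and confirm the keyword syntax with `netsh ipsec static add rule ?` on the target system.

```powershell
# Added example, not from the original page. Names are constructed placeholders;
# the policy, filter list and filter action must already exist.
$policy  = "Example-IPSec-Policy"
$flist   = "Example-FilterList"
$faction = "Example-Negotiate"

# Step 5, preferred methods: Kerberos V5 for peers validated by the domain,
# plus a certificate from a named root CA for peers outside the forest.
# certmap:yes       = "Enable certificate to account mapping"
# excludecaname:yes = "Exclude the CA name from the certificate request"
netsh ipsec static add rule name="Example-Rule" policy="$policy" `
    filterlist="$flist" filteraction="$faction" `
    kerberos=yes `
    rootca="CN=Example Root CA,O=Example Corp certmap:yes excludecaname:yes"

# Step 4 "Edit" equivalent: change the methods on an existing rule.
# Here the certificate method is dropped and Kerberos V5 kept.
netsh ipsec static set rule name="Example-Rule" policy="$policy" `
    kerberos=yes rootca=""

# Preshared key only on a policy reserved for interoperability testing
# (see the Important note: the key is stored in plaintext and yields a
# weaker master key). Both peers must be given the identical string.
netsh ipsec static add rule name="Example-Test-Rule" policy="Example-Test-Policy" `
    filterlist="$flist" filteraction="$faction" `
    psk="constructed-test-key-replace-me"

# Review the stored configuration. This listing is also where to check that
# rules whose filters cover the same pair of addresses carry identical
# authentication-method lists, so that a main mode negotiation started by
# one rule cannot fail when it matches the filter of another.
netsh ipsec static show all
```

The two add commands are separated deliberately: keeping the preshared-key rule on its own test policy, rather than appending psk to the production rule, avoids leaving a plaintext key in the production policy store when the test is over.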

Notes

  • To manage Active Directory-based IPSec policies, you must be a member of the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. To manage local or remote IPSec policies for a computer, you must be a member of the Administrators group on the local or remote computer. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. For more information, see Default local groups and Default groups.

  • To create a console containing IP Security Policies, start the IP Security Policies snap-in. To open a saved console file, open MMC. For more information, see Related Topics.

  • The Kerberos V5 protocol authentication method is not supported on computers running Windows XP Home Edition.

  • If you choose to use a certificate for authentication, you must select a CA (most commonly the root CA for your installed computer certificate). You cannot leave this field blank.

  • For preshared key authentication, each IPSec peer must use the same preshared key, or authentication will fail.

  • If filters in more than one rule apply to traffic between the same two IP addresses, then the authentication methods list should be identical in both rules. Otherwise, security requests that are initiated by one rule might match the filter of the other rule, but have a different authentication method. In this case, the negotiation will fail. After a rule has initiated a successful main mode security association between two IP addresses, other rules that are filtering different traffic will not renegotiate the authentication and master key (the main mode security association). Instead, these other rules will use the same main mode security association to negotiate security (algorithms and session keys) for traffic that matches their particular filter.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Start the IP Security Policy Management snap-in
Open MMC
Add, edit, or remove IPSec policies
Authentication methods
Working with MMC console files