Logo
programming4us
programming4us
programming4us
programming4us
Home
programming4us
XP
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Windows Phone
 
Windows Server

Windows Server 2003 : Configuring Remote Access Connections (part 2) - Configuring Remote Access Authentication

- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire
3/21/2011 6:04:31 PM

Configuring Remote Access Authentication

After the dial-up client calls the remote access server and the necessary IP addresses are assigned, the credentials submitted with the connection must be authenticated. Authentication is the process of validating—through verification of a password or of alternative credentials such as a certificate or smart card—that the user is in fact the person he or she claims to be. Remote access authentication precedes domain logon authentication; if a dial-up user is attempting to log on to a domain remotely, the dial-up connection must be authenticated, authorized, and established before normal domain logon occurs.

Note

Whereas authentication refers to the process of validating user credentials, authorization refers to the process of allowing users access to resources. After remote access authentication occurs, the remote access connection is authorized only if the proper permissions are configured both on the dial-up properties of the user account and in the remote access policy that applies to the connection.


To log on to a domain through a dial-up connection, select the Log On Using Dial-Up Connection check box in the Log On To Windows dialog box. Then, after you type in your user name and password and click OK, a Network Connections dialog box appears. In the Choose A Network Connection drop-down list box, select the network connection you have configured for dial-up remote access, and then click Connect. The dial-up connection is then attempted; remote access authentication and authorization follow. Typically, the user name, domain, and password configured for the connection match those you submit for domain logon, but these two sets of credentials are configured and authenticated separately.

If the credentials of the dial-up connection are successfully authenticated, and if the remote access connection is authorized, a remote access connection is established. Normal domain logon follows; the credentials you enter in the Log On To Windows dialog box are submitted to a domain controller for domain authentication.

Note

If a user is dialing in to a stand-alone remote access server that is not a member of a domain, the user must first log on to his or her local computer or local domain before attempting to connect to the remote server. In this case, the remote computer’s verification of the credentials sent with the dial-up connection is the only authentication that needs to occur before the connection is authorized and established. These credentials must be stored in the answering server’s local Security Accounts Manager (SAM) before the user connects.


Performing Authentication Through RADIUS

You can configure remote access authentication to be performed through Windows authentication or through a Remote Authentication Dial-In User Service (RADIUS) server. Through Windows authentication, when the remote user attempts to dial up to a workgroup computer, the NAS authenticates the connection by verifying the user name and password in the server’s own local security database. When the remote user attempts to dial in to a domain, the NAS forwards the authentication request to the domain controller. However, when you configure a RADIUS server to authenticate remote access connections, the NAS passes both the authentication and authorization responsibility to a central server running IAS.

You choose this authentication method in one of two places: on the Managing Multiple Remote Access Servers page of the Routing And Remote Access Server Setup Wizard, as shown in Figure 5, or on the Security tab of the server properties dialog box in the Routing And Remote Access console, as shown in Figure 6. Note that in the wizard, if you want to use Windows authentication instead of a RADIUS server, you should select the option No, Use Routing And Remote Access To Authenticate Connection Requests.

Figure 5. Choosing a remote access authentication method


Figure 6. Choosing a remote access authentication method


Choosing Authentication Protocols

To authenticate the credentials submitted by the dial-up connection, the remote access server must first negotiate a common authentication protocol with the remote access client. Most authentication protocols offer some measure of security so that user credentials cannot be intercepted, and authentication protocols in Windows clients and servers are assigned a priority based on this security level.

The authentication protocol chosen for a remote access connection is always the most secure of those enabled in the client connection properties, the remote access server properties, and the remote access policy applied to the connection. For all remote access clients and servers running either Microsoft Windows 2000, Microsoft Windows XP, or the Microsoft Windows Server 2003 family, by default, that protocol is Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2).

The following is a complete list of the authentication protocols supported by Routing And Remote Access in Windows Server 2003 (listed in order from most secure to least secure):

  • Extensible Authentication Protocol-Transport Level Security (EAP-TLS) A certificate-based authentication based on EAP, an extensible framework that supports new authentication methods. Typically used in conjunction with smart cards. Supports encryption of both authentication data and connection data. Note that EAP-TLS is not supported on stand-alone servers; the remote access server running Windows Server 2003 must be a member of a domain.

  • MS-CHAP v2 A mutual authentication method offering encryption of both authentication data and connection data. New cryptographic key is used for each connection and each direction of transmission. Enabled by default in Windows 2000, Windows XP, and Windows Server 2003.

  • MS-CHAP v1 A one-way authentication method offering encryption of both authentication data and connection data. Same cryptographic key is used in all connections. Supports older Windows clients such as Microsoft Windows 95 and Microsoft Windows 98. (See Table 10-2 for a complete list of operating system compatibility.)

  • Extensible Authentication Protocol-Message Digest 5 Challenge Handshake Authentication Protocol (EAP-MD5 CHAP) A version of CHAP (see next bullet) ported to the EAP framework. Supports encryption of authentication data through the industry-standard MD5 hashing scheme. Provides compatibility with non-Microsoft clients, such as those running Mac OSX. Does not support encryption of connection data.

  • Challenge Handshake Authentication Protocol (CHAP) A generic authentication method offering encryption of authentication data through the MD5 hashing scheme. Provides compatibility with non-Microsoft clients. The group policy applied to accounts using this authentication method must be configured to store passwords using reversible encryption. (Passwords must be reset after this new policy is applied.) Does not support encryption of connection data.

  • Shiva Password Authentication Protocol (SPAP) A weakly encrypted authentication protocol offering interoperability with Shiva remote networking products. Does not support encryption of connection data.

  • Password Authentication Protocol (PAP) A generic authentication method that does not encrypt authentication data. User credentials are sent over the network in plaintext. Does not support encryption of connection data.

  • Unauthenticated access Not an authentication protocol but a configuration option which—when set on the network access server and remote access policy applied to the connection—allows remote access connections to connect without submitting credentials. Can be used to troubleshoot or test remote access connectivity. Does not support encryption of connection data.

Table 1 provides information to help you map your requirements to the appropriate protocol.

Table 1. Authentication Protocol Features
RequirementSelect
Encrypted authentication support for Windows 95, Windows 98, Microsoft Windows Millennium Edition (Me), or Microsoft Windows NT 4 remote access clients (native support)MS-CHAP v1
Encrypted authentication support for Windows 95, Windows 98, Windows Me, or Windows NT 4 remote access clients (with the latest Dial-Up Networking upgrade)MS-CHAP v2 (VPN only for Windows 95)
Encrypted authentication support for certificate-based Public Key Infrastructure (PKI), such as those used with smart cards (when the remote access server is a member of a Windows 2000 Server or Windows Server 2003 domain)EAP-TLS
Encrypted authentication support for other Windows 2000, Windows XP, and Windows Server 2003 remote access clientsMS-CHAP v2
Mutual authentication (client and server always authenticate each other)EAP-TLS, MS-CHAP v2
Support for encryption of connection dataMS-CHAP v1, MS-CHAP v2, EAP-TLS
Encrypted authentication support for remote access clients that use other operating systemsCHAP, EAP-MD5 CHAP
Encrypted authentication support for remote access clients running Shiva LAN Rover softwareSPAP
Unencrypted authentication when the remote access clients support no other protocolPAP
Authentication credentials not supplied by the remote access clientUnauthenticated access


Authentication Protocols: Operating System Support

Table 2 summarizes the authentication protocols supported in various versions of Windows.

Table 2. Authentication Protocol Support
Dial-Up Networking ClientSupported Authentication ProtocolUnsupported Authentication Protocol
Windows Server 2003, Windows XP, Windows 2000MS-CHAP, CHAP, SPAP, PAP, MS-CHAP v2, and EAP
Windows NT version 4MS-CHAP, CHAP, SPAP, PAP, and MS-CHAP v2 (with Windows NT 4.0 Service Pack 4 and later)EAP
Windows NT version 3.5 and version 3.51MS-CHAP, CHAP, SPAP, and PAPMS-CHAP v2, and EAP
Windows Me, Windows 98MS-CHAP, CHAP, SPAP, PAP, and MS-CHAP v2 (with Windows 98 Service Pack 1 and later)EAP
Windows 95MS-CHAP, CHAP, SPAP, and PAP (with the Windows Dial-Up Networking 1.3 Performance & Security Upgrade for Windows 95 and later)MS-CHAP v2 and EAP


Configuring Authentication Protocols: Client Side

To view or modify the authentication protocols enabled for a dial-up connection on the remote access client, open the properties dialog box of the dial-up connection on the client, and click the Security tab.

Figure 7 shows the default settings on the Security tab: the Typical (Recommended Settings) option is selected, and the Allow Unsecured Password setting is selected. If you click the Advanced (Custom Settings) option and then click the Settings button, the Advanced Security Settings dialog box opens. This dialog box, also shown in Figure 7, reveals the specific authentication protocols enabled by the current setting. Notice that the unencrypted authentication protocol PAP is enabled. The authentication protocol SPAP is also enabled. Although it encrypts authentication data, SPAP is not considered secure because it always sends each password over the network in the same reversibly encrypted form. Thus, the protocol is susceptible to replay attacks.

Figure 7. Default authentication protocols enabled on the dial-up client

When you select the Require Secured Password setting on the Security tab, as shown in Figure 8, the Advanced Security Settings dialog box reveals a different set of enabled authentication protocols. Specifically, only CHAP, MS-CHAP v1, and MS-CHAP v2 are enabled. The less secure PAP and SPAP are no longer available.

Figure 8. Requiring secured passwords on the remote access client

When you select the Require Data Encryption (Disconnect If None) check box, as shown in Figure 9, the list of enabled authentication protocols is further restricted. Specifically, only MS-CHAP v1 and MS-CHAP v2 are enabled, and CHAP is no longer available. For all authentication protocols except PAP, authentication data (user name and password) is encrypted. However, the MS-CHAP protocols also support encryption of PPP connection data through Microsoft Point-to-Point Encryption (MPPE). For the connection data to be successfully encrypted, the remote access policy applied to the connection must require data encryption. (Remote access policies do require data encryption by default.)

Figure 9. Requiring data encryption on the remote access client

Note

The EAP-TLS authentication protocol also allows for encryption of PPP connection data. However, this protocol requires configuration and is not automatically enabled by the Require Data Encryption (Disconnect If None) setting on the Security tab of the connection.


Finally, when you select the Use Smart Card setting, as shown in Figure 10, only the EAP-TLS authentication protocol is enabled. On the client, the EAP-TLS protocol is designated by the Smart Card Or Other Certificate (Encryption Enabled) selection under the Use Extensible Authentication Protocol (EAP) option.

Figure 10. Requiring smart card authentication on the remote access client

Configuring Authentication Protocols: Server Side

To view or modify the authentication protocols enabled on the remote access server, right-click the server icon in the Routing And Remote Access console and then click Properties. In the server properties dialog box, select the Security tab. On the Security tab, click the Authentication Methods button to open the Authentication Methods dialog box, shown with its default settings in Figure 11.

Figure 11. Authentication protocols in Routing And Remote Access


Finally, to view or modify the authentication protocols allowed by a remote access policy, select the Remote Access Policies node in the Routing And Remote Access console, double-click the appropriate policy, and then click the Edit Profile button in the policy properties dialog box. In the Edit Dial-In Profile dialog box, select the Authentication tab. Figure 12 shows the default settings of this tab. Note that by default, no EAP methods are enabled.

Figure 12. Authentication protocols in a remote access policy


To configure authentication settings in a remote access policy, complete the following steps:

1.
Perform one of the following tasks:

  • Open the Routing And Remote Access console and, if necessary, double-click Routing And Remote Access and the server name.

  • Open the Internet Authentication Service console and, if necessary, double-click Internet Authentication Service.

2.
In the console tree, click Remote Access Policies.

3.
In the details pane, double-click the policy that you want to configure.

4.
Click Edit Profile.

5.
On the Authentication tab, specify any required settings.

6.
Click OK.
Other -----------------
- Windows Server 2008 R2 : Remote Desktop Services - Why Implement Remote Desktop Services
- Windows Server 2008 R2 : Server-to-Client Remote Access and DirectAccess - Connection Manager
- Manage the Active Directory Domain Services Schema : Activate Attributes
- Manage the Active Directory Domain Services Schema : Deactivate Attributes
- Manage the Active Directory Domain Services Schema : Create Attributes
- Implementing Edge Services for an Exchange 2010 Environment : Using Content Filtering to Isolate Inappropriate Content
- Implementing Edge Services for an Exchange 2010 Environment : Utilizing SenderID on an Edge Transport Server
- Implementing Edge Services for an Exchange 2010 Environment : Utilizing the Basic Sender and Recipient Connection Filters (part 2)
- Implementing Edge Services for an Exchange 2010 Environment : Utilizing the Basic Sender and Recipient Connection Filters (part 1)
- Exchange Server 2010 : Installing and Configuring the Edge Transport Server Components
 
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
programming4us programming4us
Popular tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 windows Phone 7 windows Phone 8
programming4us programming4us
 
programming4us
Natural Miscarriage
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Game Trailer