Appendix F - IAS Registry Settings

On This Page

DefaultDomain
Allow LM Authentication
Default User Identity
Override User-Name
User Identity Attribute
Allow SNMP Set
Ping User-Name

DefaultDomain

Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\BuiltIn

Data type: REG_SZ

Range: n/a

Default value: The computer name or member domain of the IAS server.

Description: Specifies the domain used to validate a logon when no domain is specified in the Access-Request message. This entry applies to networked computers running Windows 2000 Server only. By default, the system uses the name of the primary domain of the local computer. However, you can add this entry to the registry to override the default value and force the system to use the specified domain.

Allow LM Authentication

Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy

Data type: REG_DWORD

Range: 0-1

Default value: 1

Present by default: No

Description: Determines whether LAN Manager (LM) Challenge/Response authentication is enabled (=1) or disabled (=0). IAS and the Routing and Remote Access service normally use Windows Challenge/Response authentication, version 2 (NTLMv2), because it protects the password far better than the LM exchange. LAN Manager authentication remains available only to keep compatibility with clients running earlier operating systems that do not support NTLMv2.

When enabled, LAN Manager authentication is supported. The PPP clients of earlier Microsoft operating systems such as Windows NT 3.5, Windows 95, or Windows 98 will be able to connect. However, use of LAN Manager authentication makes authentication more vulnerable to malicious attacks that take advantage of the weaker protocol.

When disabled, LAN Manager authentication is not supported. As a result, the PPP clients of earlier Microsoft operating systems, such as Windows NT 3.5, Windows 95, and Windows 98, will not be able to connect.

Default User Identity

Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy

Data type: REG_SZ

Range: n/a

Default value: The name of the guest account for the domain

Present by default: No

Description: Specifies the name used for Guest access to the network. By default, if a request for Guest access does not include the name of a user account, then the system uses the Guest account for the local computer or for the domain. However, you can add this entry to the registry to specify an alternate Guest account.

The account specified in this entry is used for Guest accounts instead of the default when:

  • The value of Override User-Name is 0.

  • User Identity Attribute does not appear in the registry.

  • The RADIUS attribute specified in the value of User Identity Attribute does not appear in the request.

Override User-Name

Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy

Data type: REG_DWORD

Range: 0-1

Default value: 0

Present by default: No

Description: Directs IAS to use the RADIUS attribute specified in the value of the User Identity Attribute registry setting to identify an account for purposes of authentication and accounting. The specified attribute is used instead of the user account name, even when a valid user account name appears in the request.

When Override User-Name is set to 0, IAS uses the value of the RADIUS User-Name attribute for authentication and accounting. When Override User-Name is set to 1, IAS uses the attribute specified in the value of User Identity Attribute.

RADIUS attributes are defined in RFC 2138. To find a list of RADIUS attributes, see RFC 2138, or see Remote Access RADIUS Attributes in Windows 2000 Server Help.

Caution: If the value of this entry is 1, and User Identity Attribute does not appear in the registry with a valid value, IAS does not authenticate any users.

User Identity Attribute

Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy

Data type: REG_DWORD

Range: 0-255

Default value: 1

Present by default: No

Description: Specifies, by attribute number, an alternate RADIUS attribute that IAS uses to identify a user account in Active Directory for authentication and authorization. By default, the alternate attribute specified here is used only when the access request does not include a user name (that is, when the request does not include a valid RADIUS User-Name attribute).

However, if the value of Override User-Name is 1, IAS must use the attribute specified in the value of this entry to identify the account, even when the request includes a valid User-Name attribute.

To specify an attribute, enter its RADIUS attribute number as a decimal integer. For example, to identify users by their caller ID or Automatic Number Identification (ANI), add this entry to the registry and set its value to 31, the RADIUS attribute number for Calling-Station-ID.

Note: If the attribute specified in this entry is not included in the request, IAS uses the value of the RADIUS User-Name attribute. If it is not present or valid, IAS uses the account specified in the value of Default User Identity, if available. Otherwise, the system uses the Guest account for the local computer or the domain.

RADIUS attributes are defined in RFC 2138. To find a list of RADIUS attributes, see RFC 2138, or see Remote Access RADIUS Attributes in Windows 2000 Server Help.
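The three Policy values above (Default User Identity, Override User-Name and User Identity Attribute) together decide which account IAS looks up for an Access-Request. The following Python model is an added illustration built from the descriptions on this page; it is not IAS code, and the request format (a dictionary of RADIUS attribute number to value) and the sample policies are constructed for the example. It also flags the configuration the Caution warns about, where Override User-Name is 1 but no valid User Identity Attribute is present.

```python
"""Model of how IAS chooses the account to authenticate from an Access-Request.

Added illustration derived from the registry descriptions of Override User-Name,
User Identity Attribute and Default User Identity; not IAS code.  RADIUS
attribute numbers follow RFC 2138.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

USER_NAME = 1            # RFC 2138 attribute number for User-Name
CALLING_STATION_ID = 31  # RFC 2138 attribute number for Calling-Station-Id


@dataclass
class RemoteAccessPolicy:
    """Values under HKLM\\SYSTEM\\CurrentControlSet\\Services\\RemoteAccess\\Policy.

    None models a value that is not present in the registry (none of these
    three values is present by default)."""
    override_user_name: int = 0                     # Override User-Name, 0-1
    user_identity_attribute: Optional[int] = None   # User Identity Attribute, 0-255
    default_user_identity: Optional[str] = None     # Default User Identity


def _valid(value: object) -> bool:
    """A usable identity string: present and non-empty."""
    return isinstance(value, str) and value.strip() != ""


def _attr_configured(policy: RemoteAccessPolicy) -> bool:
    attr = policy.user_identity_attribute
    return attr is not None and 0 <= attr <= 255


def resolve_identity(policy: RemoteAccessPolicy,
                     request: Dict[int, str],
                     guest_account: str = "DOMAIN\\Guest") -> Tuple[Optional[str], str]:
    """Return (identity, how it was chosen).

    identity is None when the configuration makes IAS authenticate nobody
    (the Caution under Override User-Name).  `request` maps RADIUS attribute
    numbers to values as parsed from the Access-Request (constructed here)."""
    attr = policy.user_identity_attribute

    if policy.override_user_name == 1:
        if not _attr_configured(policy):
            return None, "rejected: Override User-Name=1 without a valid User Identity Attribute"
        if _valid(request.get(attr)):
            # Override: the alternate attribute wins even when User-Name is present.
            return request[attr], f"attribute {attr} (override)"
        # Alternate attribute absent from the request: fall back to User-Name.
        if _valid(request.get(USER_NAME)):
            return request[USER_NAME], "User-Name (alternate attribute absent)"
    else:
        # Default behaviour: User-Name first, alternate attribute only when it is absent.
        if _valid(request.get(USER_NAME)):
            return request[USER_NAME], "User-Name"
        if _attr_configured(policy) and _valid(request.get(attr)):
            return request[attr], f"attribute {attr} (User-Name absent)"

    # No identity in the request: guest access, using Default User Identity if set.
    if _valid(policy.default_user_identity):
        return policy.default_user_identity, "Default User Identity (guest)"
    return guest_account, "built-in Guest account"


def audit_policy(policy: RemoteAccessPolicy) -> List[str]:
    """Flag the combinations this appendix warns about; empty list means no finding."""
    findings = []
    attr = policy.user_identity_attribute
    if policy.override_user_name == 1 and not _attr_configured(policy):
        findings.append("Override User-Name=1 without a valid User Identity Attribute: "
                        "IAS authenticates no users")
    if attr is not None and not 0 <= attr <= 255:
        findings.append(f"User Identity Attribute {attr} is outside the documented range 0-255")
    return findings


if __name__ == "__main__":
    # Constructed sample: identify callers by ANI (Calling-Station-Id) regardless of User-Name.
    policy = RemoteAccessPolicy(override_user_name=1, user_identity_attribute=CALLING_STATION_ID,
                                default_user_identity="DOMAIN\\RasGuest")
    for req in ({USER_NAME: "alice", CALLING_STATION_ID: "5551234"}, {USER_NAME: "alice"}, {}):
        print(req, "->", resolve_identity(policy, req))
    print(audit_policy(RemoteAccessPolicy(override_user_name=1)))
```

The guest fallback at the end is the path that Default User Identity overrides; the `None` return is the one case where the registry alone, not the request, prevents every logon.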

Allow SNMP Set

Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS\Parameters

Data type: REG_DWORD

Range: 0-1

Default value: 0

Present by default: No

Description: Determines whether IAS accepts (=1) or rejects (=0) incoming Simple Network Management Protocol (SNMP) Set messages. This entry applies only when SNMP is being used to monitor IAS.

Set messages change or update values in an SNMP MIB. IAS accepts these messages only when an agent has permission to write to the MIB.

Set messages are rejected by default, but you can add this entry to the registry to permit IAS to accept them.

Ping User-Name

Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS\Parameters

Data type: REG_SZ

Range: n/a

Default value: n/a

Present by default: No

Description: Specifies a user name (or user-name pattern with variables) that the Internet Authentication Service (IAS) recognizes as a fictitious name. As a result, IAS rejects authentication requests and responds to all accounting requests from this user. Additionally, IAS does not record transactions involving this user in any log files.

RADIUS proxy servers and network access servers (NASs) periodically send authentication and accounting requests (ping requests) to verify that the server is responsive. These ping requests carry fictitious user names.

This entry helps IAS recognize the fictitious name or naming scheme used in ping requests. This method is likely to improve IAS performance and make the event log easier to interpret.

To indicate more than one user name, enter a name pattern, such as a DNS name including wildcard characters. For help with patterns, see Appendix D.
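As an added illustration of the behaviour described for Ping User-Name (not IAS code), the following Python sketch applies a name pattern to incoming requests and shows the two effects: ping users get an Access-Reject or an Accounting-Response without any log record, while everyone else is logged and processed normally. The pattern syntax is an assumption of the example, which uses shell-style wildcards (fnmatch) rather than the Appendix D syntax, and the pattern and sample traffic are constructed.

```python
"""How a Ping User-Name pattern changes the handling of RADIUS requests.

Added illustration derived from this page's description of Ping User-Name;
not IAS code.  Assumptions: shell-style wildcard matching (the real syntax is
the one in Appendix D) and case-insensitive user names.
"""
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

# Constructed value of the Ping User-Name registry entry for this example.
PING_USER_NAME = "ping-*@monitor.example.com"


def is_ping_user(user_name: str, pattern: str = PING_USER_NAME) -> bool:
    """True when the User-Name matches the fictitious name or naming scheme."""
    return fnmatchcase(user_name.lower(), pattern.lower())


def handle_request(code: str, user_name: str,
                   pattern: str = PING_USER_NAME) -> Tuple[str, bool]:
    """Return (response, logged) for an Access-Request or Accounting-Request.

    Ping users: authentication is rejected, accounting is answered, and the
    transaction is not written to any log.  Other users go through normal
    processing and are logged."""
    if code not in ("Access-Request", "Accounting-Request"):
        raise ValueError(f"unsupported RADIUS code: {code}")
    if is_ping_user(user_name, pattern):
        response = "Access-Reject" if code == "Access-Request" else "Accounting-Response"
        return response, False
    response = "normal processing" if code == "Access-Request" else "Accounting-Response"
    return response, True


def process_batch(requests: List[Tuple[str, str]],
                  pattern: str = PING_USER_NAME) -> Dict[str, int]:
    """Count transactions that reach the log versus those suppressed as pings."""
    summary = {"logged": 0, "suppressed": 0}
    for code, user in requests:
        _, logged = handle_request(code, user, pattern)
        summary["logged" if logged else "suppressed"] += 1
    return summary


# Constructed sample traffic: a NAS's and a proxy's periodic pings mixed with a real user.
SAMPLE_REQUESTS = [
    ("Access-Request", "ping-nas01@monitor.example.com"),
    ("Accounting-Request", "ping-nas01@monitor.example.com"),
    ("Access-Request", "alice@example.com"),
    ("Accounting-Request", "alice@example.com"),
    ("Access-Request", "PING-proxy02@monitor.example.com"),
]

if __name__ == "__main__":
    for code, user in SAMPLE_REQUESTS:
        print(code, user, "->", handle_request(code, user))
    print(process_batch(SAMPLE_REQUESTS))
```

Only two of the five sample transactions reach the log, which is the event-log noise reduction the entry is meant to provide; a pattern that is too broad would silently drop real users' records in the same way, so the pattern should be checked against genuine user names before it is deployed.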