Choosing an authentication and authorization scheme

Updated: October 21, 2010

Applies To: Unified Access Gateway

This topic describes the authentication and authorization options that are available to help you develop a deployment strategy for Forefront Unified Access Gateway (UAG) DirectAccess.

By default, the Forefront UAG DirectAccess Configuration Wizard configures Windows Firewall with Advanced Security connection security rules that specify the use of the some types of credentials when negotiating the IPsec security associations for the tunnels to the Forefront UAG DirectAccess server, as follows:

  • The infrastructure tunnel uses Computer certificate credentials for the first authentication, and User (NTLMv2) for the second authentication. User (NTLMv2) credentials are used to force the use of Authenticated Internet Protocol (AuthIP), and because the DirectAccess client needs Domain Name System (DNS) and domain controller access before it can use Kerberos credentials for the intranet tunnel.

  • The intranet tunnel uses Computer certificate credentials for the first authentication and User (Kerberos V5) for the second authentication.

You can also specify additional authentication with specified server access, peer authentication methods for end-to-end access, and the use of smart cards for additional authorization.

The following sections describe the authentication and authorization design considerations to be taken when deploying a Forefront UAG DirectAccess solution.

Additional end-to-end peer authentication for specified server access

If you configure specified server access, the Forefront UAG DirectAccess Configuration Wizard configures Windows Firewall with Advanced Security connection security rules, to use Computer certificate or Computer (Kerberos V5) credentials for the first authentication and User (Kerberos V5) credentials for the second authentication to the selected servers.

Peer authentication for end-to-end access

When you manually configure the Windows Firewall with Advanced Security connection security rules for end-to-end access, you can configure your own methods for the first and second IPsec peer authentication. However, it is recommended that you use Computer certificate or Computer (Kerberos V5) for the first authentication, and User (Kerberos V5) for the second authentication.

Note

If you modify the connection security rules created by the Forefront UAG DirectAccess Configuration Wizard without using the Forefront UAG DirectAccess Configuration Wizard, you must use Network Shell (Netsh) commands. There are connection security rule settings that cannot be modified with the Windows Firewall with Advanced Security snap-in. If you modify these connection security rules with the Windows Firewall with Advanced Security snap-in, they will be overwritten with default values, which can result in incompatible connection security rules that prevent DirectAccess connections.

Smart cards for additional authorization

On the Authentication Options page of the Forefront UAG DirectAccess Configuration Wizard, you can require the use of smart cards for access to the intranet. When this option is selected, the Forefront UAG DirectAccess Configuration Wizard configures the IPsec connection security rule for the intranet tunnel on the DirectAccess server to require tunnel mode authorization with smart cards. Tunnel mode authorization is a feature of Windows Firewall with Advanced Security for Windows 7 and Windows Server 2008 R2, which allows you to specify that only authorized computers or users can establish an inbound tunnel.

To use smart cards with IPsec tunnel mode authorization for the intranet tunnel, you must deploy a PKI with smart cards infrastructure.

Note

  • The infrastructure tunnel does not require smart card authorization. This allows the DirectAccess client machine access to the defined infrastructure servers for authentication without the user smart card authorization requirement.

  • You can consider moving antivirus and Windows Server Update Services (WSUS) servers so that they are accessed in the infrastructure tunnel. This would enable you to update DirectAccess client antivirus settings even if the smart card authorization is unsuccessful.

    You can consider moving antivirus and Windows Server Update Services (WSUS) servers so that they can be accessed through the infrastructure tunnel. This would enable you to update DirectAccess client antivirus settings and Windows updates without the requirement for smart card authorization.

Allowing access for users with unusable smart cards

To allow temporary access for users with smart cards that are unusable, do the following:

  1. Create an Active Directory security group that will contain the user accounts of users who temporarily cannot use their smart cards.

  2. For the Forefront UAG DirectAccess server Group Policy object, configure global IPsec settings for IPsec tunnel authorization, and add the Active Directory security group to the list of authorized users.

To grant access to a user that cannot use their smart card, temporarily add their user account to the Active Directory security group. Remove the user account from the group when the smart card is usable.

Prompts for smart card credentials while on the intranet

Due to the timing between intranet detection and the automatic establishment of tunnels to the Forefront UAG DirectAccess server, it is possible for users of DirectAccess clients using smart cards to be prompted for smart card credentials when they are directly connected to the intranet. This is a prompt that users can ignore without loss of connectivity. The solutions to this issue are as follows:

  • Move the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) routing function to a separate server, and then add packet filters to this server that block all User Datagram Protocol (UDP) traffic for Internet Key Exchange (IKE) and AuthIP from the Internet Protocol version 6 (IPv6) address prefix of the intranet, to the IPv6 address of the Forefront UAG DirectAccess server’s tunnel endpoint. These filters will drop the tunnel establishment traffic sent by DirectAccess clients while intranet detection is in progress. For an example of moving the ISATAP routing function to another server.

This solution prevents the intranet tunnel negotiation with the Forefront UAG DirectAccess server during intranet detection when the DirectAccess client is on the intranet. By preventing the intranet tunnel negotiation, smart card authorization never occurs, and the user will not be prompted for smart card credentials.

Under the covers smart card authorization

Smart card authorization works by enabling tunnel mode authorization on the intranet tunnel connection security rule of the Forefront UAG DirectAccess server, for a specific Kerberos-based security identifier (SID) in a DirectAccess client’s Kerberos token. For smart card authorization, the authorized user is a well-known SID (S-1-5-65-1) that maps to smart card-based logons. This SID is referred to as “This Organization Certificate” when configured in the global IPsec tunnel mode authorization settings.

When you enable smart card authorization in the Authentication Options page of the Forefront UAG DirectAccess configuration Wizard, the wizard configures the global IPsec tunnel mode authorization setting with this SID for the Forefront UAG DirectAccess server Group Policy object. To view this configuration in the Windows Firewall with Advanced Security snap-in for the Forefront UAG DirectAccess server Group Policy object, do the following:

  1. Right click Windows Firewall with Advanced Security, and then click Properties.

  2. On the IP Settings tab, in IPsec tunnel authorization, click Customize.

  3. Click the Users tab. You should see the “NT AUTHORITY\This Organization Certificate” as an authorized user.