Authentication Settings

Applies To: Windows Server 2008

Authentication settings

Windows Firewall with Advanced Security integrates Windows Firewall and Internet Protocol security (IPsec) into one console. These settings let you configure authentication as your environment requires. You can configure advanced authentication to apply as the default for all connection security rules or on a rule-by-rule basis.

If you configure these advanced authentication settings by using the IPsec tab of the Firewall Properties dialog box, they apply when you create connection security rules that have Default selected as the authentication method.

If you configure these advanced authentication settings by using the Authentication tab of the Connection Security Properties dialog box, the settings will apply only to the connection security rule whose properties you are editing.

Warning

It is not recommended that you configure both the First Authentication and Second Authentication to be optional. This is equivalent to turning authentication off.

First Authentication

The First Authentication method is performed during the Main Mode phase of IPsec negotiations. In this authentication, you can specify how the peer computer authenticates using the Kerberos version 5 authentication protocol, computer NTLM, computer certificates, or a preshared key. To use the Kerberos version 5 authentication protocol, both computers must belong to an Active Directory domain. If they are in separate domains, the domains must have a trust relationship between them. To use certificates, you must have a certification authority (CA).

You can specify multiple methods to use for this authentication. The methods are attempted in the order you specify; the first successful method is used.

First Authentication is optional

You can select this option to have the First Authentication performed with anonymous credentials. This is useful when the Second Authentication provides the primary, required means of authentication, and the First Authentication is to be performed only when both peers support it. For example, if you want to require User (Kerberos V5) authentication, which is only available as a Second Authentication, you can select First authentication is optional and select User (Kerberos V5) as the Second Authentication.

Second Authentication

With Second Authentication, you can specify how the user logged on to the peer computer authenticates, using the Kerberos version 5 authentication protocol, user certificates, or a computer health certificate. To use the Kerberos version 5 authentication protocol, both computers must belong to an Active Directory domain. If they are in separate domains, the domains must have a trust relationship between them. To use certificates, you must have a CA in your domain.

You can specify multiple methods to use for this authentication. You must use either all user-based authentication methods or all computer-based authentication methods. You cannot use the Second Authentication if you are using a preshared key for the First Authentication method, regardless of where the preshared key appears in the list. The methods are attempted in the order you specify; the first successful method is used.

Second Authentication is optional

You can select this option to have the Second Authentication performed only opportunistically. This is useful when the First Authentication provides the primary, required means of authentication, and the Second Authentication is to be performed only when both peers support it. For example, if you want to require Computer (Kerberos V5) authentication and want to use User (Kerberos V5) authentication opportunistically, you can select Computer (Kerberos V5) as the First Authentication, and select User (Kerberos V5) as the Second Authentication with Second authentication is optional selected.
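The two scenarios described under First Authentication is optional and Second Authentication is optional, expressed as netsh advfirewall consec rules (an added example, not part of the original page). The rule names and endpoint subnets are assumed values, and the example assumes that adding anonymous to a method list is how netsh expresses the "authentication is optional" check box.

```powershell
# Added example: connection security rules for the two optional-authentication
# scenarios, created with netsh advfirewall consec from a PowerShell console.
# Rule names and the 10.0.1.0/24 / 10.0.2.0/24 endpoints are assumed values.
# Method lists are quoted so that PowerShell passes the comma to netsh intact.

# Scenario "Second Authentication is optional":
#   First Authentication  = Computer (Kerberos V5), required
#   Second Authentication = User (Kerberos V5), tried when both peers support it
# Listing anonymous after userkerb is assumed to be the netsh equivalent of
# selecting "Second authentication is optional": user Kerberos is attempted
# first, and only the second phase may fall back to anonymous.
netsh advfirewall consec add rule `
    name="ComputerKerb-UserKerbOptional" `
    endpoint1="10.0.1.0/24" `
    endpoint2="10.0.2.0/24" `
    action=requireinrequestout `
    auth1=computerkerb `
    auth2="userkerb,anonymous"

# Scenario "First Authentication is optional":
#   First Authentication  = anonymous (optional)
#   Second Authentication = User (Kerberos V5), the required method
netsh advfirewall consec add rule `
    name="FirstOptional-UserKerbRequired" `
    endpoint1="10.0.1.0/24" `
    endpoint2="10.0.2.0/24" `
    action=requireinrequestout `
    auth1=anonymous `
    auth2=userkerb

# Shown only for comparison, not to be applied: anonymous in BOTH lists is the
# configuration the Warning above describes as equivalent to turning
# authentication off, because a peer that completes neither Kerberos method
# still finishes the negotiation.
#   auth1="computerkerb,anonymous" auth2="userkerb,anonymous"

# Review the result; the Auth1/Auth2 lines list the methods in the order
# they will be attempted.
netsh advfirewall consec show rule name="ComputerKerb-UserKerbOptional"
netsh advfirewall consec show rule name="FirstOptional-UserKerbRequired"
```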

Additional references

First Authentication

Second Authentication