IAS Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


In this section

  • IAS Tools

  • IAS Settings

  • IAS Registry Entries

  • Related Information

You can use Internet Authentication Service (IAS) tools, such as the IAS console and the Netsh commands for IAS, to configure your IAS servers. IAS settings include the use of the Message Authenticator attribute, shared secrets, domain name, and certificate templates. Because the correct configuration of your certificate templates for use with certificate-based authentication methods is critical to the success of your IAS deployment, this document provides step-by-step information about how to configure the Computer template and the IAS and RAS Servers template in Certificate Templates for Windows Server 2003.

IAS Tools

You can use the following tools to configure and manage your IAS servers.

IAS Console

After you install IAS, you can use the IAS console to configure Internet Authentication Service on the local computer. The console is launched through Administrative Tools, and can be used to configure Remote Authentication Dial-In User Service (RADIUS) clients, Remote Access Logging, Remote Access Policies, Connection Request Processing, and other server properties.

The IAS console can also be loaded as a snap-in from the Microsoft Management Console (MMC), allowing you to administer IAS on the local computer and on remote computers that are running IAS.

Netsh Command Reference for AAAA

You can use commands in the Netsh AAAA context to show and set the configuration of the authentication, authorization, accounting, and auditing (AAAA) database used by IAS and the Routing and Remote Access service. The AAAA database is also known as the IAS database (Ias.mdb). The primary use of commands in the Netsh AAAA context is to:

  • Export the configuration of one IAS server, including registry keys and the IAS database, as a Netsh script using either the dump command or one of the show commands.

  • Import the configuration to another IAS server using the netsh exec command, and a Netsh script that contains the set config command.

You can run the Netsh commands for AAAA from the Windows Server 2003 command prompt or from the command prompt for the Netsh AAAA context. For these commands to work at the Windows Server 2003 command prompt, you must type netsh aaaa before typing commands and parameters as they appear in the following syntax. There might be functional differences between Netsh context commands on Windows 2000 and Windows Server 2003.

The following table provides the command reference formatting legend, which describes how to interpret the syntax statement for each command.

Command Reference Formatting

Format                                                   Meaning
Italic                                                   Information that the user must supply.
Bold                                                     Elements that the user must type exactly as shown.
Between brackets ([])                                    Optional items.
Between braces ({}); choices separated by pipe (|).      Set of choices from which the user must choose only one.
  Example: {even|odd}

The following is the full command reference for the Netsh commands for AAAA.

dump

Displays the configuration of the IAS database file (Ias.mdb) as a Netsh command script.

Syntax
dump
Remarks

The dump command displays the Netsh command script that you can use to duplicate the configuration of the server running IAS or the Routing and Remote Access service on which the command is executed. The Netsh command script contains the configuration of the IAS server, including the registry keys and database file, in a compressed text format as a large data block. This large data block is used by the set config command within the script to import the configuration of a saved data block into an existing IAS database on the same or another computer using the netsh exec command. To save the Netsh command script to a file, type the following at a command prompt: netsh aaaa show config > Path\File.txt.

The dump command is not supported on computers running Windows 2000 Server.

set config

Configures the IAS server and IAS database with the registry keys and database imported from the specified data block.

Syntax
set config [type={server_settings | clients | connection_request_policies | logging | remote_access_policies}] blob=DataBlock
Parameters

blob=DataBlock

Required. Specifies the file that contains the configuration of the IAS server, including registry keys and IAS database, in a compressed text format as output by the dump or show commands.

type=

Specifies the kind of data that you want to import from the DataBlock to the local server configuration.

server_settings

Specifies that the server configuration settings are imported from the DataBlock to the local server. The imported settings include Server Description, system event log settings, registry keys, and ports that are used specifically for the IAS service.

clients

Specifies that the settings for RADIUS Clients, as viewed in the IAS console, are imported to the local server from DataBlock.

connection_request_policies

Specifies that the IAS settings for Connection Request Processing, including Connection Request Policies and Remote RADIUS Server Groups, as viewed in the IAS console, are imported to the local server from DataBlock.

logging

Specifies that the IAS settings for Remote Access Logging, as viewed in the IAS console, are imported to the local server from DataBlock.

remote_access_policies

Specifies that the IAS settings for Remote Access Policies, as viewed in the IAS console, are imported to the local server from DataBlock.

Remarks

Running the set config command manually is not supported. This command is used only within a Netsh command script that is created by using the dump or show commands.

To view the version of the IAS database on which the Netsh script is being run, use the show version command. Scripts older than those created with Windows Server 2003 are supported.

The configuration of IAS servers running on products in the Windows 2000 Server family can be imported into products in the Windows Server 2003 family that support IAS with the set config command. The reverse, however, is not possible.

show clients

Displays the RADIUS client list for the local IAS server.

Syntax
show clients
Remarks

This command dumps the RADIUS client list of the IAS server on which the command is run. In the IAS console, this client list is displayed in RADIUS Clients.

The Netsh command script contains the local server settings, including registry keys and the IAS database (Ias.mdb), as a large data block in a compressed text format. To import the configuration into an existing IAS server on either the same or another computer, you can use the netsh exec command. To save the Netsh command script to a file, type netsh aaaa show clients > Path\File.txt at a command prompt.

This command is not available on computers running Windows 2000 Server.

show config

Displays the configuration of the IAS database file as a Netsh command script.

Syntax
show config
Remarks

The show config command is equivalent to the dump command.

The show config command displays the Netsh command script that you can use to duplicate the configuration of the server running IAS or the Routing and Remote Access service on which the command is run. The Netsh command script contains the configuration of the IAS server, including registry keys and the IAS database, as a large data block in a compressed text format. To import the configuration into an existing IAS server on either the same or another computer, you can use the netsh exec command. To save the Netsh command script to a file, type netsh aaaa show config > Path\File.txt at a command prompt.

This command is not available on computers running Windows 2000 Server.

show connection_request_policies

Displays the Connection Request Processing policies configuration of the IAS server in script format.

Syntax
show connection_request_policies
Remarks

This command displays Connection Request Policies for the IAS server on which the command is run. In the IAS console, these policies are displayed in Connection Request Processing and include Connection Request Policies and Remote RADIUS Server Groups.

The Netsh command script contains the local server settings as a large data block in a compressed text format. To import the configuration into an existing IAS server on either the same or another computer, you can use the netsh exec command. To save the Netsh command script to a file, type netsh aaaa show connection_request_policies > Path\File.txt at a command prompt.

This command is not available on computers running Windows 2000 Server.

show logging

Displays the logging configuration for the local IAS server.

Syntax
show logging
Remarks

This command displays the Remote Access Logging configuration for the IAS server on which the command is run. In the IAS console, this information is displayed in Remote Access Logging.

The Netsh command script contains the local server settings as a large data block in a compressed text format. To import the configuration into an existing IAS server on either the same or another computer, you can use the netsh exec command. To save the Netsh command script to a file, type netsh aaaa show logging > Path\File.txt at a command prompt.

This command is not available on computers running Windows 2000 Server.

show remote_access_policies

Displays all objects within the remote access policy.

Syntax
show remote_access_policies
Remarks

This command displays the Remote Access Policies for the IAS server on which the command is run. In the IAS console, this information is displayed in Remote Access Policies.

The Netsh command script contains the local server settings as a large data block in a compressed text format. To import the configuration into an existing IAS server on either the same or another computer, you can use the netsh exec command. To save the Netsh command script to a file, type netsh aaaa show remote_access_policies > Path\File.txt at a command prompt.

This command is not available on computers running Windows 2000 Server.

The output of this command is an encoded data block that is either displayed in the command prompt window or saved to a text file at the folder location you specify. The following registry keys and values are contained in the data block:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\BuiltIn\DefaultDomain\REG_SZ

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy\Allow LM Authentication\REG_DWORD

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy\Default User Identity\REG_SZ

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy\User Identity Attribute\REG_DWORD

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy\Override User-Name\REG_DWORD

show server_settings

Displays the configuration of the local IAS server as a Netsh command script.

Syntax
show server_settings
Remarks

This command displays the configuration of server settings for the IAS server on which the command is run. These settings include: server description; settings for accounting and authorization events in the system event log; ports used by the service; and registry keys and their values. To display server settings in the IAS console, right-click the server and click Properties.

The Netsh command script contains the local server settings as a large data block in a compressed text format. This large data block is used within the script by the netsh exec command to import the configuration of a saved data block into an existing IAS server on the same or another computer. To save the Netsh command script to a file, type netsh aaaa show server_settings > Path\File.txt at a command prompt.

This command is not available on computers running Windows 2000 Server.

The output of this command is an encoded data block that is either displayed in the command prompt window or saved to a text file at the folder location you specify. The following registry keys and values are contained in the data block:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS\Parameters\Allow SNMP Set\REG_DWORD

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\MaxDenials\REG_DWORD

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\ResetTime\REG_DWORD

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS\Parameters\Ping User-Name\REG_SZ

show version

Displays the version of the IAS database.

Syntax
show version

Importing or Exporting Configurations

You can export IAS server configuration in part or in total by using the Netsh commands for AAAA. For example, you can export the full configuration of an IAS server using the netsh aaaa show config command at the command prompt, or you can export only the remote access policies of the server using the netsh aaaa show remote_access_policies command. IAS configuration can then be imported by using the netsh exec command.

When importing or exporting configurations, keep the following in mind:

  • You do not need to stop IAS on the destination computer to run the netsh exec command. When the command is run, IAS is automatically refreshed with the updated configuration settings.

  • Do not use this procedure if the source IAS database is a higher version number than the version number of the destination IAS database. You can view the version number of the IAS database from the display of the netsh aaaa show config command.

Note

  • The configuration of IAS servers running on products in the Windows 2000 Server family can be imported into products in the Windows Server 2003 family with netsh AAAA commands. The reverse, however, is not possible. To centrally manage IAS on both Windows 2000 and Windows Server 2003, you can first make configuration changes on IAS servers running Windows 2000, and then import the new server configuration into IAS servers running Windows Server 2003.

  • IAS configurations are encoded and compressed; however, they are not encrypted in the text file. Because IAS configurations are not encrypted in the text file, sending the text file over a network poses a security risk and is not recommended.

  • You can copy a remote access configuration from a server running Windows 2000 or Windows Server 2003 and the Routing and Remote Access service to an IAS server. Use the netsh aaaa dump command at the remote access server to create a file that contains the configuration, copy the file to the IAS server, and then use the netsh exec command to import the configuration to the IAS server. Next, configure RADIUS clients on the IAS server.

Software Development Kits

The Microsoft Platform Software Development Kit (SDK) contains the IAS and EAP SDKs, which you can use to extend the functionality of IAS.

IAS Software Development Kit

The IAS SDK can be used to:

  • Return custom attributes to the access server in addition to those returned by IAS. For example, you can create a customized module to assign IP addresses.

  • Control the number of user network sessions.

  • Import usage and audit data directly into an Open Database Connectivity (ODBC)-compliant database.

  • Create customized authorization modules.

  • Create customized authentication modules (non-EAP).

EAP Software Development Kit

The Extensible Authentication Protocol (EAP) SDK allows you to create EAP types and implement arbitrary authentication methods using EAP.

Network Monitor

The optional management and monitoring component Network Monitor tool can be used to capture the RADIUS messages being sent and received for detailed analysis.

For more information about setting up and using Network Monitor, see “Monitoring Network Performance” in the Microsoft Windows Server 2003 Resource Kit Server Operations Guide.

To view RADIUS messages, configure Network Monitor with a display filter to display only RADIUS messages by disabling all protocols except the RADIUS protocol.

IAS Settings

The following section provides step-by-step information about how to configure the domain name and certificate templates, as well as how to use shared secrets and other IAS features and settings.

Configuring the Default Domain Name

While processing connection requests, IAS examines the user name portion of the Access-Request message to determine whether a domain name has been specified. If a domain name is specified and IAS is configured to access the user accounts database in the designated domain, IAS proceeds with processing the connection request.

Note

  • Some network access servers delete or modify the domain name as specified by the user. As a result, the network access request is authenticated against the default domain, which might not be the domain for the user’s account. To resolve this problem, configure your RADIUS servers to change the user name into the correct format with the accurate domain name.

When the user name does not contain a domain name, IAS supplies one. By default, the IAS-supplied domain name is the domain of which the IAS server is a member.

IAS resolves a user name without a specified domain name in the following sequence:

  1. IAS checks the default domain registry key. If one is specified, IAS authenticates the user against the domain specified in the registry key.

  2. If the IAS server is a member of a domain, IAS authenticates the user against the domain to which it is joined.

  3. If the IAS server is not a member of a domain, IAS authenticates the user against the local Security Accounts Manager (SAM) database.

For information about how to specify the IAS-supplied domain name, see "IAS Registry Entries."

Configuring Certificate Templates

The configuration of certificate templates is not a function performed within the IAS console; however, the correct configuration of your certificate templates is critical to the success of your IAS deployment. The following two sections provide server certificate requirements and client certificate requirements, as well as how to configure your certificate template in the Certificate Templates snap-in.

Note

  • You can view the IAS console and the Certificate Templates snap-in within the same Microsoft Management Console (MMC) window. Just create a custom snap-in configuration by adding the snap-ins you want to view to the console window. To reuse your custom view, save the console configuration.

These instructions are based on the following assumptions:

  • You have designed a public key infrastructure (PKI).

  • Based on both Certificate Services best practices and your own network and PKI requirements, you have installed Certificate Services in Windows Server 2003.

Note

  • If you are running an enterprise certification authority (CA) on a computer running Windows Server 2003, Enterprise Edition, Windows Server 2003, Datacenter Edition, the 64-bit version of Windows Server 2003, Enterprise Edition, or the 64-bit version of Windows Server 2003, Datacenter Edition, it is recommended that you use the RAS and IAS Server certificate template for server certificates and the Workstation Authentication template for client certificates. If you are running an enterprise CA on a computer running Windows Server 2003, Standard Edition, you can use the Computer certificate template for both server and client certificates. However, you must configure the certificate purposes to match the certificate function.

Server certificate requirements

Client computers can be configured to validate server certificates by using the Validate server certificate option.

With Protected EAP Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), Protected EAP Transport Level Security (PEAP-TLS), or EAP-TLS as the authentication method, the client accepts the server’s authentication attempt when the certificate meets the following requirements:

  • The Subject name contains a value. If you issue a certificate to your IAS server that has a blank Subject, the certificate is not available to authenticate your IAS server.

    To configure the certificate template with a Subject name

    1. Open Certificate Templates.

    2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

    3. Click the Subject Name tab, and then click Build from this Active Directory information.

    4. In Subject name format, select a value other than None.

  • The computer certificate on the server chains to a trusted root CA and does not fail any of the checks that are performed by CryptoAPI and specified in the remote access policy. When you use the RAS and IAS Servers certificate template, the certificate based on the template passes CryptoAPI checks.

  • The IAS or VPN server computer certificate is configured with the Server Authentication purpose in Enhanced Key Usage (EKU) extensions. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1.

  • For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN).

    To configure the UPN name in a certificate template

    1. Open Certificate Templates.

    2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

    3. Click the Subject Name tab, and then click Build from this Active Directory information.

    4. In Include this information in alternate subject name, select User principal name (UPN).

  • For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the client’s fully qualified domain name (FQDN), which is also called the DNS name.

    To configure this name in the certificate template

    1. Open Certificate Templates.

    2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

    3. Click the Subject Name tab, and then click Build from this Active Directory information.

    4. In Include this information in alternate subject name, select DNS name.

With PEAP-TLS and EAP-TLS, clients display a list of all installed certificates in the Certificates snap-in, with the following exceptions:

  • Wireless clients do not display registry-based and smart card-logon certificates.

  • Wireless clients and virtual private network (VPN) clients do not display password-protected certificates.

  • Certificates that do not contain the Client Authentication purpose in EKU extensions are not displayed.

Note

  • You can designate which certificate is used by the IAS or VPN server in the remote access policy profile. When you configure EAP and PEAP authentication methods that require a certificate for server authentication and you do not select a specific certificate in the Smart Card or other Certificate Properties dialog box, the IAS or VPN server automatically selects a certificate from the computer certificate store. If the server obtains a newer certificate, it uses the new certificate. This might cause the IAS or VPN server to use a certificate that is not correctly configured for authentication, causing authentication to fail as a result. To prevent this, always manually select a server certificate when configuring PEAP and EAP authentication methods that require one.

Client certificate requirements

With EAP-TLS or PEAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements:

  • The client certificate is issued by an enterprise CA and maps to a user or computer account in Active Directory.

  • The user or computer certificate on the client chains to a trusted root CA, includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2), and fails neither the checks that are performed by CryptoAPI and specified in the remote access policy nor the Certificate object identifier checks that are specified in IAS remote access policy. When you use the Workstation Authentication certificate template, the certificate based on the template passes CryptoAPI checks by default.

  • The 802.1X client does not use registry-based certificates that are either smart card-logon or password-protected certificates.

  • For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN).

    To configure the UPN in a certificate template

    1. Open Certificate Templates.

    2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

    3. Click the Subject Name tab, and then click Build from this Active Directory information.

    4. In Include this information in alternate subject name, select User principal name (UPN).

  • For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the client’s fully qualified domain name (FQDN), which is also called the DNS name.

    To configure the DNS name in the certificate template

    1. Open Certificate Templates.

    2. In the details pane, right-click the certificate template that you want to change, and then click Properties.

    3. Click the Subject Name tab, and then click Build from this Active Directory information.

    4. In Include this information in alternate subject name, select DNS name.

With PEAP-TLS and EAP-TLS, clients display a list of all installed certificates in the Certificates snap-in, with the following exceptions:

  • Wireless clients do not display registry-based and smart card-logon certificates.

  • Wireless clients and VPN clients do not display password-protected certificates.

  • Certificates that do not contain the Client Authentication purpose in EKU extensions are not displayed.

Using the Message Authenticator Attribute

When you add one or more RADIUS clients in the IAS snap-in, you configure the IP address of one RADIUS client or you configure multiple RADIUS clients using an IP address range. If an incoming RADIUS Access-Request message does not originate from an IP address of a configured RADIUS client, IAS automatically discards the message, providing protection for an IAS server. However, source IP addresses can be spoofed (substituted with other IP addresses) by malicious users.

To provide protection from spoofed Access-Request messages and RADIUS message tampering, each RADIUS message can be additionally protected with the RADIUS Message Authenticator attribute, which is described in RFC 2869, “RADIUS Extensions.”

The RADIUS Message Authenticator attribute is a Message Digest 5 (MD5) hash of the entire RADIUS message. The shared secret configured on the IAS server and the RADIUS client is used as the key. If the RADIUS Message Authenticator attribute is present, it is verified. If the Access-Request message fails verification, the message is discarded by the IAS server. If the RADIUS client settings require the Message Authenticator attribute and it is not present, the RADIUS message is discarded.

With IAS in Windows Server 2003, all EAP and PEAP authentication methods use the Message Authenticator attribute by default.
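The check described above, as an added example that is not part of the Microsoft documentation: the Message-Authenticator attribute (type 80, RFC 2869) is an HMAC-MD5 over the whole RADIUS packet keyed with the shared secret, computed with the attribute's own 16 value bytes zeroed. The code builds a constructed Access-Request, then verifies it the way an IAS server would, including the "require Message Authenticator" client setting; packet contents and the request authenticator are constructed sample data.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80  # attribute type from RFC 2869
HEADER_LEN = 20                  # Code, Identifier, Length, Request Authenticator
MSG_AUTH_ATTR_LEN = 18           # 2-byte attribute header + 16-byte HMAC-MD5


def encode_attributes(attributes):
    """Encode (type, value) pairs as RADIUS type-length-value attributes."""
    out = b""
    for attr_type, value in attributes:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_access_request(identifier, request_authenticator, attributes,
                         shared_secret, with_message_authenticator=True):
    """Build an Access-Request; optionally append a valid Message-Authenticator.

    The HMAC-MD5 is computed over the whole packet with the attribute's own
    16 value bytes set to zero, then written into the attribute."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = encode_attributes(attributes)
    if with_message_authenticator:
        attrs += struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, MSG_AUTH_ATTR_LEN) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    packet = header + request_authenticator + attrs
    if not with_message_authenticator:
        return packet
    mac = hmac.new(shared_secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def verify_message_authenticator(packet, shared_secret, require=True):
    """Return True if the packet carries a valid Message-Authenticator.

    require=True mirrors the IAS RADIUS client option that makes the attribute
    mandatory: a packet without it is discarded. With require=False a packet
    that lacks the attribute is accepted, but a present-but-wrong one still fails."""
    if len(packet) < HEADER_LEN:
        return False
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False  # truncated or padded datagram
    offset, found_at = HEADER_LEN, None
    while offset < length:
        if offset + 2 > length:
            return False
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            return False  # malformed attribute length
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != MSG_AUTH_ATTR_LEN or found_at is not None:
                return False
            found_at = offset
        offset += attr_len
    if found_at is None:
        return not require
    received = packet[found_at + 2:found_at + 18]
    zeroed = packet[:found_at + 2] + bytes(16) + packet[found_at + 18:]
    expected = hmac.new(shared_secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)  # constant-time comparison


def demo():
    """Constructed sample packets; returns each verification outcome."""
    secret = b"5d#>3fq4bV)J7%a3-zR13sM"        # the page's example shared secret
    request_authenticator = bytes(range(16))  # constructed; real clients use random bytes
    attributes = [(ATTR_USER_NAME, b"EXAMPLE\\alice"),
                  (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]
    genuine = build_access_request(7, request_authenticator, attributes, secret)
    tampered = genuine.replace(b"alice", b"bob  ")  # same length, User-Name altered in transit
    unsigned = build_access_request(7, request_authenticator, attributes, secret,
                                    with_message_authenticator=False)
    return {
        "genuine": verify_message_authenticator(genuine, secret),
        "tampered": verify_message_authenticator(tampered, secret),
        "wrong_secret": verify_message_authenticator(genuine, b"some other secret"),
        "missing_required": verify_message_authenticator(unsigned, secret),
        "missing_optional": verify_message_authenticator(unsigned, secret, require=False),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'discarded'}")
```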

Enabling Remote Access Account Lockout

You can use remote access account lockout to specify how many times a remote access authentication fails against a valid user account before the user is denied access. Remote access account lockout is especially important for remote access VPN connections over the Internet. An attacker on the Internet can attempt to access an organization intranet by sending credentials (valid user name, guessed password) during the VPN connection authentication process. During a dictionary attack, the attacker sends hundreds or thousands of credentials by using a list of passwords based on common words or phrases.

When remote access account lockout is enabled, a dictionary attack is thwarted after a specified number of failed attempts. As the network administrator, you must decide on two remote access account lockout variables:

  • The number of failed attempts before future attempts are denied.

    After each failed attempt, a failed attempts counter for the user account is incremented. If the user account’s failed attempts counter reaches the configured maximum, future attempts to connect are denied.

    A successful authentication resets the failed attempts counter when its value is less than the configured maximum. In other words, the failed attempts counter does not accumulate beyond a successful authentication.

  • The frequency with which the failed attempts counter is reset.

    The failed attempts counter is periodically reset to 0. If an account is locked out after the maximum number of failed attempts, the failed attempts counter is automatically reset to 0 after the reset time.

You enable the remote access account lockout feature by changing settings in the registry on the computer that provides the authentication. If the remote access server is configured for Windows Authentication, modify the registry on the remote access server computer. If the remote access server is configured for RADIUS authentication and IAS is being used, modify the registry on the IAS server.

For more information about how to enable remote access account lockout, see “IAS Registry Entries.”
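The counter semantics above, as an added simulation that is not part of the Microsoft documentation: MaxDenials and ResetTime are the registry value names listed in the show server_settings output on this page, but timing the reset from the account's first failure is an assumption of this model, not a statement about how the IAS service schedules its reset timer. The scenario data is constructed.

```python
class RemoteAccessLockout:
    """Per-account failed attempts counter with MaxDenials and ResetTime semantics."""

    def __init__(self, max_denials, reset_time):
        if max_denials < 1 or reset_time <= 0:
            raise ValueError("max_denials must be >= 1 and reset_time > 0")
        self.max_denials = max_denials   # failures allowed before lockout
        self.reset_time = reset_time     # seconds until the counter returns to 0
        self._counters = {}              # account -> (failed_attempts, window_start)

    def _current(self, account, now):
        """Counter for the account after applying the periodic reset (assumption:
        the reset is timed from the account's first failure in the window)."""
        failed, started = self._counters.get(account, (0, now))
        if failed and now - started >= self.reset_time:
            failed, started = 0, now   # the reset also ends an active lockout
        return failed, started

    def failed_attempts(self, account, now):
        return self._current(account, now)[0]

    def is_locked_out(self, account, now):
        return self.failed_attempts(account, now) >= self.max_denials

    def authenticate(self, account, password_ok, now):
        """Apply one authentication attempt; return True if access is granted."""
        failed, started = self._current(account, now)
        if failed >= self.max_denials:
            self._counters[account] = (failed, started)
            return False  # locked out: denied even with the correct password
        if password_ok:
            self._counters.pop(account, None)  # a success below the maximum resets the counter
            return True
        self._counters[account] = (failed + 1, started)
        return False


def simulate(max_denials=5, reset_time=600):
    """Constructed scenario: a dictionary attack against one account, then the real user."""
    lock = RemoteAccessLockout(max_denials, reset_time)
    account = "EXAMPLE\\alice"
    # The attacker sends max_denials wrong passwords, one per second.
    guesses = [lock.authenticate(account, False, t) for t in range(max_denials)]
    locked = lock.is_locked_out(account, max_denials)
    # The legitimate user with the correct password is denied while locked out...
    denied_while_locked = not lock.authenticate(account, True, max_denials + 5)
    # ...and granted again once the reset time has elapsed.
    granted_after_reset = lock.authenticate(account, True, reset_time + 1)
    # Two failures followed by a success: the counter does not accumulate past a success.
    lock.authenticate(account, False, reset_time + 100)
    lock.authenticate(account, False, reset_time + 101)
    success_resets = (lock.authenticate(account, True, reset_time + 102)
                      and lock.failed_attempts(account, reset_time + 103) == 0)
    return {
        "all_guesses_denied": not any(guesses),
        "locked_after_max_denials": locked,
        "valid_user_denied_while_locked": denied_while_locked,
        "valid_user_granted_after_reset": granted_after_reset,
        "success_below_max_resets_counter": success_resets,
    }
```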

Using Shared Secrets

A shared secret is a text string that serves as a password between:

  • A RADIUS client and RADIUS server.

  • A RADIUS client and a RADIUS proxy.

  • A RADIUS proxy and a RADIUS server.

For a configuration that uses a RADIUS client, a RADIUS proxy, and a RADIUS server, the shared secret that is used between the RADIUS client and the RADIUS proxy can be different from the shared secret used between the RADIUS proxy and the RADIUS server.

Shared secrets are used to verify that RADIUS messages, with the exception of the Access-Request message, are sent by a RADIUS-enabled device that is configured with the same shared secret. Shared secrets also verify that the RADIUS message has not been modified in transit. The shared secret is also used to encrypt some RADIUS attributes, such as User-Password and Tunnel-Password. To provide verification for Access-Request messages, you can enable use of the RADIUS Message Authenticator attribute for both the RADIUS client configured on the IAS server and the access server.

If you specify RADIUS clients by using an IP address range, all RADIUS clients within the address range must use the same shared secret.

When creating and using a shared secret:

  • Use the same case-sensitive shared secret on both RADIUS devices.

  • Use a different shared secret for each RADIUS server-RADIUS client pair.

  • Generate a random sequence at least 22 characters long.

  • Use any standard alphanumeric and special characters.

  • Use a shared secret of up to 128 characters in length. To protect your IAS server and your RADIUS clients from brute force attacks, use long shared secrets (more than 22 characters).

  • Make the shared secret a random sequence of letters, numbers, and punctuation, as shown in the following table.

    Alphanumeric and special characters

    Group Examples

    Letters (uppercase and lowercase)

    A, B, C and a, b, c

    Numerals

    0, 1, 2, 3

    Symbols (all characters not defined as letters or numerals)

    Exclamation point (!), asterisk (*), colon (:)

  • Change your shared secret often to protect your IAS server and your RADIUS clients from dictionary attacks.

  • Be certain that the RADIUS client’s shared secret and the shared secret you type when running the New RADIUS Client Wizard are identical.

The stronger your shared secret, the more secure are the attributes (for example, those used for passwords and encryption keys) that are encrypted with the shared secret. An example of a strong shared secret is 5d#>3fq4bV)J7%a3-zR13sM. Before creating your shared secret, verify that your network access servers support the use of the letters, numerals, and symbols that you have chosen.
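The guidance above (random, at least 22 and at most 128 characters, drawn from letters, numerals and symbols), as an added example that is not part of the Microsoft documentation: a checker for a secret you are about to type into the New RADIUS Client Wizard, and a generator that only returns secrets the checker accepts. The default symbol set is a constructed choice; narrow it to the characters your network access servers support.

```python
import secrets
import string

MIN_LEN = 22    # "at least 22 characters" from the guidance above
MAX_LEN = 128   # IAS accepts shared secrets of up to 128 characters
DEFAULT_SYMBOLS = "!*:#$%&()+-<>?@[]^_{}~"   # constructed set; trim to what your NAS accepts


def check_shared_secret(secret, symbols=DEFAULT_SYMBOLS):
    """Return a list of problems; an empty list means the secret meets the guidance."""
    problems = []
    if len(secret) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(secret) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if not any(c in string.ascii_letters for c in secret):
        problems.append("no letters")
    if not any(c in string.digits for c in secret):
        problems.append("no numerals")
    if not any(c in symbols for c in secret):
        problems.append("no symbols")
    allowed = string.ascii_letters + string.digits + symbols
    unsupported = sorted({c for c in secret if c not in allowed})
    if unsupported:
        # Spaces, non-ASCII or symbols outside the agreed set may be rejected or
        # silently altered by the access server, so the two sides would not match.
        problems.append("characters the access server may not accept: " + "".join(unsupported))
    return problems


def generate_shared_secret(length=32, symbols=DEFAULT_SYMBOLS):
    """Generate a random secret from letters, numerals and the given symbols.

    Uses the secrets module (CSPRNG) and retries until every character group is present."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    alphabet = string.ascii_letters + string.digits + symbols
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_shared_secret(candidate, symbols):
            return candidate


if __name__ == "__main__":
    print(check_shared_secret("5d#>3fq4bV)J7%a3-zR13sM"))   # the page's example: []
    print(generate_shared_secret(40))
```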

Note

  • When the Password Authentication Protocol (PAP) is used between an access client and an access server (a RADIUS client), the access server encrypts the PAP password by using the shared secret and sends it in an Access-Request packet. If the access server sends the Access-Request message to a RADIUS proxy, the RADIUS proxy must first decrypt the PAP password with the shared secret that was used between the RADIUS proxy and the access server. Next, it encrypts the PAP password with the shared secret that was used between the RADIUS proxy and the RADIUS server before forwarding the Access-Request message. Because a malicious user or process at a RADIUS proxy can record user names and passwords for PAP connections after they are decrypted but before they are encrypted, the use of PAP is strongly discouraged. In addition, if you are using a password-based authentication method, it is strongly recommended that you use MS-CHAP v2, MS-CHAP, or CHAP with strong passwords to provide password protection from dictionary attacks.
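The decrypt-then-re-encrypt step at the proxy that the note describes is why a PAP password is exposed there. This added example (not code from the page or from IAS) implements the User-Password hiding method of RFC 2865 and a hypothetical `proxy_forward` that does what the proxy must do; the two shared secrets and the Request Authenticator are constructed values.

```python
import hashlib

def hide_password(password, secret, request_auth):
    # RFC 2865 section 5.2: pad with NULs to a 16-byte multiple, then XOR each
    # block with MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def reveal_password(hidden, secret, request_auth):
    # Inverse of hide_password; trailing NUL padding is stripped (so a password
    # that itself ends in NUL bytes would lose them, a known limit of the format).
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def proxy_forward(hidden, secret_to_nas, secret_to_server, request_auth):
    # The step the note describes: a proxy holding both shared secrets must
    # recover the password before re-hiding it, so the plaintext exists on the proxy.
    plaintext = reveal_password(hidden, secret_to_nas, request_auth)
    return plaintext, hide_password(plaintext, secret_to_server, request_auth)
```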

IAS Registry Entries

In Windows Server 2003, IAS supports registry values that provide the following functionality:

Note

  • Incorrectly editing the registry can severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Eventlogging

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Secure channel (Schannel) is a security support provider (SSP) that supports a set of Internet security protocols, such as Secure Sockets Layer (SSL) and TLS. These protocols provide identity authentication and secure, private communication through encryption. Logging of client certificate validation failures is a secure channel event, and is not enabled on the IAS server by default.

To enable secure channel events

You can enable additional secure channel events, including client certificate validation failures, by changing the Eventlogging value under this registry key from 1 (REG_DWORD type, data 0x00000001) to 3 (REG_DWORD type, data 0x00000003).

Note

  • The logging of rejected or discarded authentication events is enabled by default.

Ping User-Name

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IAS\Parameters

Ping User-Name can be added to the registry on your IAS servers by a member of the local Administrators group. When you add Ping User-Name to the registry, you must supply values for Name, Type, and Data.

Note

  • Ping User-Name is not installed by default. You must add Ping User-Name to the registry. You can add an entry to the registry using Registry Editor.

Values for Ping User-Name

Name              Type      Data
ping user-name    REG_SZ    User name

To indicate more than one user name for a Ping User-Name value, enter a name pattern, such as a DNS name including wildcard characters, in Data.

Ping User-Name can be added to the registry key as a string value:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IAS\Parameters

Note

  • When you configure Ping User-Name in the IAS server registry, you must configure NASs and RADIUS proxies to use the same User name, or a User name that matches the name and wildcard characters, that you configured in Data. If the User name value configured for the NASs and RADIUS proxies does not match the value in Data, and IAS is configured for logging, IAS will log the RADIUS traffic, and log files will become cluttered with accounting data from ping requests.

MaxConcurrentApi

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters

If the IAS server is on a computer other than a domain controller and it is receiving a very large number of authentication requests per second, you can improve performance by increasing the number of concurrent authentications between the IAS server and the domain controller.

To increase concurrent authentication

Add a new value named MaxConcurrentApi to this registry key and assign to it a value from 2 through 5.

DefaultDomain

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\BuiltIn

To specify the IAS-supplied domain

By default, the IAS-supplied domain name is the domain of which the IAS server is a member. You can specify a different IAS-supplied domain through the DefaultDomain registry setting.

AccountLockout

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Parameters

To enable remote access account lockout

Set the MaxDenials entry in the registry to 1 or greater. MaxDenials is the maximum number of failed attempts before the account is locked out.

By default, MaxDenials is set to 0, which means that remote access account lockout is disabled.

To modify the amount of time before the failed attempts counter is reset

Set the ResetTime (mins) entry in the registry to the required number of minutes.

By default, ResetTime (mins) is set to 0xb40, or 2,880 minutes (48 hours).

To manually reset a user account that has been locked out before the failed attempts counter is automatically reset

Delete the following registry subkey that corresponds to the user’s account name:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout\domain name:user name

When the lockout count for a user account is reset to 0 due to either a successful authentication or an automatic reset, the registry subkey for the user account is deleted.

Default User Identity

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy

User identity is the means by which IAS identifies the user for the purposes of authentication and authorization. Normally, the user identity is the string value of the User-Name RADIUS attribute. If the User-Name attribute is not present, or is present but equals null, the user identity is set to the Guest account or the account specified by the Default User Identity registry value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Policy

Enable or Disable LAN Manager Authentication

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy

By default, MS-CHAP for Windows Server 2003 does not support LAN Manager authentication. This is a change from Windows 2000.

Although the use of MS-CHAP or LAN Manager authentication is not recommended for security reasons, you might need to deploy one or both of these authentication methods to support legacy clients. If you deploy MS-CHAP with change password capability enabled in IAS, you must also deploy LAN Manager authentication.

To enable LAN Manager authentication

If you want to enable the use of LAN Manager authentication with MS-CHAP for older Microsoft operating systems such as Windows NT 3.5 and Windows 95, you must set Allow LM Authentication to 1 on the authenticating server.

To disable LAN Manager authentication

LAN Manager authentication is disabled by default. However, if you have previously enabled it and want to disable it again, set Allow LM Authentication to 0.

Override User-Name

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy

To always use the calling number as the user identity, set the Override User-Name registry value to 1 on the authenticating server.

Note

  • If you set Override User-Name to 1 and the User Identity Attribute to 31, the authenticating server can perform only Automatic Number Identification/Calling Line Identification (ANI/CLI)-based authentication. Normal authentication by using authentication protocols (such as MS-CHAP and EAP) is disabled.

User Identity Attribute

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RemoteAccess\Policy

The RADIUS attribute that IAS uses to identify the user is configurable by setting the User Identity Attribute registry setting.

You can change this key’s value to the number of the RADIUS attribute that is used for the user identity. By default, User Identity Attribute is set to 1, the RADIUS type value for the User-Name RADIUS attribute.

When User Identity Attribute is set to 31, the authenticating server uses the calling number (RADIUS attribute 31, Calling-Station-ID) as the identity of the calling user. Unless Override User-Name is also set, the user identity is set to the calling number only when no user name is supplied in the connection attempt.

The following resources contain additional information that is relevant to this section.