Selecting IPSec Authentication Methods

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Peer authentication is the process of ensuring that an IPSec peer is who it claims to be. By using peer authentication, IPSec can determine whether or not to communicate with another computer before the communication begins. Windows Server 2003 IPSec performs peer authentication, but requires only mutual trust of the identities exchanged. It does not verify that the identity that is received is authorized to use a particular IP address.

Table 6.8 describes the uses of the authentication methods.

Table 6.8   Choosing Authentication Methods

| Security requirement | Authentication method | Examples |
|---|---|---|
| Communication within a Windows Server 2003 or Windows 2000 domain, or between trusted Windows Server 2003 or Windows 2000 domains. | Kerberos V5 | Clients accessing a Human Resources database; a Web server in a perimeter network connecting to a computer running SQL Server on an internal network |
| Communication outside of your domain or across the Internet where Kerberos V5 is not available but access to a CA is available. | Public key certificate | Partner organizations using a Web-based CA to access resources on your private network |
| Communication with systems that do not support the Kerberos V5 protocol and do not have access to a CA. | Preshared key | Windows 98 or Macintosh clients using third-party IPSec implementations; UNIX servers on a Windows network |

Windows Server 2003 IPSec supports three methods of peer authentication so that computers running different operating systems, or located in different environments, can find a common method when negotiating communication with a peer. An IPSec policy rule associates each IP address in a filter with an authentication method list, so that IKE can determine which authentication method list applies to each IP address.

During IKE negotiation, the IKE initiator proposes a list of authentication methods to the IKE responder. The responder uses the source IP address of the initiator to identify which filter controls the IKE negotiation. The authentication method list that corresponds to that filter in the responder's IPSec policy is used to select one authentication method from the initiator's list. The responder then replies to inform the initiator of the agreed-upon authentication method. If the selected authentication method fails, IKE does not provide a way to retry with a different authentication method.
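The selection process described above, modelled as an added example (this is illustrative code, not Windows Server 2003's IKE implementation). The policy layout, the method names, the sample addresses and the rule that the most specific matching filter wins are all assumptions made for the illustration; what it shows is that the responder's list order decides the outcome, and that a failed method ends the negotiation rather than falling back to the next one.

```python
"""Model of how an IKE responder picks one peer-authentication method.
Added illustration only; the policy format, filter representation and
longest-prefix filter matching are assumptions, not Windows behaviour."""
from ipaddress import ip_address, ip_network

# Constructed sample policy for the responder: each rule pairs a filter
# (written here as an address range) with an ordered authentication method list.
RESPONDER_POLICY = [
    {"filter": "10.0.0.0/8",     "methods": ["kerberos", "certificate"]},
    {"filter": "203.0.113.0/24", "methods": ["certificate", "preshared"]},
    {"filter": "0.0.0.0/0",      "methods": ["preshared"]},
]


def match_filter(policy, source_ip):
    """Return the rule whose filter matches the initiator's source address.
    Assumption for this model: the most specific (longest prefix) match wins."""
    addr = ip_address(source_ip)
    best = None
    for rule in policy:
        net = ip_network(rule["filter"])
        if addr in net and (best is None
                            or net.prefixlen > ip_network(best["filter"]).prefixlen):
            best = rule
    return best


def select_auth_method(policy, source_ip, initiator_methods):
    """Walk the responder's list for the matched filter and return the first
    entry the initiator also proposed; None means no common method exists."""
    rule = match_filter(policy, source_ip)
    if rule is None:
        return None
    proposed = set(initiator_methods)
    for method in rule["methods"]:
        if method in proposed:
            return method
    return None


def negotiate(policy, source_ip, initiator_methods, auth_succeeds):
    """Run one negotiation. auth_succeeds maps method -> bool, a constructed
    stand-in for the credential check. A failed method is not retried."""
    method = select_auth_method(policy, source_ip, initiator_methods)
    if method is None:
        return ("failed", "no common authentication method")
    if not auth_succeeds.get(method, False):
        return ("failed", f"{method} authentication failed; no retry with another method")
    return ("established", method)


if __name__ == "__main__":
    # Domain peer: responder prefers Kerberos even though the initiator listed it second.
    print(negotiate(RESPONDER_POLICY, "10.1.2.3", ["preshared", "kerberos"],
                    {"kerberos": True}))
    # Partner network peer that only offers Kerberos: no common method.
    print(negotiate(RESPONDER_POLICY, "203.0.113.7", ["kerberos"], {}))
    # Catch-all peer whose preshared key check fails: negotiation ends, no fallback.
    print(negotiate(RESPONDER_POLICY, "198.51.100.9", ["preshared", "certificate"],
                    {"preshared": False, "certificate": True}))
```

Running the block prints an established Kerberos negotiation, a failure for "no common authentication method", and a preshared-key failure with no fallback to the certificate method the initiator also offered. When auditing a policy, the second and third cases are the ones to look for: a filter whose method list shares nothing with a legitimate peer, or a list whose first common entry is a method the peer cannot actually complete.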