Export (0) Print
Expand All

Selecting IPSec Authentication Methods

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Peer authentication is the process of ensuring that an IPSec peer is who it claims to be. By using peer authentication, IPSec can determine whether or not to communicate with another computer before the communication begins. Windows Server 2003 IPSec performs peer authentication, but requires only mutual trust of the identities exchanged. It does not verify that the identity that is received is authorized to use a particular IP address.

Table 6.8 describes the uses of the authentication methods.

Table 6.8   Choosing Authentication Methods


Security Requirement Authentication Method Examples

Communication within a Windows Server 2003 or Windows 2000 domain, or between trusted Windows Server 2003 or Windows 2000 domains.

Kerberos V5

Clients accessing a Human Resources database

A Web server in a perimeter network connecting to a computer running SQL Server on an internal network

Communication outside of your domain or across the Internet where Kerberos V5 is not available but access to a CA is available.

Public key certificate

Partner organizations using a Web-based CA to access resources on your private network

Communication with systems that do not support the Kerberos V5 protocol and do not have access to a CA.

Preshared key

Windows 98 or Macintosh clients using third-party IPSec implementations

UNIX servers on a Windows network

Windows Server 2003 IPSec supports three methods of peer authentication so that computers running different operating systems or that exist in different environments can find a common method when negotiating communication with a peer. An IPSec policy rule associates each IP address in a filter with an authentication method list, so that IKE can determine which authentication method list to use with each IP address. During IKE negotiation, the IKE initiator proposes a list of authentication methods to the IKE responder. The responder must use the source IP address of the initiator to identify which filter controls the IKE negotiation. The authentication method list that corresponds to the filter in the responder’s IPSec policy is used to select one authentication method from the initiator’s list. The responder then replies to inform the initiator of the agreed upon authentication method. If the selected authentication method fails, IKE does not provide a method for retrying a different authentication method.

Community Additions

© 2016 Microsoft