NPS Architecture
Applies To: Windows Server 2008, Windows Server 2008 R2
The following illustration depicts NPS architecture, including the components upon which NPS has external dependencies.
.gif)
Network Policy Server components
The following sections provide additional information about the components in the NPS architecture.
| Component | Description |
|---|---|
Network access servers |
RADIUS-compliant network access servers, such as VPN servers, 802.1X wireless access points and authenticating switches, and dial-up servers that send connection requests to the NPS server using the RADIUS protocol. Network access servers are also called RADIUS clients. |
Remote Authentication Dial-In User Service (RADIUS) protocol |
An industry standard protocol described in Request for Comments (RFC) 2865, "Remote Authentication Dial-in User Service (RADIUS)," and RFC 2866, "RADIUS Accounting." RADIUS is used to provide network authentication, authorization, accounting, and auditing services for network administrators that deploy local or remote access to their networks. |
RADIUS messages |
Access-Request and other RADIUS messages that are sent between network access servers and the NPS server using the RADIUS protocol. |
Local Microsoft components |
When additional components, such as RRAS, TS Gateway, DHCP, and HCAP are installed on the local NPS server, the components use IAS Helper (Iashlpr.dll) to exchange information with NPS. If these components are not installed on the local computer but are installed on remote computers, IAS Helper is not used; instead, the RADIUS protocol is used to exchange information with the local NPS server. |
NPS server |
A computer running Windows Server 2008 and Network Policy Server that accepts connection requests from configured RADIUS clients and either processes or forwards the requests, depending on how NPS is configured. In addition, NPS can make determinations about client health through configured health policies if Network Access Protection (NAP) is deployed. |
NPS service |
A service that runs within Svchost.exe and can be configured by using the Services MMC snap-in. By default, the service runs automatically at system startup after you install NPS. |
NPS policy engine |
The NPS policy engine processes connection requests when NPS is configured as a RADIUS proxy, RADIUS server, and NAP policy server. Depending on the NPS configuration, NPS can forward a connection request, perform authentication and authorization for a connection request against the AD DS user accounts database or SAM database, or verify the client computer configuration of a NAP-capable client. For detailed information on how NPS processes connection requests based upon the NPS configuration, see Access-Request Message Processing. |
SDO Layer - Read Only |
The NPS service loads its own copy of the Server Data Objects (SDO) dynamic link libraries (DLLs); the NPS service reads information from the SDO layer, but does not write information to the SDO layer. |
NPS MMC snap-in/console |
You can use the NPS console or the NPS MMC snap-in to configure NPS using the Windows interface. For more information, see Components of NPS. |
SDO Layer - Read-Write |
The NPS MMC console/snap-in loads its own copy of the SDO DLLs, and both reads information from and writes information to the SDO Layer. The SDO API makes it possible to programmatically configure and administer a computer running Windows Server 2008 and NPS. For more information, see Server Data Objects. |
Netsh NPS |
A context of the Netsh command-line tool that you can use to configure NPS by using the command line, batch files, or scripts. For more information, see Netsh Commands for Network Policy Server. |
SDO Layer - Read-Write |
Netsh NPS loads its own copy of the SDO DLLs, and both reads information from and writes information to the SDO Layer. |
IAShost.exe |
A process of NPS that hosts the DataStore Component Object Model (COM) server. At runtime, there is a single instance of IAShost.exe to which other components, such as the NPS service, the NPS MMC, and Netsh NPS, read and write NPS configuration data. |
DataStore COM server |
A service within IAShost.exe that manages read operations from Dnary.xml and both read and write operations to IAS.xml. By using the Distributed COM (DCOM) interface, the following components use the DataStore COM server to access the NPS server configuration: the NPS service on the local computer; the Netsh commands for NPS on the local computer; the NPS console or MMC snap-in on the local computer; and the NPS MMC snap-in on remote NPS servers. |
IAS.xml |
An extensible markup language (XML) file stored on the local hard drive that contains NPS configuration information. IAShost.exe reads information from and writes information to IAS.xml. By default, the IAS.xml file location is %windir%\System32\ias. |
Dnary.xml |
Dnary.xml is an extensible markup language (XML) file stored on the local hard drive that contains the NPS library of RADIUS attributes. IAShost.exe reads information from Dnary.xml. By default, the Dnary.xml file location is %windir%\System32\ias. |
Local log file |
When the NPS accounting configuration specifies the recording of accounting data in a local log file (either database-compatible format or IAS format), the text file is stored on the local hard drive. By default, the local log file location is %windir%\system32\LogFiles |
External Dependencies
NPS has the following dependencies on external components. The dependency does not exist, however, unless NPS is configured to use the external resource. For example, NPS is not dependent on SQL Server unless NPS is configured to use SQL Server logging.
| Component | Description |
|---|---|
LDAP queries |
When an NPS server is a member of an Active Directory domain, Lightweight Directory Access Protocol (LDAP) queries are sent to global catalog servers when NPS performs authentication against the Active Directory Domain Services (AD DS) user account database. Query results are then sent back to NPS. If an NPS server is not a domain member, authentication is performed against the local SAM database rather than against a domain controller. |
AD DS |
NPS performs authentication against the credentials stored in the AD DS user accounts database during the authentication process, and checks user account dial-in properties during the authorization process. |
NAP |
Network Access Protection allows NPS to function as a health policy server, verifying that NAP-capable computers connecting to the network are compliant with health policy. |
QSHVHost |
QSHVHost is a NAP component required to facilitate communication between NPS and other NAP components. |
EAP |
When EAP authentication is configured in a connection request policy or network policy and the Access-Request matches a policy, NPS uses EAP authentication to verify the identity of the access client or user. |
EAPHost |
When configured to use EAP authentication, NPS uses EAPHost during the authentication process. In Windows Server 2008 and Windows Vista, EAPHost updates the EAP implementation in Windows for the latest Internet standards and provides a new modular architecture to extend Windows with EAP authentication methods and supplicants. |
Accounting data (XML document) |
When NPS is configured to use SQL Server logging, it sends accounting data in an XML document to the SQL Server database for processing and storage in the database. |
SQL Server |
The SQL Server database is configured with a stored procedure that receives and processes the incoming XML document from NPS, in addition to a database where the NPS data is stored. |
RADIUS extension DLLs and NPS architecture
When you incorporate RADIUS extension DLLs into the NPS architecture, you are modifying the NPS policy engine in such a way that Access-Request messages are processed in a different manner. The primary differences are:
If you install an authentication extension DLL, NPS calls the DLL before performing authentication and authorization.
If you install an authorization extension DLL, NPS performs authentication and authorization before calling the authorization DLL.
For more information about extension DLLs, see About NPS Extensions.