Connection Security Rule Wizard: Authentication Method Page

Published: January 20, 2009

Updated: January 20, 2009

Applies To: Windows 7, Windows Server 2008 R2

Use these settings to configure the type of authentication used by this connection security rule.

Note
Not all of the authentication methods listed here are available for all connection security rule types. The authentication methods available for the rule type are displayed on the Authentication Method page of the New Connection Security Rule Wizard and on the Authentication tab on the Connection Security Rule Properties page.

For more information about the authentication methods, see IPsec Algorithms and Methods Supported in Windows (http://go.microsoft.com/fwlink/?linkid=129230).

To get to this wizard page

  1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.

  2. Click Next until you reach the Authentication Method page.

Default

This option is available only when you specify an Isolation or Custom rule type.

Select this option to use the authentication method currently configured in the Windows Firewall with Advanced Security Properties dialog box, on the IPsec Settings tab, under Authentication Method. Because the rule then follows the global setting, changing that default later changes the behavior of every rule that uses this option. For more information about customizing the default options, see Dialog Box: Customize IPsec Settings.

Computer and user (Kerberos V5)

This option is available only when you specify an Isolation or Custom rule type.

Select this option to require both computer and user authentication with the Kerberos version 5 protocol. It is equivalent to selecting Advanced, adding Computer (Kerberos V5) as the first authentication method and User (Kerberos V5) as the second, and then clearing both First authentication is optional and Second authentication is optional, so a peer must succeed at both authentications before the connection is allowed.

Computer (Kerberos V5)

This option is available only when you specify an Isolation or Custom rule type.

Select this option to use computer authentication only, with the Kerberos version 5 protocol. It is equivalent to selecting Advanced, adding Computer (Kerberos V5) as the first authentication method, and then selecting Second authentication is optional; no user authentication is performed.
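The two Kerberos presets above are shorthand for specific first and second authentication lists. The following is an added example (not part of the original page) that expresses each preset as the equivalent netsh rule on Windows 7 / Windows Server 2008 R2, so the mapping is visible and scriptable; it assumes an elevated prompt, and the rule names and the "anonymous" list entry (which is netsh's way of marking an authentication as optional) are the only things beyond the page's own text. Run from an elevated PowerShell or Command Prompt window.

```powershell
# Added example, not code from the original page. Rule names are placeholders.
# netsh expresses the wizard's choices as two lists: auth1 (first authentication)
# and auth2 (second authentication). Run elevated on Windows 7 / 2008 R2.

# "Computer and user (Kerberos V5)":
#   first authentication  = Computer (Kerberos V5), not optional
#   second authentication = User (Kerberos V5),     not optional
# Neither list contains "anonymous", so both authentications are required.
netsh advfirewall consec add rule name="Isolation - computer and user Kerberos" `
    endpoint1=any endpoint2=any action=requireinrequestout `
    auth1=computerkerb auth2=userkerb profile=domain

# "Computer (Kerberos V5)":
#   first authentication  = Computer (Kerberos V5), not optional
#   second authentication = none ("Second authentication is optional")
# No auth2 list is given, so no user authentication is attempted at all.
netsh advfirewall consec add rule name="Isolation - computer Kerberos only" `
    endpoint1=any endpoint2=any action=requireinrequestout `
    auth1=computerkerb profile=domain

# Neither preset covers "user authentication when available": that needs Advanced,
# with User (Kerberos V5) as second method and "Second authentication is optional"
# selected. In netsh the optional flag is an "anonymous" entry in the list, so a
# peer that cannot do user Kerberos still connects after computer Kerberos.
# The list is quoted because PowerShell would otherwise split it at the comma.
netsh advfirewall consec add rule name="Isolation - user auth optional" `
    endpoint1=any endpoint2=any action=requireinrequestout `
    auth1=computerkerb auth2="userkerb,anonymous" profile=domain

# Read the stored rule back; the Auth1 and Auth2 lines show the resulting lists,
# which is what the Authentication tab of the rule's properties displays.
netsh advfirewall consec show rule name="Isolation - user auth optional" verbose

# Cleanup for a lab box:
# netsh advfirewall consec delete rule name="Isolation - user auth optional"
```

Because isolation rules with action=requireinrequestout reject unauthenticated inbound traffic, test a new rule on one host with requestinrequestout first, confirm the Main Mode and Quick Mode security associations appear under Monitoring, and only then switch to the require action.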

Computer certificate

This option is available only when you specify a Server-to-server or Tunnel rule type.

Select this option to use computer authentication based on a computer certificate. It is equivalent to selecting Advanced, adding Computer certificate as the first authentication method, and then selecting Second authentication is optional. Both peers must hold a computer certificate that chains to the CA you specify, and the signing algorithm and certificate store type you choose here must match the certificates actually deployed, or no certificate will be accepted.

Signing algorithm

Specify the signing algorithm used to cryptographically secure the certificate.

RSA (default)

Select this option if the certificate is signed by using the RSA public-key cryptography algorithm.

ECDSA-P256

Select this option if the certificate is signed by using the Elliptic Curve Digital Signature Algorithm (ECDSA) on the NIST P-256 curve (256-bit keys).

ECDSA-P384

Select this option if the certificate is signed by using ECDSA on the NIST P-384 curve (384-bit keys).

Certificate store type

Specify the type of certificate by identifying the store in which the issuing CA's certificate is located.

Root CA (default)

Select this option if the certificate was issued by a root certification authority (CA) whose certificate is stored in the local computer's Trusted Root Certification Authorities certificate store.

Intermediate CA

Select this option if the certificate was issued by an intermediate CA whose certificate is stored in the local computer's Intermediate Certification Authorities certificate store.

Accept only health certificates

This option restricts the use of computer certificates to those that are marked as health certificates. Health certificates are issued by a CA in support of a Network Access Protection (NAP) deployment. NAP lets you define and enforce health policies so that computers that do not comply with network requirements, such as computers without antivirus software or without the latest software updates, are less likely to gain access to your network. To implement NAP, you must configure NAP settings on both server and client computers. NAP Client Management, a Microsoft Management Console (MMC) snap-in, helps you configure NAP settings on your client computers. For more information, see the NAP MMC snap-in Help. To use this option, you must have a NAP server set up in the domain; without one, no peer can present a health certificate and every connection the rule covers fails authentication.
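The certificate options above (signing algorithm, certificate store type, and the health-certificate restriction) each change a different netsh parameter, which is easy to get wrong when scripting. The following is an added example, not code from the original page, that writes one Server-to-server rule for each combination; the CA names (CN=Contoso Root CA, CN=Contoso Issuing CA), the endpoint addresses (192.0.2.10 and 192.0.2.20) and the rule names are placeholders, and it assumes both hosts already have a computer certificate that chains to the named CA. The final check for the health EKU uses the System Health Authentication object identifier 1.3.6.1.4.1.311.47.1.1.

```powershell
# Added example, not code from the original page. CA names, addresses and rule
# names are placeholders. Run elevated on Windows 7 / 2008 R2.

# RSA (default) + Root CA (default). The CA named in auth1ca must sit in the
# Trusted Root Certification Authorities store of the local computer on both peers.
netsh advfirewall consec add rule name="S2S - RSA root CA" `
    endpoint1=192.0.2.10 endpoint2=192.0.2.20 action=requireinrequireout `
    auth1=computercert `
    auth1ca="CN=Contoso Root CA catype:root"

# ECDSA-P256 + Intermediate CA. Both the auth1 value and the CA parameter name
# change: certificates signed with ECDSA P-256 are matched only through
# auth1ecdsap256ca, and a CA listed under auth1ca never matches them.
# catype:intermediate says the CA certificate lives in the Intermediate
# Certification Authorities store rather than the root store.
netsh advfirewall consec add rule name="S2S - ECDSA-P256 intermediate CA" `
    endpoint1=192.0.2.10 endpoint2=192.0.2.20 action=requireinrequireout `
    auth1=computercertecdsap256 `
    auth1ecdsap256ca="CN=Contoso Issuing CA catype:intermediate"

# ECDSA-P384 uses the third pair of names in the same way.
netsh advfirewall consec add rule name="S2S - ECDSA-P384 root CA" `
    endpoint1=192.0.2.10 endpoint2=192.0.2.20 action=requireinrequireout `
    auth1=computercertecdsap384 `
    auth1ecdsap384ca="CN=Contoso Root CA catype:root"

# "Accept only health certificates". healthcert:yes restricts the match to
# certificates carrying the NAP System Health Authentication EKU; an ordinary
# computer certificate from the same CA is rejected. Only meaningful where a NAP
# health registration authority issues certificates from that CA.
netsh advfirewall consec add rule name="S2S - health certificates only" `
    endpoint1=192.0.2.10 endpoint2=192.0.2.20 action=requireinrequireout `
    auth1=computercert `
    auth1ca="CN=Contoso Root CA catype:root healthcert:yes"

# Before relying on any of these rules, confirm the local machine actually holds
# a certificate from the named issuer, and, for the health rule, that the
# certificate carries the System Health Authentication EKU (1.3.6.1.4.1.311.47.1.1).
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -like "*Contoso*" } |
    Format-List Subject, Issuer, NotAfter,
        @{ Name = "HealthEKU"; Expression = {
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq "1.3.6.1.4.1.311.47.1.1" }) -ne $null } }
```

A rule that names the wrong CA, the wrong store type or the wrong signing algorithm fails silently from the client's point of view: Main Mode negotiation simply never completes. When that happens, compare the Auth1CAName line of `netsh advfirewall consec show rule name=... verbose` against the Issuer field printed by the check above before touching anything else.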

Advanced

This option is available when you specify any rule type.

Select this option to configure any available authentication method. You must then click Customize and specify an ordered list of methods for both first authentication and second authentication; the methods are proposed to the peer in the order listed, and the first one both sides support is used. For more information, see Dialog Box: Customize Advanced Authentication Methods, Dialog Box: Add or Edit First Authentication Method, and Dialog Box: Add or Edit Second Authentication Method.
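Unlike the presets, Advanced lets one rule carry several first authentication methods with a fallback order. The following is an added example, not code from the original page, of such a rule in netsh form: computer Kerberos first, a computer certificate as fallback, and optional user Kerberos as the second authentication. The rule name, the subnet 192.0.2.0/24 and the CA name CN=Contoso Root CA are placeholders; the pre-shared key method shown at the end is one of the methods netsh accepts for auth1 and is included only to record why it should not be used outside a lab.

```powershell
# Added example, not code from the original page. Names and addresses are
# placeholders. Run elevated on Windows 7 / 2008 R2.

# First authentication: propose Computer (Kerberos V5) first; a peer that cannot
# reach a domain controller (a workgroup server, a host in a lab forest) falls
# back to a computer certificate from the named root CA. The list order is the
# order the methods are proposed.
# Second authentication: User (Kerberos V5), where the trailing "anonymous" entry
# is the netsh form of "Second authentication is optional".
# Both lists are quoted so PowerShell does not split them at the comma.
netsh advfirewall consec add rule name="Custom - Kerberos then certificate" `
    endpoint1=any endpoint2=192.0.2.0/24 action=requireinrequestout `
    auth1="computerkerb,computercert" `
    auth1ca="CN=Contoso Root CA catype:root" `
    auth2="userkerb,anonymous"

# Read it back the way the Authentication tab shows it. The Auth1 and Auth2 lines
# list the methods in negotiation order, so a wrong fallback order is visible here.
netsh advfirewall consec show rule name="Custom - Kerberos then certificate" verbose

# Pre-shared key (auth1=computerpsk with auth1psk=...) is also selectable under
# Advanced. The key is stored in clear text in the rule and is shared by every
# peer the rule covers, so anyone who can read the policy can impersonate any
# peer. Keep it to lab rules like this one, never to rules protecting production
# traffic, and prefer requestinrequestout there so a typo cannot cut off the host.
# netsh advfirewall consec add rule name="Lab - PSK" endpoint1=any endpoint2=any `
#     action=requestinrequestout auth1=computerpsk auth1psk="lab-only-key"
```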

How to change these settings

After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the authentication methods used by this rule, select the Authentication tab.
