Setup Wizard - User Accounts

Applies To: Windows Server 2008

After a remote access server is installed, you must specify which users the remote access server can accept connections from. For a server running Routing and Remote Access, authorization is determined by the dial-in properties on the user account, the network policies, or both. For more information, see Network Policies.

You do not need to create user accounts just for remote access users. Remote access servers use the user accounts specified in the available user accounts databases.

How security works at connection

The following steps describe what happens during a call from a remote access client to a server running Routing and Remote Access that is configured to use Windows Authentication:

  1. A remote access client dials a remote access server.

  2. The server sends a challenge to the client.

  3. The client sends an encrypted response to the server that consists of a user name, a domain name, and a password.

  4. The server checks the response against the appropriate user accounts database.

  5. If the account is valid and the authentication credentials are correct, the server uses the dial-in properties of the user account and network policies to authorize the connection.

If callback is enabled, the server hangs up the connection, calls the client back, and continues the connection negotiation process.

Note

  • Steps 2 and 3 assume that the remote access client and the remote access server use the MS-CHAP v2 or CHAP authentication protocols. The sending of client credentials may vary for other authentication protocols.

  • If the remote access server is a member of a domain and the user response does not contain a domain name, then the domain name of the remote access server is used. If you want to use a different domain name than that of the remote access server, set the following registry value on the remote access client to the name of the domain that you want to use:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\BuiltIn\DefaultDomain

Warning

Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
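As an added example (not part of the original page), the following PowerShell script applies the DefaultDomain setting described above in the order the warning suggests: it exports a backup of the key first, records the current value, sets the new one, and reads it back to confirm. It assumes it runs in an elevated session on the remote access client, that the value is a string (REG_SZ), and that $DomainName and the backup path are placeholders you supply.

```powershell
# Added example: set the RAS client's DefaultDomain with a backup and read-back check.
# Assumptions: elevated session on the remote access client; DefaultDomain is REG_SZ;
# $DomainName is a placeholder for the domain you want the client to use.
param(
    [Parameter(Mandatory)][string]$DomainName,
    [string]$BackupPath = "$env:TEMP\RasMan-BuiltIn-backup.reg"
)

# Registry key from the documentation, in provider and reg.exe notation.
$keyPath = 'HKLM:\System\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\BuiltIn'
$regKey  = 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\PPP\ControlProtocols\BuiltIn'

# 1. Back up the key before changing anything, as the warning advises.
if (Test-Path $keyPath) {
    reg.exe export $regKey $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Registry backup failed; DefaultDomain was not changed."
    }
    Write-Host "Backup written to $BackupPath"
} else {
    # The key is normally present on a RAS client; create it only if it is missing.
    New-Item -Path $keyPath -Force | Out-Null
}

# 2. Record the current value (if any) so the change is auditable.
$before = (Get-ItemProperty -Path $keyPath -Name DefaultDomain -ErrorAction SilentlyContinue).DefaultDomain
if ($null -eq $before) { $before = '<not set>' }
Write-Host "Current DefaultDomain: $before"

# 3. Set DefaultDomain to the requested domain name.
Set-ItemProperty -Path $keyPath -Name DefaultDomain -Value $DomainName -Type String

# 4. Read the value back and fail loudly if it does not match.
$after = (Get-ItemProperty -Path $keyPath -Name DefaultDomain).DefaultDomain
if ($after -ne $DomainName) {
    throw "DefaultDomain read-back mismatch: got '$after', expected '$DomainName'"
}
Write-Host "DefaultDomain is now '$after'"
```

To undo the change, import the exported .reg file with reg.exe import.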

Security after the connection is made

Credentials used for remote access only provide a communication channel to the target network. The client does not log on to the network as a result of a remote access connection. Each time the client attempts to access a network resource, it is challenged for credentials. If it does not respond to the challenge with acceptable credentials, the access attempt fails. Windows Vista® and the Windows Server® 2008 family add a feature to simplify remote access. After a successful connection, Windows Vista and Windows Server 2008 family remote access clients cache these credentials as default credentials for the duration of the remote access connection. When a network resource challenges the remote access client, the client provides the cached credentials without requiring the user to enter them again.